Credential management best practices

Accounting for human error is an important part of creating a safe computing environment. According to the 2022 Verizon Data Breach Investigations Report, stolen passwords, phishing, or human error are responsible for 82% of reported breaches. Ensuring you and your employees have strong credentials and credential management habits can go a long way in keeping you safe. When was the last time you updated your passwords or changed your RaaS API key? Do your Rewards Genius (non-SSO) users change their passwords regularly?

It’s important to update your keys and passwords, as they provide access to important data. Some people never change their credentials, or they recycle the same credentials for many different applications or online accounts. Not changing a sensitive system credential at a frequency commensurate with the risk of it leaking or using the same credential for many online applications isa dangerous practice. If the credential is leaked, think of the access an unauthorized user would have such to the modification or addition of users or funding and orders. Good credential management starts with understanding the best password practices and why you should keep credentials updated.

What are the best practices for credential management?

  • Longer credentials are better than shorter, complex passwords. User passwords should be 12 characters long at a minimum and not easily guessable.
  • API keys should be machine-generated with a cryptographically secure algorithm.
  • Avoid recycling the same credentials across multiple accounts.
  • Don’t share your credentials with others.
  • Use a password manager to ensure credentials are encrypted when not in use.
  • Check whether your credentials have previously been stolen. You can use Mozilla’s Firefox Monitor or Have I Been Pwned tool.

Why would I want to change my credentials?

The rules of changing credentials have been driven by regulations or standards bodies. Some of them may recommend credential changes every thirty, sixty, or ninety days (depending on what the credential is used for, how often the account is accessed, and credential complexity). There are also guidelines according to the National Institute of Standards and Technology (NIST) summarized in this article.

TheNIST recommends resetting credentials only when necessary. So when is it necessary to change a credential?

  • When you suspect or know the credential has been compromised.
  • If you use a password manager to store the credential, and the password manager has been breached.
  • When an employee with access to the credential has departed from the company.
  • When you know the credential provides powerful access to sensitive things. An extra layer of protection of changing the credential is performed at a rate commensurate with the company’s risk tolerance.

How do I change my Rewards Genius user passwords?

  1. Navigate to the “forgot password” page on Rewards Genius.
  2. Enter the email address associated with your account and click Return to log in.
  3. You will receive an email with a link to reset your password.

How do I change my RaaS API key?

Checkout our help center to learn how to change your API key or follow the steps below.

  1. Click the blue Account button in the top-right corner to access the API Keys section.
  2. Then click Settings and select Manage under API Keys.
  3. Click Generate API Key. Only two (2) API keys may be active at any time. (Note: Using a Production API key will result in live funds being used to send rewards.)
  4. Keys are masked by default. Click the eye icon to unmask the key and copy it to your clipboard.
  5. Deactivate an active key by clicking Deactivate API Key. (Note: Deactivating an API key requires you to acknowledge that doing so may break any integrations using that key.)
  6. View event logs for each generated API key toward the bottom of the API Key page, including when keys were created, viewed, and/or deactivated. (Note: If you are looking for your Platform Name, you can find it in the upper left corner of your portal (i.e. the Platform Name for this portal is: ANDemo)

Is Tango right for you? Let's talk.

Now you know why Tango is trusted by companies around the world. It’s time to discover how Tango can work for you.