Last year, the National Institute of Standards and Technology (NIST) released new standards for password security. Federal agencies, contractors and Fortune 500 companies use NIST’s standards as the gold-standard guideline for securing digital identities.
Traditionally, password complexity and change frequency were the generally accepted standard: a mix of uppercase, lowercase, numbers and symbols, combined with forced password changes every 90 days or so. But the new school of thought is that this advice may actually make you more vulnerable, for several key reasons.
Complexity isn’t enough
Today, sophisticated password-cracking software is sold to the highest bidder. This software is getting better every day and can run through complex combinations very quickly. For example, it is now being ‘trained’ on lists of the millions of stolen passwords on the open market, so that it tries the most commonly used passwords and password patterns first. Password-cracking software can also scan social media, search engines and other channels to ascertain key information like birthdays, neighborhoods and pet or relative names. Artificial Intelligence being used for evil, fantastic!
What this means for you: if you are using common words like “password”, or your first name, address, birthday, etc., or variations of them, it will likely take a thief only a few seconds to break into a system.
90 day password changes reinforce bad habits
One unintended consequence of changing passwords every 90 days is “memory burden”. If you have to change it so often, why bother memorizing it in the first place? Out of fatigue, many fall back to common passwords, and some keep sticky notes next to their monitor or under their keyboard.
In the new standards, longer “passphrases” and fewer expirations are better
The new NIST standard recommends a longer “passphrase”: something like a secret or inside-joke sentence, rather than a single word.
NIST recommends that these passwords NEVER expire in most cases (unless reacting to a breach), on the assumption that a single tricky password is harder to figure out than a changing password that grows simpler with each change, or that recycles old passwords again and again.
What these new standards don’t fix
Using a long passphrase doesn’t make you any more secure if you use the same password in multiple places! It is important to diversify your passwords significantly. A password management application like LastPass or Keeper can make this much easier.
Implement Multi-factor Authentication (MFA)
Multi-factor Authentication, also known as MFA or 2FA, is an added layer of security for your online identity. It requires you to respond to a prompt or provide a code to prove that you are the person logging in at any given time. This makes it harder for a malicious actor who may have your username and password to gain control of those online services. In most cases, Multi-factor Authentication uses an app on your smartphone to provide a code or notification, but it can also be a text message or a phone call.
How Do I Make a Good Password?
Our recommendation is to create a password that is no less than 12 characters in length and contains a variety of characters. Do NOT use consecutive letters (i.e. abc, qwerty, etc.) or consecutive numbers (i.e. 123, 098, etc.), repeated numbers and letters (i.e. 111, 555, vvv, ssss, etc.), or known passwords (i.e. Password1!, etc.). It is also recommended to avoid anything related to your personal life or work life; all of this information can be easily enumerated (found) online. Most importantly, NEVER use a password that has been used before, nor a variation of an old password.
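As an added illustration (not code from the original post), here is a small Python checker that enforces the rules above at password-creation time: minimum length, consecutive and repeated runs, a known-password blocklist, and reuse or variation of a previous password. The blocklist contents, the keyboard rows and the “at least two kinds of character” reading of “variety” are assumptions.

```python
import re

MIN_LENGTH = 12
# Keyboard rows (digit row included), matched forwards and backwards: qwe, 098.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Constructed stand-in for a breached-password list (assumption: load a real corpus here).
KNOWN_PASSWORDS = {"password", "password1", "letmein", "welcome1", "qwerty"}


def _stem(pw):
    """Lowercase, strip leading/trailing digits and symbols: 'Password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _has_sequence(pw, run=3):
    """True if `run` adjacent alphanumerics step by +1/-1 (abc, cba, 123)
    or lie on a keyboard row in either direction (qwe, asd, 098)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        on_row = any(chunk in r or chunk in r[::-1] for r in KEYBOARD_ROWS)
        if chunk.isalnum() and (steps in ({1}, {-1}) or on_row):
            return True
    return False


def _has_repeat(pw, run=3):
    """True if one character appears `run` or more times in a row (111, ssss)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw, previous=()):
    """Return the list of rule violations for `pw`; an empty list means it passes.
    `previous` holds the user's earlier passwords, supplied by the caller."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2:  # assumption: 'variety' means at least two kinds of character
        problems.append("uses only one kind of character")
    if _has_sequence(pw):
        problems.append("contains a consecutive run (abc, qwerty, 123, 098)")
    if _has_repeat(pw):
        problems.append("contains a repeated run (111, vvv, ssss)")
    if pw.lower() in KNOWN_PASSWORDS or _stem(pw) in KNOWN_PASSWORDS:
        problems.append("is a known password or a trivial variation of one")
    old = {p.lower() for p in previous} | {_stem(p) for p in previous}
    if pw.lower() in old or (_stem(pw) and _stem(pw) in old):
        problems.append("reuses or varies a previous password")
    return problems
```

The stem comparison is what catches the “Password1!” and “MyOldPass2” habits: bumping a digit or adding a symbol to a known or previous password still fails the check.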
Happy Password Creating!
Nobody likes passwords, but the need for cybersecurity is a fact of life and is only becoming more relevant. Here’s a great article on the topic that we referenced in this blog, as well as a video and comic for our visual learners. If you would like to learn more about the options available from Upward to secure your environment, contact us today!