A password policy designed specifically for federal agencies should be secure, right? Surprisingly, that hasn’t been the case. According to the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, many of the current best practices are misguided. These password policies, set by NIST, have become the national norm, yet they have been quickly outpaced by modern technology.
The Problem
The issue isn’t necessarily that NIST advised people to create passwords that are easy to crack, but it did steer people into creating lazy passwords using capitalization, special characters, and numbers that are easy to predict (like “P@ssW0rd1”).
This may seem secure, but these strings of characters and numbers could easily be compromised by hackers using common algorithms.
To make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.
NIST essentially forced everyone, including you and your colleagues, to use passwords that are hard for humans to remember but easy for computers to guess.
The Solution
One cartoonist pointed out just how ridiculous NIST’s best practices were when he revealed that a password like “Tr0ub4dor&3” could be cracked in only three days while a password like “correcthorsebatterystaple” would take about 550 years.
Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.
Even better, you should enforce the following security solutions within your company:
- Multifactor Authentication – which only grants access after you have successfully presented several pieces of evidence
- Single Sign-On – which allows users to securely access multiple accounts with one set of credentials
- Account Monitoring Tools – which recognize suspicious activity and lock out hackers
What is multifactor authentication, and why do I need it?
Create a strong password
Do
- Always use a password
- Use a strong, separate password for your email account
- To create a strong password, simply choose three random words. Numbers, symbols and combinations of upper and lower case can be used if you feel you need to create a stronger password, or the account you are creating a password for requires more than just letters
- There are alternatives, with no hard and fast rules, but you could consider the following suggestions:
- Choose a password with at least eight characters (more if you can, as longer passwords are harder for criminals to guess or break), a combination of upper and lower case letters, numbers and keyboard symbols such as @ # $ % ^ & * ( ) _ +. (for example SP1D3Rm@n – a variation of Spiderman, with letters, numbers, upper and lower case) However, be aware that some of these punctuation marks may be difficult to enter on foreign keyboards. Also remember that changing letters to numbers (for example E to 3 and i to 1) are techniques well-known to criminals
- A line of a song that other people would not associate with you
- Someone else's mother's maiden name (not your own mother's maiden name)
- Pick a phrase known to you, for example "Tramps like us, baby we were born to run," and take the first character from each word to get 'tlu,bwwbtr'
Don’t
- Use the following as passwords:
- Your username, actual name or business name
- Family members’ or pets’ names
- Your or family birthdays
- Favorite football or F1 team or other words easy to work out with a little background knowledge
- The word ‘password’
- Numerical sequences
- A single commonplace dictionary word, which could be cracked by common hacking programs
- When choosing numerical passcodes or PINs, do not use ascending or descending numbers (for example 4321 or 12345), duplicated numbers (such as 1111) or easily recognizable keypad patterns (such as 14789 or 2580)
9 Security Best Practices You Should Implement Immediately
