The Latest Word (but Probably Not the Last Word) on Password Security
You may not know it, but the US Department of Commerce has a bureau called the National Institute of Standards and Technology (NIST for short) that publishes the password guidance most of us have been following for years (its Digital Identity Guidelines, SP 800-63B). The one sure thing you can count on from technology, however, is that things never stand still. After gathering and analyzing a serious amount of data on real-world breaches and password cracking, and looking at the fluid and evolving world of cybercrime, NIST’s researchers revised their advice on which techniques actually keep passwords safe and which do not. As a managed IT support company, we pay close attention to their reporting, and as we now know, much of what the public has assumed were best practices in password security is no longer recommended. Here are the newest recommendations:
Passwords must be at least 8 characters long, although MUCH longer is suggested (NIST tells systems to accept passwords of at least 64 characters). Shorter passwords are just too easy to crack: every character you add multiplies the work an attacker has to do. The researchers found that length is the single most important factor in keeping a password safe.
Hang up those %s, #s and @s. Yes, most websites these days insist that you use “special characters”, but the NIST folks discovered that forcing them just doesn’t help. To the cybercriminal, a special character is just another symbol to run through the cycle, and because people put it in predictable places (a capital letter first, a “!” or a digit last, an “a” swapped for an “@”), cracking tools try those patterns first. Meanwhile the rules make passwords much harder to remember. NIST now says systems should not require them.
Use multiple words. A single long word (antibacterial, hippopotamus, influenza) is not as good as several unconnected words strung together (cantaloupegluenose, concreteparrotphone). These are called “passphrases” instead of passwords. A super long word like FLOCCINAUCINIHILIPILIFICATION looks strong, but it is still just one dictionary entry, so a word-list attack finds it as easily as “influenza”, and then you have to remember it…good luck.
The use of sequential or repetitive characters is still a no-no. 1234abcd, qwertyuiop, aaaa1111…seriously? The bad guys figured out how to get past those a long time ago, and NIST now tells systems to reject them outright.
Using your username, or the name of the website, as part of a password makes it too easy to guess. Yes, it might add length, but it adds nothing the attacker doesn’t already know: cracking tools are fed the username and site name as their first guesses. NIST tells systems to reject these too.
“Hints” just make it easier to figure things out. Mom’s maiden name, daughter’s birthday…it’s just too easy to pull public records and stolen data together and let a program piece things together. NIST now says sites should not offer password hints or rely on these kinds of “security questions” at all.
This one will surprise you: your passwords do NOT need to be changed on a schedule, only when there is reason to believe they were compromised: you clicked on a suspicious link, your computer got infected, the site announced a breach, etc., etc. Why not change them often? Changing a password in and of itself isn’t a problem, except that when people are forced to, they tend to take the easy way out and make the new one shorter, or nearly identical to the old one, and that defeats the purpose. Example: first password: n#we$12, next time: n#we$13, etc. Attackers know this pattern and try it first.
Use a good password manager. If you really want to do it right, use a password manager: it can generate a different long random password or passphrase for every site and remember it for you, so one breached site doesn’t expose the rest of your accounts. As a managed IT support company, we strongly recommend Kaseya’s AuthAnvil, which provides identity and access management, including credential management along with password auditing and reporting. This gives you control over who holds the “keys to the kingdom” and how they are used.
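The rules above, as an added example that is not part of the original post: a small Python checker in the style of NIST SP 800-63B (at least 8 characters, at least 64 accepted, a breached-password blocklist, rejection of sequential and repeated runs and of the username or site name, and deliberately no requirement for digits or symbols), plus the kind of random passphrase generator a password manager uses. The blocklist and word list here are tiny constructed stand-ins for the real, much larger lists, and the function names are our own.

```python
"""NIST SP 800-63B style memorized-secret checks (added example, not from the post).

Assumptions: BLOCKLIST and WORDLIST are constructed stand-ins for real lists,
and the length limits follow SP 800-63B (minimum 8, at least 64 accepted).
"""
import math
import secrets

MIN_LENGTH = 8
MAX_LENGTH = 64  # accept at least 64 characters; never silently truncate

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

# Constructed word list; a real one (e.g. a 7776-word diceware list) is far larger.
WORDLIST = ["cantaloupe", "glue", "nose", "concrete", "parrot", "phone",
            "lantern", "ripple", "quartz", "meadow", "copper", "violin",
            "orbit", "saddle", "thistle", "plank"]

# Orderings in which a "sequential run" (1234, abcd, qwer) can occur.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1234567890", "abcdefghijklmnopqrstuvwxyz")


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` characters in keyboard or alphabet order, either direction.

    run=4 keeps false positives on ordinary words rare (3 would flag "rst" in "first").
    """
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row (aaaa, 1111)."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    There is intentionally no composition rule: nothing here demands a digit or symbol.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("on the common/breached password list")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run (1234, abcd, qwer)")
    if has_repeated_run(pw):
        reasons.append("contains a repeated run (aaaa, 1111)")
    # Context-specific words: the username and the service name are known to attackers.
    for label, ctx in (("username", username), ("service name", service)):
        if len(ctx) >= 3 and ctx.lower() in low:
            reasons.append(f"contains the {label}")
    return reasons


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "") -> tuple[str, float]:
    """Pick `words` random words with the OS CSPRNG; return (passphrase, entropy in bits)."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    bits = words * math.log2(len(wordlist))  # each word is an independent uniform choice
    return sep.join(chosen), bits


if __name__ == "__main__":
    for candidate in ("n#we$12", "1234abcd", "Password", "concreteparrotphone"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
    print(generate_passphrase(4, sep="-"))
```

The only real-world change needed is the blocklist: instead of a local set, compare the candidate against a large breached-password corpus such as Have I Been Pwned’s Pwned Passwords, which exposes a k-anonymity range API so the password itself never leaves your system. The entropy figure is what makes the passphrase advice concrete: four words from the 16-word toy list above give only 16 bits, while four words from a 7776-word list give about 51.7 bits, which is why a password manager draws from a big list rather than a short one.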
As always, we are here to assist. Give us a call at 777.569.4400 or, if you have any questions, visit our website: www.novatech.net