27 Apr Stay Safe with New Password Guidelines
This year World Password Day falls on May 7th. Normally I don’t think about there being a day for password awareness; for me that’s every day. However, this year I’ve been socially distancing and have more time to think, so here are some new guidelines and thoughts about passwords. Now that most of our sensitive accounts are using multi-factor authentication, we should perhaps change the name of the day to Authentication Day. On that note, I hope you have enrolled in multi-factor authentication for any important on-line accounts like email, financial, or anywhere there is online information that crackers could use to compromise other accounts, steal your identity, or gain access to your finances.
Even with multi-factor authentication our passwords are still important, and guidelines for password management have evolved along with the sophistication of attack scenarios. Here are some of the best practices based on the current National Institute of Standards and Technology guidelines. Some of them are surprising given previous recommendations for password security.
Making Strong Passwords
- Remove periodic password change requirements
There have been multiple studies showing that frequent password changes are actually counterproductive to good password security.
- Algorithmic complexity rules are no longer recommended
Just as with the password change requirements, studies have shown that requiring combinations of upper case, numbers, and symbols does not lead to improved password security. Mixing letter case and including numbers and symbols is still recommended, but we don’t have to go overboard on complexity.
- Password novelty is vital
Attackers use lists of previously chosen passwords. This works because most people aren’t very good at coming up with a novel password (one that has never been used before). To get around this, you should choose your password by finding some random text and choosing a phrase out of it. Random text could be a random spot in a book or magazine, or https://en.wikipedia.org/wiki/Special:Random. Such phrases tend to be easy to memorize and importantly, novel. A phrase such as “field of contract” could provide the password FieldOfContract, or for systems that still require complexity, FieldOfContract-1.
- Password length is important
The recommended length of passwords keeps going up; currently we recommend at least 12 characters. Choosing a phrase as described above provides at least as much strength as 5xYY!.3blT and is much harder to crack because it has more characters.
- Avoid reusing passwords and password “patterns”
Crackers are looking for reused passwords. Many systems have been breached over the years, and there are lots of credentials (username, real names, emails, and passwords) for sale on the Dark Web. An attacker targeting you might get some password you used in the past, and start trying it on your current accounts. Adding the year to a root password, or the month, or the name of the site will not help – if an attacker knew that you used “MyGreatPassword2017-AMZN” on an Amazon account in the past, they will definitely try “MyGreatPassword2020-CITI” on your bank account.
- If it’s on-line, important, or could be used to leverage access then turn on multi-factor authentication
Sorry, but it’s just a fact of life now: to be reasonably safe from cracking we need to be using multi-factor authentication. Without it, crackers have a pretty good shot at your accounts. Set up properly, it really isn’t a huge hassle, just something to adapt to.
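The guidelines above (a minimum length, no composition or expiry rules, rejecting passwords on known-compromised lists, and rejecting decorated variations of an earlier password such as the “MyGreatPassword2017-AMZN” to “MyGreatPassword2020-CITI” pattern) can be turned into a simple acceptance check. This is an added example, not code from the post; the compromised-password set and the suffix patterns it strips are constructed assumptions.

```python
import re

MIN_LENGTH = 12  # the post's current minimum recommendation

# Constructed sample of a known-compromised password list. A real deployment
# would load a large breach corpus here rather than a handful of entries.
COMPROMISED = {"password", "123456789012", "letmein12345", "qwertyuiop12"}

# Decorations people bolt onto a reused root: a year, a counter, a site or month tag.
_SUFFIXES = [
    re.compile(r"[-_.!]?(?:19|20)\d{2}$"),  # year: ...2017, ...-2020
    re.compile(r"[-_.!]?\d{1,4}$"),         # bare counter: ...1, ...-42
    re.compile(r"[-_.!][a-z]{2,6}$"),       # separator + tag: ...-amzn, ...-citi, ...-jan
]


def root_of(password: str) -> str:
    """Lower-case the password and peel off trailing decorations to expose the root."""
    root = password.lower()
    for _ in range(4):  # bounded: people stack a few decorations at most
        stripped = root
        for pattern in _SUFFIXES:
            stripped = pattern.sub("", stripped, count=1)
        if stripped == root:
            break
        root = stripped
    return root


def check_password(candidate: str, previous=()) -> list:
    """Return the reasons to reject `candidate`; an empty list means it is accepted.

    `previous` holds the user's earlier passwords so that pattern variations
    are caught. No composition rule and no expiry check are applied, in line
    with the guidelines above.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    root = root_of(candidate)
    if candidate.lower() in COMPROMISED or root in COMPROMISED:
        reasons.append("appears in a list of known-compromised passwords")
    if root and any(root == root_of(old) for old in previous):
        reasons.append("variation of a previously used password")
    return reasons


if __name__ == "__main__":
    print(check_password("FieldOfContract"))  # []
    print(check_password("MyGreatPassword2020-CITI", ["MyGreatPassword2017-AMZN"]))
```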
Managing passwords is daunting, especially when we are trying to keep them secure. There are many free or inexpensive password managers that will generate and remember unique, long passwords for you. The best part is that they will enter them into your web sites and applications: no remembering, and no typing long passwords. Some of the key players in the password manager space are LastPass, RoboForm, Dashlane, and Keeper. A good password manager can save a lot of headaches. It’s important to stick with the big players for password management: getting this right is hard, and the big ones have been well tested over time. Other systems, such as those built into browsers, are less secure and can be more easily compromised. Using one of the mainstream applications helps protect you both from your password manager getting cracked and from losing access to it yourself.