Rethink Your Password Creation Strategy

Posted by Ben Fraley on September 5, 2017 at 1:55 PM
  • Must be at least 6 characters
  • Must contain upper and lowercase letters, a number, and a symbol
  • Must change every 60 days

Sound familiar? These have been standard rules for password creation for decades. The National Institute of Standards and Technology (NIST) is the government organization behind these familiar password rules, and just earlier this year they annouced that their official standards and recommendations are going to be undergoing a major re-write. They've sought advice from cybersecurity experts and have been open with their development of a new standard for passwords. While not yet official, here is a look at the major cybersecurity themes in the drafts of the new regulation:

Length is more important than complexity. Let's take a step back and think about how a hacker might crack your password. A very common tactic is to "brute force" a password by simply having a program guess password after password as fast as it can. These guesses will use commonly used passwords, and they are smart enough to guess that "s" that you replaced with a $ symbol. The shorter a password is, the less time it takes for a program to successfully crack it. As a result, NIST is now recommending that a longer password, even if it is all letters or all numbers, is preferable.

Think passphrase, not password. Another common method of password cracking is known as a dictionary attack. This is a more targeted version of a brute force attack, where instead of trying all possible combinations, it first tries actual words and their symbol replacement versions, like "aardvark" and "@@rdv@rk." Using a series of short, unrelated words makes for a great passphrase, because it is easy to remember, fast to type, but hard for a password cracking program to guess. A great example would be "Pencil8Cricket4Hambone."

Password expiration does more harm than help. Being forced to come up with a new password on the spot every time a password expires plays right into the hands of a hacker; it causes newly set passwords to be less secure than they can be. People will very often end up re-using a password from a different account because they have that password memorized. This is not a good idea because now if that password is cracked, a hacker can get in to both of those accounts. Another action that a person often does when faced with a password expiration is to simply increment their password from "hunter2" to "hunter3," and so on. So many people use this method that it makes the point of password expiration moot. Password expiration is a pain to both IT admins and their coworkers, and we should start to see this requirement go away over the next few years as other regulations and industries adopt NIST's new standards.

Use multi-factor authentication when available. Many people have used a form of multi-factor authentication (MFA) before, likely when logging in to your online banking where they then send an SMS text message with a confirmation code. This is a basic and early form of multi-factor authentication. The gist of MFA is "something you know + something you have." It is a much more effective means of proving you are you than a simple password. The password is the "something you know". The second factor (the "something you have") can be many things: your phone, a fingerprint reader, facial recognition, an alternate email address that is sent a one-time code, or even a dedicated MFA key fob device. Many websites and services offer MFA as an opt-in service for their user accounts, especially those that might save your credit card information for autopay. Check out your "My Account" page for your web services to see if you can enable MFA. There are a few smartphone apps that can help with MFA, too. Try out Google Authenticator, Microsoft Authenticator, or Authy.

As a last recommendation, Self-assess your current passwords. Do your passwords follow these general guidelines? Do you have a unique password for each account? Have you turned on multi-factor authentication where possible? Integrity recommends the use of a password management program like LastPass, DashLane, or KeePass. Password managers can help you keep track of all your unique, longer passwords, help you generate them, and even give you a "security score" to rate your password strength as well.

Try out these new tenants of account security, and your online presence will become much more protected! If you'd like to learn more about these new upcoming standards, and what else that you can do to secure your organization's data, contact Integrity Technology Solutions today!

Topics: Featured Blog Post, Tech Trends, Security