Don’t Take a Pass on Secure Password Guidelines
Today almost everything you do—and almost all information about you—is on a computer or a website connected to the internet. And nearly all businesses, from your doctor’s office to your mechanic, rely on computers and digital information to serve you and their other clients. So protecting this sensitive information with solid password guidelines should be a no-brainer.
Which is why it’s scary to see that research shows that the 25 most common passwords in 2019 include “123456,” “Google” and… wait for it…
It’s no wonder that identity theft and ransomware attacks are so common and successful. Occurring on a daily basis, they impact businesses and individuals indiscriminately. Since October is National Cybersecurity Awareness Month, there’s no better time to discuss the newest recommendations for password guidelines.
I mix letters, numbers, symbols… so I’m safe, right?
The traditional approach to password guidelines is to require at least eight characters with a mix of capitalization, numbers and symbols. So for a hacker with the ability to crunch numbers (called a brute force attack), ”password” (which can be cracked instantly) could become “P@ssw0rd” (which would take up to nine hours to decipher).
Now if brute force is all a hacker has, you’ve bought yourself a little bit of time. But hackers know that “password,” or a variation of that word, is often used. So they conduct complex attacks that start with all the variations of password before continuing with every other word in the dictionary. This is called a dictionary attack.
It doesn’t stop with basic dictionary and brute force attacks. If you or your company is being targeted, an attacker will do his or her research—and hackers are very, very good at research. They will scour your social media activity, and that of your friends and contacts, looking for anything they can use to build a custom dictionary of possible passwords.
They might also launch spear phishing attacks, which are targeted emails designed to trick you into divulging your password. By including or referencing the information found in their research, hackers make these emails look like they come from trustworthy sources.
They can also use the information they’ve found to do a vishing attack, which is a misleading solicitation by phone. Often the hacker will call a vendor you use regularly to gain access to your password. (Check out this video example of a successful vishing attack.)
So the short version of this long answer is… no. Merely mixing letters, numbers and symbols into your password will not keep you safe.
How complex do I need to make my password?
The primary goal of a more secure password is to prevent the unauthorized access of your user account without negatively impacting your ability to work. You want it to be hard to guess but easy for you to remember.
A common problem with the traditional complex password is that it’s hard to remember, so people write it down and re-use the same passwords across multiple places. Bad guys know this, so if they ever crack one they try it everywhere. Additionally, with the ever-increasing processor technologies in computers, these passwords are broken more quickly than ever.
Given these factors, there are new recommendations based on guidelines from the National Institute of Standards and Technology (NIST) for creating passwords to protect your information. While not all service providers currently support all of these recommendations, we encourage you to get as close as you can to the following guidelines:
- Use a longer, personalized password (sometimes called a passphrase) with a 16-character minimum length requirement (e.g. “make my password strong” vs. “password”), with a longer passphrase being better.
- Encourage complexity requirements with special characters, capitalization and numbers. That said, length is more important (for example: “Make ^y P@ssw0rd strong” is much safer than “P@ssw0rd123”).
- Use different passwords for different sites and services. This limits the scope of your risk if one of your passwords is compromised.
- Require mandatory password changes less frequently or only when a compromise is suspected. This will make users less likely to reuse old passwords in an effort to remember them better.
- Ban common passwords and phrases, such as “We the People”, “P@ssw0rd”, “google” etc.
- Ban weak or easily guessed passwords, such as:
- Common names and their variations
- Pet or family names and their variations
- Anything that can be referenced on your social media
- Use multi-factor authentication when it’s available (for example, a passphrase and a PIN to your cell phone).
- Set accounts to lock after a few failed login attempts (up to six tries).
Additionally, we recommend that staff passwords not be kept by management or other staff members. The use of a password vault—a system that keeps passwords in a secure digital location—could also add significant protections to your corporate accounts.
A list this length might seem daunting, but comprehensive password guidelines are an important part of keeping your network safe. The Technology Solutions Consulting team at James Moore & Company can help you make sense of these recommendations and help you develop guidelines of your own—so your passwords can remain safe from harm yet accessible to authorized personnel.