Password Tips

It’s World Password Day!

That time of the year when all IT people get together and remind the whole world that we all suck at passwords. Did you know that 123456 is STILL the #1 most common password! How in the world is this still the case! They say insanity is doing the same thing over and over again and expecting different results, so I guess that means we are all insane! HA! But really, we have some great news for you and a couple of tips as well!

First, the good news! It's no longer recommended that you reset your password every 90 or 120 days. The current guidance is: don't change a password on a schedule, change it when there is evidence it has been compromised – BUT – you need to use a good password in the first place. Here are a few of the current NIST (National Institute of Standards and Technology) Password Guidelines, from Special Publication 800-63B:

Quick NIST Password Guidelines
Length beats complexity!
NIST sets the minimum for user-chosen passwords at 8 characters; we suggest at least 12 (check out the picture below to see why!). The easiest way to get there is a password made of 3 or 4 random words. One way to pick them is to put yourself in a familiar place, like your living room or your office, look at the walls and pick 3 or 4 random objects - BOOM – new password. It's really hard for a computer to guess WhiteboardTableStaplerKids, but you can remember looking at those objects pretty easily. Two cautions: the words should not form a phrase, quote or song lyric (crackers try those first), and they should not be things a stranger could learn from your social media.
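As an added example (this is not code from the original post), here is a small Python script that picks the words with a cryptographically secure random choice instead of by eye, and works out how many bits of guessing work the result represents next to a 12-character all-lowercase password. The wordlist is a constructed sample of room objects; a real deployment would load a large list such as the EFF wordlist (7,776 words), and the guess rate passed to `years_to_exhaust` is an assumption that depends on the password hash and the attacker's hardware.

```python
import math
import secrets

# Constructed sample wordlist for illustration only. Swap in a real list
# (the EFF large wordlist has 7,776 entries) for actual use.
SAMPLE_WORDLIST = [
    "whiteboard", "table", "stapler", "kids", "lamp", "window", "plant",
    "monitor", "coffee", "clock", "shelf", "carpet", "poster", "router",
    "speaker", "notebook", "pencil", "curtain", "chair", "printer",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_passphrase(words, count=4, separator="-"):
    """Join `count` words chosen uniformly at random from `words`.

    `secrets.choice` uses the OS CSPRNG; `random.choice` is seeded from
    predictable state and must not be used for anything secret.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Bits of entropy when the attacker knows the wordlist and the word
    count: log2(wordlist_size ** count). Only the random selection counts;
    the words themselves add nothing if the list is known."""
    return count * math.log2(wordlist_size)


def charset_entropy_bits(charset_size, length):
    """Bits of entropy for a truly random string of `length` characters
    drawn from a charset of `charset_size` (26 for lowercase letters)."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years for an attacker to try every possibility at a fixed rate.
    The rate is an assumption: a fast hash (MD5/SHA-1) on a GPU rig allows
    billions of guesses per second, a slow hash (bcrypt/Argon2) far fewer."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    # Compare 4 words from a 7,776-word list with 12 random lowercase letters.
    for label, bits in (
        ("4 words from a 7,776-word list", passphrase_entropy_bits(7776, 4)),
        ("12 random lowercase letters", charset_entropy_bits(26, 12)),
    ):
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e10):.2f} years at 10 billion guesses/s, "
              f"{years_to_exhaust(bits, 1e5):,.0f} years at 100,000 guesses/s")
```

The last two columns make the point behind the chart at the end of this post: the same password survives seconds or centuries depending on how the site stores it, so length is the part you control.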

Passwords should not expire (unless compromised)
This is pretty straightforward, and it's great news that you don't have to force the passwords in your company to expire every X days. You should still force a change when a password shows up in a breach or an account looks compromised. We would also caution that certain regulations haven't caught up to the new guidelines, so it might cause a compliance issue if you DON'T change your passwords. Make sure to check any regulations that your business operates under.

Users should NOT use sequential (ex. “1234”) or repeated (ex. “aaaa”) characters
Back to the first point: length beats complexity, but that doesn't mean you can use a stupid password! Runs like "1234" or "aaaa" are the first things a cracking tool tries. This is 2021! We fought off Covid-19 with a bit of facecloth and some Lysol! We can do better with our passwords!

Two-factor authentication (2FA) should avoid SMS for codes
This means you should be using an authenticator app like Authy, Microsoft Authenticator, or Google Authenticator wherever you can instead of having a text sent to your cell phone. Text-message codes can be intercepted (SIM swapping, for example), which is why NIST classes them as a restricted authenticator.
Knowledge-based authentication (KBA), such as "What was the name of your first pet?", should not be used
This means don't do all those silly Facebook quizzes about what kind of Power Ranger you are or "What's the first car you broke 100 in?" Those quizzes and sites are often used to harvest personal details and break into accounts that use KBA for password resets (e.g. your BANK).

Passwords should not have hints
See above! If you have hints, I can probably guess it, because you love to fill out silly quizzes and give away all your personal information. I can look at your Facebook and get all your kids' names, then Google them to see what date they were born. Boom. I just guessed half your passwords.
Limit failed password attempts before locking an account
Pretty straightforward – don't let people keep hacking away at your accounts. NIST's rule is that a verifier must rate-limit an account to no more than 100 consecutive failed attempts; many organizations choose a much lower threshold such as 10, which is what we recommend. This makes it hard for hackers to "brute force" your accounts, and on top of that, an account that keeps getting locked is a red flag that someone is probably trying to hack you, so make sure lockouts are logged and alerted on. One caveat: a short lockout (say 15 minutes) is better than a permanent one, because an attacker who knows the usernames can otherwise lock your whole staff out on purpose.
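As an added example, not code from the original post, here is a minimal Python failed-attempt tracker of the kind a login service would wrap around its password check: it counts consecutive failures per account, locks the account for a fixed window once the threshold is hit, and reports when a lock trips so the event can be logged. The threshold, window and the injected clock are assumptions chosen for the example, not NIST-mandated values.

```python
import time


class LoginThrottle:
    """Track consecutive failed logins per account and lock the account
    for `lock_seconds` once `max_failures` is reached.

    The clock is injected so the behaviour can be tested without sleeping.
    Constructed example; a real service would keep this state in a shared
    store so the limit holds across all login servers.
    """

    def __init__(self, max_failures=10, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> unix time the lock expires

    def is_locked(self, account):
        """Check before verifying the password at all: a locked account is
        rejected even if the guess is correct, which is what stops the
        attacker from learning when they got it right."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the state so the user gets a fresh budget.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record a wrong password. Returns True if the account is now
        locked; callers should log that event, since repeated locks on one
        account are a strong signal of a guessing attack."""
        if self.is_locked(account):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, account):
        """A correct password on an unlocked account resets the counter."""
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, check_password):
    """Typical wiring: refuse locked accounts first, then verify."""
    if throttle.is_locked(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "denied"
```

`attempt_login` deliberately returns the same "locked" answer whether or not the password was right, so an attacker cannot use the lockout itself as an oracle.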

Complexity requirements should not be used, e.g. requiring special characters, numbers, uppercase, etc.
Oh, happy day! See point #1 above! Length is king. People aren't great at complexity and we all do the same things, like using @ for a and ! for i or capitalizing the first letter and putting a 1 at the end. Cracking tools have rules for exactly those substitutions, so they add almost nothing. NIST's alternative is to screen new passwords against a list of known-breached and common passwords instead.

Context-specific words, such as the name of the service, the user's username, etc., should not be permitted
You shouldn't use your email, username, or the name of the service you're logging into as part of your password! Back to point #1 for how to create a good password!

The NIST guidelines go into a lot more detail, but it makes for boring reading! If you can implement the above, you're taking the first steps in really protecting your business and your clients. A few other tips we always tell people to implement, both at the business and at home, are:

Use a password manager
We all know we shouldn’t use the same password for multiple sites, but it’s HARD to remember them all. So get a password manager to let it do all the remembering for you! There are several great companies out there, and if you’re a client of ours, we give you access to a great one for your business as part of our CompleteCare service!

Turn On 2FA (2-factor authentication)
NIST says you shouldn’t use SMS (texting) as your 2FA code because it’s easier to hack, but you absolutely should use 2FA everywhere you can and if the website or app doesn’t support an authenticator app like Authy, then use SMS. 2FA with SMS is still better than no 2FA!

Get a service to monitor for stolen passwords
This is becoming more widespread: Google and Microsoft will check a new password against lists of credentials exposed in known breaches and warn you not to use it. We also suggest a dark web monitoring service for business, so you can monitor your whole domain. The premise behind these services is that if ANY account at your domain has a stolen password for sale, you get notified so you can get that person to change it and stay a step ahead of the bad guys! More good news – we provide this service to our CompleteCare and CyberCare customers!

And just for fun, here is a cool graphic that estimates how long it takes to brute-force a password based on length and character set. If you look at 12 characters you will see why we recommend that length: even a low-complexity password (just letters) lands at 600 years in this chart. Two caveats: these estimates assume an attacker working offline against a properly hashed copy of the password with a particular hardware budget, so the numbers shift with the hash and the year; and none of it helps if the password is reused from a breached site or is a common phrase, because a cracker tries those lists before brute-forcing anything.


How long does it take for your password to be cracked?

Check out our cybersecurity service - CyberCare