Many of us have been using a password of between 8-12 characters with triple complexity for a number of years now. By triple complexity we mean upper/lower case letters, with the addition of numbers or special characters such as &*^%. The US National Institute of Standards and Technology (NIST) initially campaigned for this format and it's adoption has become commonplace worldwide. Now, they say their advice was mistaken and we need to adapt to new formats until passwords are phased out...
The Problem
The issue isn’t necessarily that the NIST advised people to create passwords that are easy to crack, but it steered people into creating lazy passwords, using capitalisation, special characters, and numbers that are easy to predict, like “P@ssW0rd1.”
This may seem secure, but in reality, these strings of characters and numbers could easily be compromised by hackers using common algorithms.
To make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.
NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for computers to guess.
Recently, the institution admitted that this scheme can cause more problems than solutions. It has reversed its stance on organisational password management requirements, and is now recommending banishing forced periodic password changes and getting rid of complexity requirements.
The Solution
Security consultant Frank Abagnale and Chief hacking officer for KnowBe4 Kevin Mitnick both see a future without passwords. Both security experts advise enterprises to utilise multi factor authentication (MFA) in login policies.
This requires users to present two valid credentials to gain access to their data. For instance, a code texted to an employee’s smartphone can serve as an added security measure to thwart hackers.
Moreover, Mitnick recommended implementing long passphrases of 25 characters or more, such as “correcthorsebatterystaple” or “iknewweretroublewhenwalkedin5623”. These are much more difficult to guess and less prone to hacking. As for the frequency of changing passphrases, it will depend on a company’s risk tolerance.
Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.
Even better, you should enforce the following security solutions within your company:
Single sign-on – allows users to securely access multiple accounts with one set of credentials
Account monitoring tools – recognises suspicious activity and locks out hackers
When it comes to security, ignorance is the biggest threat.
Diamond's recommendation
In our blog on "How to select a secure password" from early in 2018 you'll find these same recommendations, without the suggested withdrawal of what we called Option 1, the 8-12 character password with multiple complexity. Option 2 from our blog matches the new recommendations from the US NIST.
We'd like to re-enforce the importance of Multi-Factor Authentication. A good password teamed up with a 2nd or 3rd form of authentication makes your account VERY hard to break into.
Talk to our Business Technology Managers
Our Business Technology Managers can advise you on a number of ways to improve your security practices. Give us a call on 1300 307 907 or contact us via the form below.
Published with permission from TechAdvisory.org. Source.