Could you or your business recover if your passwords were compromised and your private information was open to malicious exploits? Passwords have become the keys to our lives. They are all that stands between an attacker and our confidential personal and business data, and for many people, their very livelihood!
Recently the National Institute of Standards and Technology (NIST) released Special Publications 800-63-3, 800-63A, 800-63B and 800-63C. Together these make up the Digital Identity Guidelines and are considered the authority on user accounts, e-mail accounts, passwords and authentication.
These publications, along with guidance from vendors like Microsoft over the last few years, have changed the way credentials and authentication are viewed. In this article we review the basics so that our friends, customers, future customers and readers in general can get the key points without having to read the full technical publications.
Traditional password requirements can be broken down into a few different categories:
- Length of password (e.g. how many characters)
- Complexity of password (e.g. special characters)
- Duration of validity (e.g. when it expires)
These stringent requirements frequently produce the opposite of what was intended, which poses its own set of significant security risks. With regard to length and complexity, such passwords are difficult to remember, so they are often written down or stored in an unsecured fashion on the user’s computer. When a user is forced to change their password arbitrarily (e.g. passwords expire every 30 days), they typically change only one character of the password, which creates predictable patterns. For example, ‘P@ssword1!’ would be changed to ‘P@ssword2!’.
Most of us have been in situations where we’ve had to change a password because it expired or we’ve forgotten it because it was overly complex.
From personal experience, there have been several times when setting or resetting a password that I didn’t meet the requirement for special characters or number of characters. If it was a forced password reset, very often I attempted to use a password I had previously used at some point in the past. In either case, my chosen password was rejected and the process started all over again. It’s a very frustrating situation to find yourself in!
Drawing on the NIST special publications referenced above, here are some summarized password do’s and don’ts:
Do’s
- Use at least 8 characters in your password.
- Allow passwords to be up to at least 64 characters
- Use memorable phrases (e.g. A phrase that means something to you, the end user)
- Set account lockout policies if possible (3 or more failed attempts locks the account)
Don’ts
- Use fewer than 8 characters (short passwords make brute-force attacks practical)
- Impose complexity requirements
- Impose password expirations or arbitrary forced password changes
- Use dictionary words for passwords
- Use passwords from previous security breaches
- Use repetitive or sequential characters (e.g. ‘aaaaaaaa’, ‘1234abcd’)
- Use the same passwords for business related accounts that you use for your personal accounts
- Use context-specific passwords (e.g. name of service, username or derivatives of either of those things)
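To make the list concrete, here is an added example (not from the original article, and not code from NIST) of a password-acceptance check in Python that applies the summarized rules above to a submitted password. It enforces only length, blocklist and pattern checks, and deliberately imposes no complexity rule; the breach and dictionary sets are tiny constructed samples standing in for a real corpus.

```python
import re

# Constructed sample of known-breached passwords; a real deployment would
# consult a full breach corpus rather than a hard-coded set.
BREACHED = {"password", "p@ssword1!", "qwerty123", "letmein"}
# Constructed sample of dictionary words; a real deployment would use a full word list.
DICTIONARY = {"password", "welcome", "sunshine", "dragon", "monkey"}


def has_sequential_run(s, run=4):
    """True if s contains `run` consecutive ascending or descending
    characters, e.g. '1234', 'abcd' or 'dcba'."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, username="", service=""):
    """Return the list of summarized NIST 800-63B rules the password breaks.
    An empty list means the password is acceptable. There is intentionally
    no special-character or digit requirement, and spaces are allowed so
    that multi-word phrases work."""
    reasons = []
    if len(pw) < 8:
        reasons.append("fewer than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    low = pw.lower()
    if low in BREACHED:
        reasons.append("appears in a known breach list")
    if low in DICTIONARY:
        reasons.append("is a single dictionary word")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("contains 4 or more repeated characters")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run such as 1234 or abcd")
    # Context-specific values: the username or service name must not appear in the password.
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains the {label} '{ctx}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssword1!", "1234abcd", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
```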
After going over these password do’s and don’ts, I recommend choosing a password that’s composed of a multi-word phrase and easy for you to remember. If complexity requirements aren’t enforced but you feel like you want to make it complex, then that’s your choice.
The passwords I typically use are a phrase that’s meaningful to me and include 8 or more characters, and I almost always change one of the letters in the word to a special character or number. For example, you could use ‘@’ in place of an ‘a’ or ‘3’ in place of an ‘e’.