After much research, the National Institute of Standards and Technology (NIST) has determined that we have been doing passwords all wrong!
Traditionally, best practice for password use has been a minimum of 6 characters composed of a combination of letters, numbers and symbols, which had to be rotated periodically. To make things more complex, companies typically added rules about how frequently a password could be reused – or prohibited reuse completely.
What NIST’s research showed is that all the rules simply pushed more people into predictable password patterns. Patterns like Jan18!, Feb18!, Mar18!, which satisfies the no reuse rule, the minimum length rule and the content rule. However, it is completely deducible with only a small amount of social engineering or programming.
So, based on this behavior, what did NIST recommend?
- Minimum length of 8 characters
- Maximum length of 64 characters
- Mandatory change based on enforced minimum length
- Check against dictionary of known bad passwords
- No composition rules
- No recovery hints
Now that we know what is to be done on the server or application side, how does the end user make use of the new best practices?
The best solution is to use a password vault with generation capabilities, which gets you down to a single password for access to the vault. Password vaults are programs that securely store large numbers of passwords protected by a password. For Windows, some of the popular ones are LastPass, Dashlane, KeePassX and Sticky Password. For MacOS, some of the popular ones are 1Password, KeePass, LastPass, and SplashID Safe.
If you are new to password vaults, then your next step is to visit all the websites you use and use the password vault to generate a new password for each one.
Alternatively, picking phrases that strike a chord with you from songs, movies, plays or books make good passwords, but make sure they are as long as you can remember – 20, 30…64 characters, with a minimum of 16 characters.
Once you have password habits that are cyber secure, it is time to secure your whole environment so you can become cyber confident.
If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at: info@thirdrock.com