For years, we’ve been told that in order to have a strong password it must include three things:
Who was it that started this practice and came up with the arcane and near impossible way to create complex passwords?
The answer is a little known entity to most of us, the National Institute of Standards and Technology or NIST, but here is the problem;
The issue isn’t necessarily that NIST advised people to create passwords that are easy to crack, but it does have a tendency to steer people into creating lazy passwords, using capitalization, special characters, and numbers wind up becoming very predictable, like “[email protected]”
At first glance it may seem secure, but in reality, these strings of characters and numbers could easily be compromised by hackers using common algorithms and to make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.
NIST essentially forced everyone, including you and your colleagues, to use passwords that are hard for humans to remember but easy for computers to guess which is almost the exact opposite of what they were trying to achieve.
One cartoonist pointed out just how ridiculous NIST’s best practices were when he revealed that a password like “[email protected]” could be cracked in only three days while a password like “dishwasherscorrectbreakfastcellphones” would take about 550 years.
Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.
Multi-factor Authentication - Also known as 2FA, this security technique will only grant access after you have successfully presented several pieces of evidence such as an approval with a cell phone text message or application installed on that mobile device
Single Sign-On - which allows users to securely access multiple accounts with one set of credentials which will reduce confusion with remembering multiple passwords
Password Expiration Policies: If you leverage a professional IT Support company they should be able to enable a group policy system that automatically expires user accounts on a scheduled basis reducing the chance of an ex-employee who may have access to your old password or a hacker that may have acquired your login credentials from accessing your systems when that password expires
Use an Enterprise Password Management Tool: One of your biggest threats with passwords is password reuse. We have a tendency to reuse passwords across multiple websites and services. The risk comes when you a common password or a similar password combo across different services like you internet banking and personal email accounts.. We use LastPass Enterprise to manage passwords and it will warn us if someone reuses a password, plus you don't need to remember the complex password that LastPass makes and you have access to that password's secure vault at all times. You basically will have a unique, complex password on every different site and you will just need to remember the one complex password of course protected by 2FA. Here is a link to a free trial of LastPass.. Give it a try
When it comes to security, ignorance is the biggest threat. If you’d like to learn about what else you can do to fortify security, just give us a call.