Passwords are a pain in the butt. I don’t know anybody that likes setting one, let alone remembering what it is. A password’s ultimate goal is to protect something you hold valuable. The more hoops you’ve got to jump through to keep that something safe, the more obnoxious it is.
The new rules from the National Institute of Standards and Technology (NIST) aim to clear that up. The new rules establish a set of best practices that we here at Security7 Networks can totally get behind. We’re not going to get into the entire document (you can find it here) but we’ve listed a few quick takeaways below:
NIST recommends using 8 characters minimum (and 64 maximum) when creating a password. Obviously, we don’t recommend you use all 64 characters (you’ll never remember them), but we do recommend using something above the minimum. 10 or 12 characters should do the trick.
Passwords can include any and all printing characters (ASCII) or Unicode characters so there are plenty of combinations available for you to choose from but that leads us to our next point…
Even if you follow the 8 character minimum, the number combinations you can come up with are almost unlimited. Using both cases (upper and lower), numbers and special characters provides over 6 quadrillion potential combinations.
Despite all those possibilities, there are people out there who still use passwords like “123456” or the incredibly original “Password.” If you’re reading this and saying to yourself “Darn, they’ve guessed my password” we apologize and maybe you should think about changing things up before we log into your Instagram and delete all those cat memes you’ve been sharing.
The best way to avoid password ubiquity check your password against a list of commonly used poor choices like the ones in this list (http://www.huffingtonpost.com/entry/2016-most-common-passwords_us_587f9663e4b0c147f0bc299d)
Things to look out for when creating a new password include:
Passwords obtained from previous breach corpuses.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context specific words, such as the name of the service, the username, and derivatives thereof.
Now that you’ve avoided using too few characters and gotten away from commonly used passwords lets move on to why you shouldn’t use password hints or knowledge based authentication…
Don’t Use Password Hints or Knowledge Based Authentication
When you set up a password you’re usually prompted to set up a Q&A that, when entered correctly will reveal your password or allow you to reset it.
They’re mostly pre-generated and fairly commonplace: What was the name of your childhood best friend? What was the make and model of your first car? What street did you grow up on? What’s your inseam? Okay, maybe not the ‘what’s your inseam one.’
The problem with these is they’re fairly easy to guess and people are willing to surrender the information willingly with out even thinking about it. If you’re on Facebook you’ve more than likely encountered people sharing a status that asks questions in the same vein. It’s called “Status Phishing” and the people behind it are rooting around for personal information.
The NIST recommends using open ended questions INSTEAD of password hints and knowledge based authentication (KBA). An open ended question can be anything ranging from one word to a complete paragraph but it’s definitely more personal and customizable than a simple password hint or KBA.
Passwords Don’t Have to Expire or be Changed Periodically
Here’s the big shocker. Those passwords you’ve been using? As long as they haven’t been compromised don’t have to be changed. If you’ve ever logged into a computer and been prompted to enter a new password because you’re existing one has expired you know what we’re talking about.
The NIST is very, very clear on this:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.”
The excuse is a password becomes less secure the longer it’s in use and to be honest, there’s no information backing that up. If you’re responsible with your password and you’ve followed the steps above you should be, in theory, protected.
We’re not saying the NIST rules are the end all be all for authentication security but they should definitely point you in the right direction if you’re trying to stay secure while simplifying your security policy and procedures. It’s worth the read.