There are over 2,200 cyberattacks each day — or nearly one attack every 39 seconds. —Security Magazine
Why do we need to control passwords?
Many companies have outdated password rules that make it challenging for employees to manage. Some rules even make passwords less secure.
Several years ago, the National Institute of Standards and Technology (NIST) released its recommendations for passwords in the workplace. At the time, they seemed wise. However, many organizations and security firms have studied how passwords are used and how much they protect businesses.
Turns out, many of the “best practices” we’ve been taught are not helping and, in some cases, are making company data less secure. How? Many companies were enforcing outdated rules their IT departments taught them: random strings of numbers, letters, and capitalization would make for strong passwords.
We’ve found that random passwords are very difficult for most people to recall. So people end up with bad habits, like writing passwords on sticky notes and pasting them to their monitors or under their keyboards. They reuse complex passwords on multiple sites, meaning their entire identity could be breached.
Password tricks employees think are secure, but all hackers know:
- Adding a #, a !, or a 1 to the beginning or end of your password.
- Using Klingon, Dothraki, or Tolkien words. Cybercriminals use dictionary attacks that include thousands of pop culture references.
- Substituting numbers for common letters, especially vowels. Th3y kn0w thi1s tr1ck, t00.
- Putting their address as the password — but backward. They look for that pattern, too.
NIST’s new guidelines are easier to follow, more manageable for users to recall, and more secure. Here are the new guidelines from NIST (as of 2020):
Use passphrases — not passwords.
It is much easier to remember fluffy purple battle kitten than to remember E4!@10lO. Which one is the ‘O’ and which the zero? Guess what? It would take approximately 15 octillion years to crack fluffy purple battle kitten and only a few hours to crack the random one. Even a two-word passphrase like Pink giraffe is better (12 characters). It would take 12,000 years to crack. Yellow giraffe, however, would take 65 million years to break.
Want to see how long your password would take to crack? Try this free tool at HowSecureIsMyPassword.net
Setting a password policy
What are the components of a password policy?
- Follows NIST 2020 guidelines.
- Allow users to paste in their passwords.
- Limit password attempts.
- Use Multi-Factor Authentication. Verify who you are on another device. It is a great first step to improve security.
- Blacklist of common passwords (like 1234abcd, password, or qwerty).
- Require a minimum number of characters (we recommend no fewer than 12).
- Does not require special characters but allows any of them to be used.
- Prefers passphrases over passwords.
- Does not allow the user to include personal information (Ex. No phone numbers, birthdays, addresses, etc.).
- Does not require the employees to change passwords on a regular basis.
- Passwords should only be changed under the following circumstances:
  - Forgotten password
  - Security breach (there or on another system or device)
  - New device
- Allow passwords to be shown while typing. Hiding passwords is the greatest cause of errors.
- Provide a “strength meter” that shows password strength as the user types.
- Do not allow Knowledge-Based Authentication (KBA) for password resets. This is when employees give answers to security hint questions. These hints can be cracked easily by scouring someone’s social media accounts. Remember when Paris Hilton’s T-Mobile account was hijacked because people knew her favorite dog was named Tinkerbell? A hacker guessed that was her KBA hint and got in.
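The checks in the list above (minimum 12 characters, a blocklist of common passwords, no personal information, no required special characters) as a small validator. This is an added example, not code from the original article; the blocklist and the user fields are constructed, and a real deployment would load a breached-password list instead.

```python
import re
from dataclasses import dataclass

# Constructed sample blocklist; replace with a real breached-password list.
COMMON_PASSWORDS = {"1234abcd", "password", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12    # the article recommends no fewer than 12 characters
MAX_LENGTH = 128   # long passphrases are accepted rather than truncated


@dataclass
class UserInfo:
    """Personal data the policy forbids inside a password (constructed fields)."""
    username: str
    birthday: str   # e.g. "1990-07-14"
    phone: str      # e.g. "(555) 010-2233"


def _personal_fragments(user: UserInfo) -> set[str]:
    """Strings that must not appear in the password: username, phone digits,
    birthday digits and the birth year on its own."""
    frags = {user.username.lower()}
    phone_digits = re.sub(r"\D", "", user.phone)
    if len(phone_digits) >= 4:
        frags.add(phone_digits)
    bday_digits = re.sub(r"\D", "", user.birthday)
    if len(bday_digits) >= 4:
        frags.add(bday_digits)
    frags.update(re.findall(r"\d{4}", user.birthday))   # the year
    return frags


def check_password(password: str, user: UserInfo) -> list[str]:
    """Return a list of policy violations; an empty list means it is accepted.
    No composition rules: any printable character, spaces included, is allowed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Compare case-insensitively with spaces removed so trivial variants
    # of a blocklisted password are still caught.
    normalized = password.lower().replace(" ", "")
    if normalized in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    for frag in _personal_fragments(user):
        if frag in normalized:
            problems.append(f"contains personal information ({frag!r})")
    return problems
```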
Password fields: good vs. bad
Rolling out the policy
- Make it a company-wide event.
- Record it for anyone who can’t attend.
- Brief your internal IT department before anyone else.
- Invite your trusted vendors to a separate password meeting and tell them you highly encourage them to follow this approach.
- Have a password reset day where everyone resets on the same day. This will reduce your internal or external IT department’s workload with questions (there are always a few who have them, no matter how easy you make it).
Overcoming objections
Some employees may be reluctant to implement the new methods. Reassure them that this will increase security and decrease the number of password-reset calls.
Your employees will likely welcome the new approach, knowing they no longer need to change passwords every three months or remember which special character they used.
Work with your Managed IT Provider
Your Managed IT Provider can assist in every step of this process, from the development and implementation of the new policy to the rollout plan. They can even implement password manager apps that allow each employee to use one strong master password and the app generates strong passwords for each account that the user never sees.