DATA DUMP: Stop B@d Pa$$word$

Password security policies are being updated: Copyright: maxkabakov

Remembering passwords is hard work. For years, the working theory has been that you need a different password for every website you visit. And it can’t be something simple; it needs to be complex. A complex password has typically meant a minimum of 8 characters, with upper case, lower case, numbers and symbols all required to meet the rule. Oh, and once every 90 days (or even sooner), you need to change the password. But who can remember all this?

The rules for passwords are beginning to change, with the National Institute of Standards and Technology (NIST) releasing an updated Cybersecurity Framework for the private sector in May. Websites are also beginning to implement two-factor authentication. I will dive into NIST in a later article.

The new guidelines drop the need for periodic password changes, reduce the complexity requirements, and allow a broader range of characters, including emojis. NIST recommends that website owners check submitted passwords against a blacklist of passwords that are widely known, have been compromised, or are commonly used. The guidelines still recommend a minimum of 8 characters, and allow up to 64, so you can create a memorable passphrase. Longer passphrases are easier to remember. An example would be: ilovetoreadtechnews OR ILovetoReadTechNews.
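To make the guideline above concrete, here is an added example (not code from the original column or from NIST) of a password check that follows these rules: a length limit of 8 to 64 characters counted as Unicode code points (so an emoji counts as one character), no upper/lower/digit/symbol composition rule, and a blacklist lookup for known-compromised passwords. The blacklist here is a constructed five-entry sample, and the lookup is written as a range query over a SHA-1 prefix, the same idea used by breached-password services, so the checking side never sees the full password hash.

```python
import hashlib
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed sample "breach corpus" (assumption: a real deployment would use a
# large compromised-password list or a range-query service, not five entries).
COMPROMISED = {"password", "123456", "qwerty", "iloveyou", "letmein"}


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded text (the usual corpus format)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


COMPROMISED_SHA1 = {sha1_hex(p) for p in COMPROMISED}


def range_lookup(prefix5: str) -> set:
    """Simulates a k-anonymity range query: the caller reveals only the first
    five hex characters of the hash and gets back every matching suffix, so
    the service cannot tell which password was actually being checked."""
    return {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix5)}


def is_compromised(password: str) -> bool:
    """True if the password's full SHA-1 appears in the corpus; the comparison
    of the suffix happens on the caller's side."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def normalize(password: str) -> str:
    """NFKC-normalize so that visually identical Unicode input (e.g. composed
    vs. decomposed accents) is treated as the same secret."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list:
    """Return a list of violation codes; an empty list means the password is
    accepted. There is deliberately no composition rule and no expiry."""
    pw = normalize(password)
    problems = []
    length = len(pw)  # code points, so "🔑" counts as one character
    if length < MIN_LEN:
        problems.append("too_short")
    if length > MAX_LEN:
        problems.append("too_long")
    if is_compromised(pw):
        problems.append("compromised")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "short", "ilovetoreadtechnews", "🔑" * 8]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The order of checks matters a little in practice: hashing and looking up a password that is already too short wastes a query, but reporting every violation at once gives the user one clear message instead of several round trips.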

Two-factor authentication (2FA) is starting to become a requirement on some websites. 2FA uses another code, PIN or one-time key in addition to your normal username and password to verify that you are the correct person. 2FA is not a new protocol, but it has only recently become mainstream. An example is logging into iTunes on your computer: Apple sends a one-time code as a text message to your phone. In highly secure work networks, you might have been provided a key fob token that displays random one-time passcodes that change every few minutes, allowing you to access work email securely from home.

It is also still a good idea to continue using different passwords for different websites. You particularly need to adhere to that rule for your online banking and health records. It is pretty much a given that the quantity and complexity of passwords lead people to write them down on paper somewhere.

There are alternatives to keeping a small notebook with all your important passwords. A better option is a password manager such as LastPass, which will remember each login and create a complex password for you. The only password you need to remember is the master password that unlocks your secret, secured password vault. Password managers can be set to log in to a website automatically based on its web address, and the mobile versions let you copy and paste the needed account info into other mobile apps.

Evolving password protocols will potentially ease the burden on technology support representatives. Most websites have password recovery features built in, but support calls for password resets are still among the most common technical support requests.

Technicians receiving password reset requests are also susceptible to voice phishing, the practice where someone pretends to be you in order to gain access to your private information. You will know your account has just been breached if you get an email indicating your password was reset when you didn’t do it.

A final note on passwords. Never provide personal information or enter login information on a website that is not secure. This is easily checked by looking for HTTPS at the beginning of the web address. The added S means the website has a security certificate installed, and your web browser will also show a locked padlock icon. Websites without this security could be sending your info as clear, unencrypted text.

Even with all of this, unfortunately, no network is 100% secure. It’s like locking the doors on your house at night: it’s a deterrent that makes things harder. Safe surfing.