Passwords are frustrating. Many times the requirements placed on them make their creation — and more importantly remembering them — difficult. The most frustrating situation is when your password is not accepted, so you reset it, only to have the new password rejected because it matches what you originally typed.
If you are accessing a managed system, in many instances, passwords must be changed approximately every 90 days, be a certain length and contain certain special characters. The reasoning behind this is to prevent users from using generic passwords such as "Password," as a way of securing their account.
The Company indeed has requirements in place that you must follow when creating a password. However, even with these policies, everyone can improve their awareness and hopefully limit risk to the Company. In addition, if you regularly access personal email or online banking or log in to any online system, these guidelines may help to protect your personal accounts and information from unwanted access.
The National Institute of Standards and Technology (NIST) is a non–regulatory agency of the U.S. Department of Commerce. Their mission is, "…to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
The NIST regularly releases publications on many important topics. The publication, "Digital Identity Guidelines," lays out best practices for password creation.
Surprisingly, some of the NIST suggestions go against what we have been taught about strong, secure passwords. The guidelines recommend new password practices that will affect both the way websites handle passwords and the people who use them. They suggest the following practices be put in place:
- Eight (8) character minimum (when it is set by a human, instead of a system generated password)
- Support at least 64 characters maximum length
- All ASCII (pronounced ask–ee) characters, including the space, should be supported. (ASCII codes represent 128 English characters as numbers, with each character assigned a number. For example, the ASCII code for an uppercase M is 77.)
- Truncation of the secret (password) shall not be performed when processed
- Check chosen password with known password dictionaries
- Allow at least 10 password attempts before lockout
- No complexity requirements
- No password expiration period
- No password hints
- No knowledge–based authentication (e.g., What is the name of your first pet?)
- No SMS for a one–time password
In the past, we were taught to complicate shorter passwords with special characters and changes in letter case. For instance, if your password was "Password," you would have changed it to "P@55w0rd" and supposedly achieved a higher degree of security.
Per the new guidelines, however, the NIST found length is more important than complexity. Setting a longer password means more time for a computer to cycle through potential passwords and find one that works.
According to howsecureismypassword.net, "P@55w0rd" would take a computer approximately nine hours to crack. The password "National Escrow Administration," solely based on length, would take approximately 27 undecillion years (yes, that is a long, long time). Many systems also have limits in place on the number of password tries. Not all of these best practices, however, are a complete fail-safe against this type of password attack.
Length is not the only factor to consider when setting a password. In the above example, common words were used as passwords. Such common words or phrases would likely be cracked far faster than those estimates suggest, since cybercriminals use password dictionaries when attempting to crack passwords.
Password dictionaries are lists of passwords that are built on previously used passwords (released through prior cyber–attacks) and commonly used words or phrases. The length and size of these lists are staggering. If you are still using a password that was exposed in a cyber–attack — even if it is for a different login — there is a good chance it appears in a password dictionary.
Another important best practice when satisfying password requirements is to avoid simple, common changes. For instance, if you chose "Password," but you still need to include a number, you change it to "Password1." You still need a special character, so now it becomes "Password1?." That is neither a very unique nor a very secure password. NIST recognizes this within its best practice of "No complexity requirements."
NIST also acknowledges the limited ability of humans to remember complex passwords and how the requirements, while met, often do not add security — as the example above illustrates. When you are simply meeting the requirements of a password, make sure to follow the spirit of the requirement and not just the requirement itself. If you use common words or phrases and merely add "1?," your password would probably make the dictionary list or would be much easier to guess.
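The following is an added example, not code from the article or from NIST, showing how a login system could implement the password-acceptance rules listed above: an 8-character minimum, support for at least 64 characters, acceptance of every printable character including the space, no truncation, no complexity rules, a check against a breached-password dictionary, and a lockout only after 10 failed attempts. The dictionary check also reduces trivial variants such as "P@55w0rd1?" to their base word so the "Password1?" problem described above is caught. The blocklist, the substitution table, and the account name are all constructed for the example; a real deployment would load a large list of leaked passwords.

```python
import re
import unicodedata

# Constructed stand-in for a breached-password dictionary (a real list has millions of entries).
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein",
    "national escrow administration",  # constructed entry: long phrases leak too
}

MIN_LENGTH = 8      # minimum for a human-chosen password
MAX_LENGTH = 64     # at least 64 characters must be supported
MAX_ATTEMPTS = 10   # allow at least 10 attempts before lockout

# Constructed table of the substitutions people make to satisfy complexity rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(password: str) -> str:
    """Unicode-normalize the candidate. The full string is kept: no truncation."""
    return unicodedata.normalize("NFKC", password)


def canonical_form(password: str) -> str:
    """Reduce a candidate to the base word an attacker's dictionary would list.

    'Password1?' -> 'password' and 'P@55w0rd' -> 'password', so tacking '1?'
    onto a dictionary word or swapping in symbols does not escape the check.
    """
    core = password.lower()
    # Drop the digits/punctuation appended or prepended to meet old complexity rules.
    core = re.sub(r"^[^a-z ]+|[^a-z ]+$", "", core)
    # Undo common letter-for-symbol substitutions inside the word.
    return core.translate(LEET_MAP)


def check_password(password: str) -> tuple[bool, str]:
    """Apply the acceptance rules. Returns (accepted, reason)."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: minimum is {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: maximum is {MAX_LENGTH} characters"
    # Every printable character, including the space, is allowed; only control
    # characters (tab, newline, DEL, ...) are rejected.
    if any(ord(c) < 32 or ord(c) == 127 for c in pw):
        return False, "control characters are not allowed"
    # Deliberately no "must contain a digit/symbol/uppercase" rule.
    if canonical_form(pw) in BREACHED_PASSWORDS:
        return False, "matches a breached-password dictionary entry or a trivial variant of one"
    return True, "accepted"


class LoginThrottle:
    """Per-account failed-attempt counter that locks only after MAX_ATTEMPTS."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}

    def record_failure(self, account: str) -> int:
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account]

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_ATTEMPTS


if __name__ == "__main__":
    for candidate in ["P@55w0rd", "Password1?", "short", "blue kettle walks uphill slowly"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({reason})")
```

Note that the long phrase "blue kettle walks uphill slowly" is accepted with no digits or symbols at all, while "P@55w0rd" and "Password1?" are both refused because they reduce to the dictionary word "password".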
Many user portals also provide a secondary way to gain access through security questions. Many of these involve basic knowledge and history, which goes against the NIST "No knowledge–based authentication" best practice. For instance, anyone following your social media feed may already know the answer to "What is your favorite color?" Be cautious when answering those questions.
Do not use common knowledge answers, as an IT professional did when working at a large credit card data processing facility. Cybercriminals created a dossier on the victim by following him on social media, and learning his favorite food, color and other pertinent information. Then, they called the victim's company and reset the password by answering the security questions with the information they had collected. Criminals gained access to the victim's account and reams of credit card data.
For increased security, use longer passwords and avoid common phrases, words or substitutions. If you have trouble remembering passwords, start with a sentence you can remember and then make uncommon changes.
Alternatively, sign up for a password storage program that creates and maintains strong passwords for you. Avoid using duplicate passwords. If you become aware that an account has been breached, change your password and never use that one again. After all, no one likes getting spam from your compromised email account.
Note: Not all hackers are out to do harm and many look to help companies, for a fee. Learn the different types of hackers and the color of hats they wear in next month's cyber buzz article "NOT all hackers wear the same hat."
Article provided by contributing author:
Scott Cummins, Advisory Director
Fidelity National Title Group
National Escrow Administration