It’s Getting Deep In the Password Pool: Time To Drain It | By Dean Wiech


Hello and welcome to the password pool – a time and place where we are all swimming in passwords. I think it is safe to say that we have too many passwords and login combinations that must be remembered and managed. It’s no secret that most of us, and those who work with us, are overwhelmed by trying to remember exactly how to get into our most basic systems. You know, those systems we need to do our jobs. With so much we need to remember, what more can we do than just write down the credentials on sticky notes and place them about our workspace?

Most of us – the average workers – must remember seven or so password and login credential combinations, but it is likely that many of us need 12 or more. However, given the overwhelming password issues we all face, and the likelihood that passwords are far from obsolete, there must be some hacks (pardon the pun) that can be implemented to lighten the burden.

While we have long been instructed on how to create and manage passwords – change them regularly, use special characters, mix uppercase and lowercase, use 12 characters, etc. – it appears that what we have always been taught may be wrong. Shocking, but likely true. The United States National Institute of Standards and Technology (NIST) recently released new guidelines for password policies to be used across the whole of the US government, and these are often then adopted by other business sectors.

So, what are some of the major differences between current best practices and what NIST says we can safely (and should) be doing now? Well, as should always be the case, the practices should favor the user. NIST recommends that we stop asking users to do things that aren’t improving security.

Also, size matters in the password pool. NIST says passwords should be a minimum of eight characters.

NIST also says the maximum permitted length should be at least 64 characters. The user who creates a password 64 characters long either is a glutton for punishment or is calling the helpdesk quite often for a reset. Even stranger, NIST states that passwords must be allowed to contain all printable ASCII characters, including spaces, and should accept all Unicode characters.

Finally, organizations should maintain a list of banned passwords that are known to be bad choices. NIST recommends excluding at least 100,000 of them, including “ChangeMe,” “this is a password,” and “Yankees,” for example.

Now, for the NIST don’ts. NIST recommends no password composition rules. In other words, no more requirements that users include particular characters or combinations; no more passwords that must contain certain letters or symbols. NIST also recommends freedom of choice and now encourages passphrases instead of hard-to-remember passwords or contrived substitutions, such as “Trust Know 1.”

Also, no more knowledge-based authentication or expiration of passwords without reason. Passwords should only be reset if they are forgotten, if they have been phished or if the database has been stolen.
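To make the do’s and don’ts above concrete, here is an added example of what a verifier following these rules looks like in code. It is my own illustration, not code from the article or from NIST. It assumes a cap of exactly 64 characters (NIST only requires that the cap be at least 64), a constructed five-entry blocklist standing in for the 100,000-entry list the article mentions, and NFKC Unicode normalization before the length and blocklist checks so that visually identical inputs compare equal. A legacy composition rule is included purely for contrast, to show how a password such as “P@ssw0rd1” satisfies the old rules while failing the new ones, and how a spaced passphrase does the reverse.

```python
import unicodedata
from dataclasses import dataclass

# Constructed sample blocklist. A real deployment would load the
# 100,000-plus known-bad passwords the article mentions (breach corpora,
# dictionary words, the organization's own name and product names).
# Entries are stored casefolded so the lookup is case-insensitive.
SAMPLE_BLOCKLIST = frozenset({
    "changeme",
    "this is a password",
    "yankees",
    "password",
    "p@ssw0rd1",
})

MIN_LENGTH = 8    # NIST minimum for user-chosen passwords
MAX_LENGTH = 64   # NIST requires the cap to be *at least* 64; exactly 64 is assumed here


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def normalize(secret: str) -> str:
    """Apply NFKC normalization so visually identical inputs compare equal
    and hash identically (SP 800-63B recommends NFKC or NFKD)."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, blocklist: frozenset = SAMPLE_BLOCKLIST) -> Verdict:
    """NIST-style acceptance check: length bounds, a blocklist, and
    deliberately no composition rules. Spaces and Unicode are accepted
    as-is; nothing is stripped or rejected for being 'unusual'."""
    normalized = normalize(candidate)
    length = len(normalized)  # count code points, never bytes
    if length < MIN_LENGTH:
        return Verdict(False, f"too short: {length} < {MIN_LENGTH}")
    if length > MAX_LENGTH:
        return Verdict(False, f"too long: {length} > {MAX_LENGTH}")
    if normalized.casefold() in blocklist:
        return Verdict(False, "blocked: matches a known-bad password")
    return Verdict(True, "accepted")


def legacy_composition_check(candidate: str) -> bool:
    """The rule NIST now says to drop: one upper, one lower, one digit,
    one symbol. Shown only to contrast with check_password()."""
    return (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() and not c.isspace() for c in candidate))


if __name__ == "__main__":
    # Constructed sample inputs covering each branch of the check.
    samples = [
        "correct horse battery staple",  # passphrase with spaces: accepted
        "P@ssw0rd1",                     # passes legacy rules, but blocked
        "ChangeMe",                      # 8 chars, but on the blocklist
        "パスワードを忘れた",              # Unicode, 9 code points: accepted
        "a" * 65,                        # over the assumed 64-character cap
    ]
    for s in samples:
        v = check_password(s)
        print(f"{s[:30]!r:34} legacy={legacy_composition_check(s)!s:5} "
              f"nist={v.ok!s:5} {v.reason}")
```

The design point is that every rejection comes from length or the blocklist, never from the shape of the password; the blocklist does the work that composition rules used to pretend to do. Measuring length in code points after normalization is what lets the “accept all Unicode” rule and the 64-character cap coexist without a byte-length check quietly shortening non-ASCII passwords.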

These are big changes for the password management policies an organization sets. The NIST guidelines are somewhat of a surprising turn for the industry and leave us a good bit to meditate on. But there’s nothing here that hasn’t already been discussed before. In fact, I’ve spoken on these subjects multiple times.

Let us start with some surprisingly easy steps that you can take to better protect yourself from a password breach. First, don’t use default passwords that come with devices, like routers. Always change the default username and password on anything you buy. Easy enough advice, but, amazingly, many people do not bother to come up with their own passwords and they simply let it ride. In addition, as I have said before, and as NIST recommends, you need to avoid words found in the dictionary and anything associated with you as an individual like maiden names, birth dates, children’s names, etc. Passwords should not be written down, of course. No Post-it notes with passwords written on them for the world to see.

Solutions including two-factor authentication can protect user accounts, securing the primary login using a pass card or biometrics. Users log in by presenting a pass card/biometric offering to an electronic reader and entering a PIN code rather than the standard username and password. Combining a pass card/biometrics and a PIN code ensures a much stronger authentication, minimizing the possibility of a network breach.

Another way to simplify the process is single sign-on integrated with two-factor authentication, proximity-based devices and RFID readers. One login credential means employees need only remember one login. The fewer passwords that need to be remembered, the more secure an organization.

With the NIST recommendations and the points I’ve suggested here, you may be able to achieve the desired effect – better use of passwords that actually help protect your information and your organization. Maybe, too, in so doing we might be able to drain a few passwords from the pool.

via Technology & Innovation Articles on Business 2 Community

