You may have heard this year that the password rules have changed. It is true: NIST, the National Institute of Standards and Technology (part of the US Department of Commerce), has revised its password guidelines in response to users' lazy and bad password practices. Over the roughly 15 years the old NIST guidelines were in effect, most users either could not come up with a complex password they could remember (and so wrote passwords down or stored them insecurely) or simply used common words with character substitutions (M0nkey1!) that basic password-cracking software recovers with rule-based guessing. More often than not, users who were forced to change these passwords regularly did so in predictable ways (M0nkey2!) and, worse, used the same password for all their accounts.
The new NIST guidelines (SP 800-63B) favor length over forced complexity, which makes passphrases, an idea that has also been around for more than 15 years, the practical choice; a passphrase is only more secure, however, to the extent that it is long and unpredictable. If users again turn to common names (e.g., Mickey Mouse), titles (e.g., Hunger Games), sayings (e.g., You Only Live Once), etc., their new passphrases will be as easy to crack as their old passwords, because crackers try those phrases too. Likewise, the new guidance not to force routine password changes is meant to stop users from creating a "new" passphrase by changing a single letter or number; a change should happen when there is evidence of compromise. The guidelines also tell verifiers to reject passwords that appear on lists of commonly used or previously breached values, but there is no new advice on how to keep users from using the same passphrase for all their accounts.
Whether passwords or passphrases are used, one thing that has not changed is risk. Users should assess the risk of their data being compromised and choose passwords or passphrases strong enough to protect that data. The risk that their data (bank accounts, credit cards, payroll information, investments, etc.) could be compromised increases with each bad password or passphrase decision.
In general, don’t:
- Use single common words, even with letters replaced by numbers or symbols (M0nkey1!)
- Use (famous) names, titles, sayings, etc.
- Use phrases that people commonly associate with you or can be determined by looking through your files
- Reuse passwords
- Share passwords or write them down
In general, do:
- Include real randomness (words or characters chosen by dice or a generator), not just the appearance of randomness; a password that merely looks random to you is still predictable to a cracker
- Use a password keeper (password manager), so that every account can have a different, randomly generated password
- When changing passwords, make the change significant (not M0nkey1! to M0nkey2!)
- Change passwords according to risk. NIST recommends changing a password only when there is evidence it has been compromised, but for a high-value account such as your bank that may be too late. After all, most breaches go undetected for months!
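The two lists above amount to a checklist that a verifier or a password manager can apply mechanically. The following Python is an added example, not code from the original post or from NIST: it reduces a candidate password to the "core" a rule-based cracker would find (undoing M0nkey1!-style substitutions and stripping trailing digits and punctuation) and checks that core against a blocklist, flags a "new" password that is only a trivial edit of the old one, and generates a passphrase from a cryptographic random source together with an entropy estimate. The blocklist and wordlist are constructed stand-ins; a real deployment would load a breach corpus and a full diceware list (the EFF long list has 7776 words).

```python
import math
import secrets
import string

# Constructed stand-in for a real list of common / breached passwords (the kind
# of list NIST SP 800-63B says a verifier should check new passwords against).
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "monkey", "mickeymouse",
    "hungergames", "yolo", "youonlyliveonce", "iloveyou",
}

# Constructed stand-in for a diceware-style wordlist (32 words = 5 bits each).
WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "copper", "desert",
    "forest", "glacier", "hollow", "marble",
]

# Substitutions crackers undo automatically, so they add no real strength.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary core a cracking rule would find:
    lowercase, drop trailing digits/punctuation/spaces, undo leet
    substitutions, keep only letters and digits.
    'M0nkey1!' and 'M0nkey2!' both become 'monkey'."""
    core = password.lower().rstrip(string.digits + string.punctuation + " ")
    core = core.translate(LEET_MAP)
    return "".join(ch for ch in core if ch.isalnum())


def is_weak(password: str) -> bool:
    """True if the password is shorter than NIST's 8-character minimum or
    its core is a common word / name / phrase from the blocklist."""
    if len(password) < 8:
        return True
    return (password.lower() in COMMON_PASSWORDS
            or normalize(password) in COMMON_PASSWORDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character 'rotations'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str) -> bool:
    """True if the new password is the old one with a minor tweak
    (same core, or within two edits): not a significant change."""
    return (normalize(old) == normalize(new)
            or edit_distance(old.lower(), new.lower()) <= 2)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly at random from the list."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 6, wordlist=WORDLIST) -> str:
    """Random passphrase from a CSPRNG (secrets), not from memory or habit."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["M0nkey1!", "Mickey Mouse", "P@$$w0rd", "hunger games 2012"]:
        print(f"{pw!r:22} weak={is_weak(pw)}  core={normalize(pw)!r}")
    print("M0nkey1! -> M0nkey2! trivial:", is_trivial_change("M0nkey1!", "M0nkey2!"))
    phrase = generate_passphrase()
    print(f"{phrase!r}: {passphrase_entropy_bits(6, len(WORDLIST)):.0f} bits with this"
          f" toy list, {passphrase_entropy_bits(6, 7776):.1f} bits with a 7776-word list")
```

The normalization step is the important part: the blocklist is only useful if it is matched against what a cracker's rules would try, not against the literal string the user typed. The entropy figure shows why the wordlist size matters; six words from a 32-word toy list give only 30 bits, while six words from a full 7776-word list give about 77.5 bits.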
Needless to say, if your password is found on the list…