Passwords are the worst. You typically have to create a password that has a billion random characters chock full of upper and lowercase, numbers and symbols. Sometimes the service you are creating a password for doesn’t let you use specific characters, or you can’t have a password longer than 20 or shorter than 8. And let’s not forget the fact that to truly be secure, you need to have a different password for every service, app, and website you log into.
What if I were to tell you that the person who created those requirements 14 years ago has recently said that the advice was based upon insufficient research and should be ignored? I think I heard about a thousand people jump up from their desks and shout for joy. This doesn’t give you free rein to go back to using “password” as your password, but the new recommendations are a bit easier to swallow.
NIST, the National Institute of Standards and Technology, released new guidelines last year that claim length is the most important part of the password equation. So, a password like “mypasswordissuperstrongnowbecauseifollowNIST” is better than “P@ssw0rd.” The organization found that, in order to keep their passwords memorable, users were typically making the same predictable substitutions (like @ for the A in the word password), which left the result just as easy to guess as the word password itself.
With these new passphrases you can come up with a sentence that makes perfect sense to you, and more importantly, is incredibly easy to type. For security, it is still recommended to use a different password for each service you log into. The main reason for this is that if someone is able to get one of your passwords, through hacking or phishing, they will suddenly have access to all of your accounts that use the same username and password combination.
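To make the point above concrete, here is an added example (not code from the original post or from NIST) of the kind of check a service can run on a newly chosen password: enforce a minimum length, accept long passphrases, and compare the password against a list of common passwords after undoing the predictable substitutions users make to satisfy complexity rules. The list of common passwords and the substitution table are constructed for illustration; a real deployment would use a large breached-password corpus.

```python
import re
from typing import Tuple

# Constructed stand-in for a breach-corpus / common-password list.
# In practice this would be a large list (millions of entries), not a handful.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "monkey", "dragon",
}

# Predictable "leet" substitutions people use to satisfy complexity rules.
# Because they are predictable, the checker undoes them before comparing.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen secrets; no upper cap
                # is enforced here so long passphrases are always accepted.


def normalize(password: str) -> str:
    """Reduce a password to its 'base word' for denylist comparison.

    Lowercase it, strip any trailing digits/symbols ("Welcome123!" -> "welcome"),
    then undo common character substitutions ("p@ssw0rd" -> "password").
    Stripping happens before substitution so a trailing "1" is treated as a
    suffix rather than being turned into an "i".
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Length first, then denylist, then trivial patterns."""
    if len(password) < MIN_LENGTH:
        return (False, f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) == 1:
        return (False, "a single repeated character")
    if normalize(password) in COMMON_PASSWORDS:
        return (False, "matches a common password after undoing predictable substitutions")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs, including the two from the post.
    for candidate in ("P@ssw0rd", "Welcome123!", "short1",
                      "mypasswordissuperstrongnowbecauseifollowNIST"):
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The interesting case is “P@ssw0rd”: it satisfies every classic complexity rule (upper, lower, digit, symbol, eight characters) yet is rejected, because once the substitutions are undone it is simply “password”. The long passphrase contains no symbols or digits at all and is accepted on length alone.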
Password managers like LastPass are still highly recommended, as they make keeping track of all of your different passwords very easy to accomplish. Instead of having to remember a plethora of passwords, you only need to remember one big one. It would be a good idea to add two-factor authentication (2FA) to most of your accounts as well to help prevent unwanted access.
If you do have shorter, completely randomly generated passwords, there is no need to go through and change all of your passwords to meet the new recommendations. However, if you are still using the same old “P@ssw0rd” you were given when you started working at your company, it might be time for a change. In fact, you are probably overdue for one.
Whatever you set your new password to, please don’t write it on a post-it note and put it on your monitor, under your keyboard, or somewhere else that anyone could easily access. We can’t tell you how many times we see this at businesses. There are companies out there paying cleaning staff to gather usernames and passwords. With a valid username and password, an attacker doesn’t need to hack their way into your business network; you have just left the door to your business wide open in the middle of the night.
BRITECITY offers local businesses support in areas like Cyber Security, Cloud Services, Strategic IT, and Managed IT Services in Orange County.