Most IT users are familiar with the typical widespread password protocol, but in a new age of technologically advanced and aggressive hackers, it has become necessary to reevaluate what will make your company’s network the most secure. The advice summarized in this post comes from the government organization that first proposed the former password guidelines, so your small business should pay careful attention to these new recommendations.
Typical Password Protocol Since 2003
In 2003, Bill Burr of the National Institute of Standards and Technology (NIST) wrote an 8-page publication that gave recommendations for creating safe passwords. This advice emphasized the use of a mixed password that should include random combinations of different case letters, special characters, and numbers. The report also recommended changing passwords every 90 days to make things even more difficult for hackers.
These recommendations made sense at the time, as most experts believed that cyber-criminals were becoming too adept at determining the usual passwords of family and pet names and birthdays. As a result of this seminal report, federal agencies, universities, private and public institutions, and a range of businesses of all sizes, adopted some version of this password protocol, which is still in widespread use today.
Weaknesses of the Typical Password Protocol
This typical password protocol has had varying degrees of success against hackers over the last 15 years, but it has also been a constant source of frustration for IT users. Trying to remember strange combinations and cases of letters, special characters, and numbers has definitely put a strain on users’ memories, especially because of the sheer number of passwords most people have for their various devices, programs, and online accounts. Experts refer to this heavy mental imposition on users as a “memory burden.” The further recommendation to change passwords every 90 days has added even more effort and inconvenience for IT users.
Unfortunately, the constant advance of computing technology has also aided cybercriminals in their unending efforts to breach networks and devices. With ever more powerful cracking programs that try countless combinations of letters, numbers, and special characters, skilled hackers are now able to crack a random password within three days.
Cybercriminals’ efforts have also been made easier by the widespread use of password “hints” that remind users of their passwords, as well as by Knowledge-based Authentication (KBA) questions, e.g., “What is the name of your first school?”
In addition, the recommendation for users to change their passwords every 90 days has actually helped hackers crack passwords. The reason for this is that when IT users are forced to change their passwords so often, they naturally tend to only change them slightly—often just by one letter or digit. Because of these frequent changes, hackers have had an easier time using their algorithms to determine predictable password patterns.
Current Password Recommendation: Think Passphrase not Password
None other than Bill Burr (now retired) himself lamented in a recent interview with the Wall Street Journal, “Much of what I did I now regret.” The current recommendations from his successors at NIST are strikingly simple but effective: Come up with an easy-to-remember and easy-to-type phrase combination of four random words and put them together without any spaces. In essence, it’s time to start using “passphrases” as opposed to passwords. They recommend keeping the passphrases simple, fairly long, and memorable. The current lead for these new guidelines at NIST, Paul Grassi, summed up what IT users should strive for in their new passphrases saying, “If you can picture it in your head, and no one else could, that’s a good password.” Experts explain that while the cybercriminals’ powerful programs can crack the typical alphanumeric password within three days, a random four-word combination would take them about 550 years to determine.
Another recommendation from NIST that will please IT users is that there is no reason to update these strong passphrases after 90 days, or on any other schedule in the near future. A strong passphrase stays strong over time. The only exception to this no-change rule is in the event that there is a data breach in some part of the network.
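To make the contrast concrete, here is an added example (not code from the original post or from NIST) of a password-policy checker in Python. It puts the 2003-style composition rule beside a NIST-style rule that favors length over character classes and screens submissions against a blocklist, adds a check that catches the “change one digit” pattern described above for the case where a change really is required after a breach, and generates a four-word passphrase without spaces. The common-password list and the word list are constructed samples; a real deployment would screen against a large breached-password corpus and draw words from a list of thousands of entries.

```python
import re
import secrets
from difflib import SequenceMatcher

# Constructed sample of commonly guessed passwords (a real deployment screens
# against a large breached-password corpus, as the NIST guidance recommends).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Constructed sample word list for passphrase generation; a real list has
# thousands of entries so that four random words carry enough entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "glacier", "pencil",
                "orbit", "lantern", "velvet", "mosaic", "thunder", "harbor"]

# Undo the usual letter-for-symbol substitutions so "P@$$w0rd" is still caught.
_LEET = str.maketrans("@$013", "asoie")


def legacy_policy_ok(pw: str) -> bool:
    """2003-style composition rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_style_ok(pw: str, context_words=()) -> tuple:
    """NIST-style rule: length bounds, no composition requirements, blocklist screening.

    Returns (accepted, reason). context_words are account-specific strings such as
    the username or company name that should not appear inside the password.
    """
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if len(pw) > 64:
        return False, "too long (maximum 64 characters)"
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on common-password list"
    if lowered.translate(_LEET) in COMMON_PASSWORDS:
        return False, "resembles a common password"
    for word in context_words:
        if word.lower() in lowered:
            return False, f"contains account-specific word {word!r}"
    return True, "ok"


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a minor edit of the old one (e.g. a bumped digit).

    Intended for the one case where a change is required (after a breach), so the
    replacement is not just a predictable increment of the compromised value.
    """
    def stem(s: str) -> str:
        # Drop trailing digits and punctuation: "Summer2023!" -> "summer"
        return re.sub(r"[\d\W_]+$", "", s).lower()

    if old.lower() == new.lower():
        return True
    if stem(old) and stem(old) == stem(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4) -> str:
    """Four random words joined without spaces, chosen with a CSPRNG."""
    return "".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correcthorsebatterystaple", "P@$$w0rd"]:
        print(candidate, legacy_policy_ok(candidate), nist_style_ok(candidate))
    print("Summer2023! -> Summer2024! trivial:", is_trivial_variant("Summer2023!", "Summer2024!"))
    print("suggested passphrase:", generate_passphrase())
```

Note that the legacy rule accepts a short, hard-to-remember string and rejects a long all-lowercase passphrase, while the NIST-style rule does the reverse; the similarity check is what prevents the “Summer2023!” to “Summer2024!” pattern from slipping through when a reset is genuinely needed.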
For mobile users, cybersecurity experts recommend that SMS (texting) should no longer be used in two-factor authentication (2FA). Texting has become more dangerous because there is now advanced malware that can redirect text messages, and hacks against entire mobile networks are occurring frequently. In addition, cybercriminals can too easily convince phone companies to transfer your mobile phone number to a new SIM card.
In summary, these new recommendations ease the memory burden and improve the overall experience for IT users while also being more effective at thwarting cybercriminals.
Before undertaking any significant changes to your network security, we always recommend consulting with a trusted IT Support partner, such as Network Depot. Your IT partner is a valuable resource that can expertly advise your company on effective password protocol as well as on your overall cybersecurity needs.