Cyber Tip of the Week: Password Protection-You’ve Been Doing it Wrong

By Drew M. Smith

Passwords are perhaps the simplest ways to protect your device. Using a code that only you should know, you can lock down your own device to prevent unauthorized users from accessing your information. But many companies use common passwords and techniques. However, conventional wisdom on password procedure protocols may have been wrong. The commonly used techniques that, while safe, in theory may be more open to being accessed from unauthorized parties.

The National Institute of Standards and Technology (NIST) has recently proposed a new list of guidelines concerning passwords. To the surprise of many these guidelines recommend eliminating certain password features that many companies have used for years. Some examples of their recommendations include:

  • Removing “Change Your Password” requirements: The NIST has determined changing your password frequently actually hurts password integrity and puts an undue burden on an IT department. This is in line with other studies that agree that changing your passwords can be more compromising. They recommend changing a user’s passwords at their request or if there is evidence of being compromised.
  • Lessening complexity requirements: The NIST recommends that companies eliminate complexity requirements other than minimum length. The addition of other characters could lead a user to make a worse password choice.
  • Password “Hints”: Thanks to social media, password hints are now a detriment. Hackers can now use social engineering to guess the password if they are given a hint.
  • Screening against other passwords: When changing a password, the NIST recommends that a company screens that password against other common and compromised passwords. This includes repetitive characters, dictionary words and contextual terms.1

This suggested change in password policy can be jarring for a lot of people. Consult with your IT department and your officers before implementing any changes to cyber security or policy. Be wary of what you use as a password as hackers can get in even through the smallest mistakes.

 

For a copy of the new report: https://pages.nist.gov/800-63-3/sp800-63b.html#sec4


1http://blog.eplaceinc.com/cyber/2017/05/23/nist-password-best-practices/

Risk Management, Cyber Tip of the Week, Insurance Articles, Privacy/Network Security, Professional Liability