You probably haven’t heard of National Institute of Standards and Technology (NIST) Special Publication 800-63, Appendix A. But you have been using its contents since your first online account and password. That’s because it is where the first password rules came from: the requirement for a combination of an uppercase letter, a lowercase letter, a number, and a special character, and the recommendation to change your password every 90 days.
There is only one problem. Bill Burr, who originally set up these policies, thinks he blew it. “Most of what I did I regret,” Burr told The Wall Street Journal a few years ago.
Why? Because most people won’t bother to make a significant change when it’s time to update the password. For example, instead of “Abcdef1?” we change it to “Abcdef1!”, then “Abcdef.”, and so on and so forth.
Because we hate these policies, we end up using completely lame passwords such as “123456” and “password” instead. Any ordinary cracking program will break those in less than a second. You might as well not use a password at all.
And, if you do it “right,” you end up with passwords that are too hard to remember. I can remember semi-random strings like xkcd936!EMC2; most people can’t.
Instead, both NIST and cartoonist Randall Munroe have a better idea: use passphrases instead of passwords. A passphrase such as “ILoveUNCbasketballin2021!” is easy to remember, and even though it contains real words, it’s pretty hard to crack.
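As an added illustration (not code from the original column), here is a password-change check that rejects the minimal-tweak rotations described above and favors length over composition rules. The minimum length, similarity threshold and blocklist are assumptions; a real deployment would load a breached-password list.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 15          # assumption: favour long passphrases over composition rules
SIMILARITY_LIMIT = 0.8   # assumption: above this ratio the "new" password is a tweak of the old
# Constructed blocklist for the example; use a real breached-password list in production.
BLOCKLIST = {"123456", "password", "qwerty"}


def normalize(pw: str) -> str:
    """Strip the trailing digits/symbols people bump on each forced rotation and ignore case."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if the new password is the old one with its suffix bumped or a character or two changed."""
    if normalize(old) == normalize(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= SIMILARITY_LIMIT


def check_new_password(old: str, new: str) -> list:
    """Return the policy problems with a proposed change; an empty list means accept."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; use a passphrase")
    if new.lower() in BLOCKLIST:
        problems.append("on the blocklist of common/breached passwords")
    if is_trivial_rotation(old, new):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    # The rotation pattern from the column: each "change" only bumps the last character.
    for old, new in [("Abcdef1?", "Abcdef1!"), ("Abcdef1!", "Abcdef."),
                     ("Abcdef1?", "ILoveUNCbasketballin2021!")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```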
However, because every service in the world today requires a password, we often use the same passwords over and over again. Easy to remember? Yes. Easy to break once any one site’s passwords are cracked? Even more so. The 2019 “Collections” data breach revealed more than 2.19 billion email addresses and associated passwords. With a new security breach happening almost weekly, it’s not a question of “if” your passwords are exposed, but “when.”
“Not you?” Ha! Do yourself a favor and check your email address with the Have I Been Pwned service, and get ready for your jaw to drop. I’m supposed to be a security expert, and my primary email account has had passwords exposed in 27 – count them, 27 – data breaches.
So, while using passphrases instead of passwords is nice, it’s not enough. I have two other recommendations for you and your employees.
First: choose a corporate standard password manager and require all your employees to use it. This gives you two advantages. First, most can automatically generate long random strings, and second, your people don’t have to remember anything but a master password; the program takes care of everything else.
Which password manager? I’m happy using Google Chrome’s built-in password manager for everything that runs through a web browser. But I know not everyone trusts Google.
In contrast to the super-easy-to-use, virtually invisible manager baked into Chrome, there’s open source KeePass. With it, you store passwords on local machines (which has its own problems for corporate security) or on a cloud service. KeePass requires competent expert administration, but if you’re already using Linux as the foundation for your IT department, your staff can probably handle it.
Finally, there’s LastPass, which I also like. This is probably the most popular password manager. That’s a mixed blessing. It has so many users because it’s simple and keeps everything in its own cloud service. That’s the good news. The bad news is that it’s so popular that it’s a frequent target for hackers.
Hackers have only broken into LastPass once, in 2015. Even then, they didn’t get customers’ passwords. Since then, LastPass has improved its internal security.
Could LastPass – or any of the others – be cracked? Of course. Security is not a product; it’s an eternal struggle. But any password manager, used correctly, will go a long way toward securing your systems.
Finally, passwords alone are not enough. You really need to adopt two-factor authentication (2FA) to protect your company. With 2FA, you are required to present two of three types of credentials to access an account. These are:
- Something you know or can be given, most commonly a one-time PIN.
- Something you have, such as a secure ID card or a security key.
- Something you are, which covers biometric factors such as a fingerprint, a retinal scan, or a voice print.
There are three main ways to do this. First, you can use a 2FA program that generates a PIN, which is then sent to you via a text message. While that’s easy to use, if someone really wants to break into your accounts, chances are they can. NIST now recommends that you not use text-based 2FA.
Next is to use a 2FA program to generate PINs. Usually, 2FA authenticator apps are both convenient and secure, and you can run them on your smartphone without the risks of SMS. Popular options include Authy, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator.
Finally, if you really want to lock down your people’s accounts and computers, use 2FA hardware. You can buy these devices for between $20 and $60. Some of the best are the Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis FIDO U2F Security Key, YubiKey 5 NFC, and YubiKey 5C. Just plug them into the computer, and your employees are ready to go.
Is this more trouble than writing passwords on a sticky note stuck to your PC? Yes, it really is. But it’s also far more secure – and between password managers and 2FA apps or devices, it’s not hard to do.
I want my company’s data to stay safely in my hands, not in Joe Hacker’s.
Copyright © 2021 IDG Communications, Inc.