An upper case letter, a lower case letter, a number and a special character but how many characters for this particular password?
Back in 2003 a man called Bill Burr wrote the bible on password security while working for the US Government. 14 years on, and many irate worker password changes later, the now retired Mr Burr has changed his opinion on password complexity.
The original idea was that this style of complexity would make passwords difficult to guess and, as humans, we have found that to be absolutely correct. The problem is that we are left guessing what our very own password is after having to conform to something that is not natural to us. This is especially true when we have to change it periodically and keep it unique across the ever-growing number of accounts we now have.
Of course we want to keep our accounts and data secure, though I don’t think locking ourselves out of our own information is the protection layer that password complexity was pitching at.
With all of the accounts we have in the modern world it is difficult to remember all of our passwords, especially as we are advised not to write them down (post-it notes on your monitor, anyone?) or re-use the same password, and it is hard to even remember which crazy concoction of requirements any given password demands. To keep you on your toes, the requirements are not all the same.
So what do we currently do to fight the demand for a password change? Usually we stick an extra number on the end, or increment the one that is already tagged on to our favourite P@ssw0rd7 or a sport like F00tba!!123.
By increasing the complexity for humans we are decreasing the very security we are supposed to be creating. So what do we do? The passwords we use are not centrally managed by the company IT team, service provider or compliance body, so we are subject to varying policies. Consider all of your work passwords as well as the service providers you use personally, such as utilities, email and shopping sites, and it is no wonder the word password brings a mental, if not an audible, groan.
Within the corporate space IT departments have more control over which password policies are in place, so there is some light at the end of the tunnel.
So what is the word on the street from the big guys now? Well, it’s more words than word. The guidelines from America’s National Institute of Standards and Technology have now been updated to advise that we use long but easy to remember passphrases. Advice that is more human friendly, that’s for sure.
A passphrase is a sequence of words that do not require the special treatment our old passwords required, not to say you can’t include them if that’s your style (or should that be $Ty13).
While many different types of password harvesting and cracking techniques can be used (check out our What is Social Engineering blog post and our Email Scams and How to Keep Safe blog post), at the time of this post it is said that a password of P@55w0rd will take 24 days to crack by brute force, while a password of JumpingUnicornsPen will take over 87 trillion years, according to random-ize.com.
As the industry evolves you will have a mix of password complexity requirements as well as all those unique passphrase combinations, which means pinning down which site uses your all-new mythical-creature-based (and what stationery they use) passphrases will be difficult.
So what can you do? Well, one option is to develop total memory recall, another option is to develop your own mental passphrase generator or you could simply use a password manager.
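To show what sits behind the brute-force times quoted above, and what a passphrase generator looks like when done properly, here is an added example (not from the original post or from random-ize.com). It assumes an attacker guess rate of 10 billion per second, a constructed toy word list, and the 7776-word size of a standard Diceware list; the years it prints will differ from the site’s figures, which use their own assumed rate. The caveat it demonstrates: the astronomical figure for JumpingUnicornsPen assumes the attacker tries every character combination, whereas an attacker guessing three dictionary words has far less work to do, which is why the number of words and the size of the word list matter more than the raw character count.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 1e10  # assumed rate for an offline attack on a fast hash

# Constructed toy word list; a real Diceware-style list has 7776 words.
WORDS = ["jumping", "unicorns", "pen", "correct", "horse", "battery", "staple", "otter"]
DICEWARE_SIZE = 7776


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes that covers the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def bruteforce_bits(password: str) -> float:
    """Bits of work if the attacker must exhaust every string of this length and charset."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of work when the attacker knows the word list and the number of words."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def generate_passphrase(word_count: int, words=WORDS, sep: str = "-") -> str:
    """Pick words with the secrets module, not random, so the phrase is unpredictable."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ("P@55w0rd", "JumpingUnicornsPen"):
        bits = bruteforce_bits(pw)
        print(f"{pw}: charset {charset_size(pw)}, {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years by character brute force")
    # Caveat: an attacker guessing word combinations instead of characters
    # faces far less work than the character model suggests.
    wb = passphrase_bits(3, DICEWARE_SIZE)
    print(f"3 words from a {DICEWARE_SIZE}-word list: {wb:.1f} bits, "
          f"{years_to_exhaust(wb):.2e} years")
    print("generated:", generate_passphrase(4))
```

With a real word list swapped in for WORDS, generate_passphrase gives you the mental passphrase generator mentioned above, only without relying on your memory to be random.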
Whatever your chosen way forward, it is important to take passwords seriously. Using default passwords is not a good idea, nor is using very simple passwords like “password”, “123456” and “letmein”.
After all, you lock your house, your car and your gym locker, and you tie your shoelaces, so keep your account and your data secure too.
Multi-Factor Authentication is now very popular and adds an additional layer of protection to your accounts. MFA essentially takes something you know – your password – and combines it with something you have, like a token. Check out our write-up on MFA to learn more.
For further information on data security and ways to keep yourself protected online, search our Media Central posts or contact the office for a chat.