It’s Getting Deep In the Password Pool: Time To Drain It

By Dean Wiech


Hello and welcome to the password pool – a time and place where we are all swimming in passwords. I think it is safe to say that we have too many passwords and login combinations that must be remembered and managed. It’s no secret that most of us, and those who work with us, are overwhelmed by trying to remember exactly how to get into our most basic systems. You know, those systems we need to do our jobs. With so much to remember, what more can we do than write the credentials down on sticky notes and scatter them about our workspace?

Most of us – the average workers – must remember seven or so password and login credential combinations, and it is likely that many of us need 12 or more. However, given the overwhelming password issues we all face, and the likelihood that passwords are far from obsolete, there must be some hacks (pardon the pun) that can be implemented to lighten the burden.

While we have long been instructed on how to create and manage passwords – change them regularly, use special characters, mix uppercase and lowercase, use 12 characters, etc. – it appears that what we have always been taught may be wrong. Shocking, but likely true. The United States National Institute of Standards and Technology (NIST) recently released new guidelines for password policies to be used across the US government, and such guidelines are often adopted by other business sectors.

So, what are some of the major differences between current best practices and what NIST says we can safely (and should) be doing now? Well, as should always be the case, the practices should favor the user. NIST recommends that we stop asking users to do things that aren’t improving security.

Also, size matters in the password pool. NIST says passwords should be a minimum of eight characters.

NIST also says the maximum allowed length should be at least 64 characters. The user who actually creates a 64-character password is either a glutton for punishment or calling the helpdesk quite often for a reset. Even stranger, NIST states that passwords must be allowed to contain all printable ASCII characters, including spaces, and should accept all Unicode characters.

Finally, organizations should maintain a list of banned passwords: ones known to be weak, common or previously compromised. NIST recommends excluding at least 100,000 of them, including “ChangeMe,” “this is a password” and “Yankees,” for example.

Now, for the NIST don’ts. NIST recommends no password composition rules. In other words, no more requirements that users include particular characters or combinations; no more passwords that must contain certain letters or symbols. NIST also recommends freedom of choice and now encourages pass phrases instead of hard-to-remember passwords or contrived substitutions, such as “Trust Know 1.”

Also, no more knowledge-based authentication, and no more expiring passwords without a reason. Passwords should only be reset if they are forgotten, if they have been phished or if the password database has been stolen.
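To make the do’s and don’ts above concrete, here is an added example (not code from the article or from NIST) of a password acceptance check that applies them: a minimum of 8 characters, a maximum of 64 (the article says “at least 64”, so picking exactly 64 is an assumption), acceptance of printable ASCII including spaces and of Unicode, comparison against a banned list, and no composition rules. The banned list is a constructed sample of a few entries standing in for the 100,000+ a real deployment would load from a file; the three named entries are the article’s examples. A legacy composition check is included only to show the contrast.

```python
"""NIST-style password acceptance check (added example, not from the article)."""
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64  # assumption: the article's "at least 64" ceiling set to exactly 64

# Constructed sample banned list. A real deployment would load 100,000+ entries
# (breach corpora, dictionary words, context-specific strings) from a file.
# "changeme", "this is a password" and "yankees" are the article's examples;
# the other entries are constructed.
BANNED_PASSWORDS = frozenset({
    "changeme", "this is a password", "yankees",
    "password", "123456", "qwerty",
})


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal
    (for example the 'fi' ligature U+FB01 becomes the two letters 'fi')."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, banned=BANNED_PASSWORDS) -> list[str]:
    """Return the list of reasons a password is rejected (empty list = accepted)."""
    pw = normalize(password)
    reasons = []

    # Length is counted in Unicode code points after normalization, so a
    # pass phrase with spaces or non-ASCII letters is measured fairly.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Accept every printable ASCII character (space included) and all Unicode,
    # but refuse control/format characters (Unicode general category C*), which
    # cannot be typed deliberately and usually indicate corrupted input.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        reasons.append("contains control or non-printing characters")

    # Banned-list comparison. Design choice (assumption): case-insensitive,
    # because "Yankees" and "yankees" are equally guessable.
    if pw.casefold() in banned:
        reasons.append("appears on the banned-password list")

    # Deliberately no composition rules: a long pass phrase of lowercase words
    # separated by spaces is accepted as-is.
    return reasons


def legacy_composition_check(password: str) -> list[str]:
    """The older style of rule the article says NIST now drops. Kept only to
    show the contrast; not something to enforce."""
    reasons = []
    if not any(c.isupper() for c in password):
        reasons.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        reasons.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        reasons.append("needs a symbol")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Yankees", "ChangeMe",
                      "Tr0ub4dor&3", "pässwörd Straße"]:
        print(f"{candidate!r}: nist={check_password(candidate)} "
              f"legacy={legacy_composition_check(candidate)}")
```

Running it shows the point of the article: the four-word pass phrase passes the NIST-style check and fails all three legacy composition rules, while the short, banned “Yankees” is rejected for two reasons regardless of its capital letter. The NFKC step matters when you accept Unicode, because otherwise two strings that look identical on screen can hash differently, and a banned-list lookup can be dodged by a lookalike code point.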

These are big changes to organizations’ password management policies. The NIST policies are somewhat …

Source: Business 2 Community
