A Fundamental Shift in Passwords

By CMD Technology Group

6 min read

Whether you are the consummate computer professional or completely computer illiterate, managing passwords can be a major task. While the typical user will be required to remember their personal passwords, the computer professional will most likely need to manage passwords to accounts that are not their own (e.g., service accounts, admin accounts, etc…). Let’s face it, we all find passwords annoying. In this day and age, we have passwords or PINs for just about everything, and managing them all can be a nightmare. Some of the tasks involved in managing passwords include:

  • Creating a secure password that meets different requirements like at least one capital letter, one lower case letter, one number, and/or one extended symbol.
  • Creating security questions for either password reset or second-factor identification.
  • Remembering multiple passwords.
  • Changing passwords, which involves creating new passwords that meet the requirements and then remembering them.

Why Do We Have to Have Passwords?

Passwords are the cheapest form of protection for our information. Protection schemes that require pass-cards or biometrics (fingerprints) cost drastically more to implement. Who do you think your bank will pass that cost onto?

Thanks to known hacks and other factors, we are required to change our passwords over and over. Traditionally, these were the recommendations for the proper and improper methods to create our passwords:

Do some or all of the following:

  • Include at least one capital letter.

  • Include at least one lower case letter.

  • Include at least one number.

  • Include at least one extended character.

  • Sometimes, the system does not recognize extended characters or numbers. For those instances, use more of the other suggestions.

  • Do not use words. Words can be cracked using a dictionary crack. This goes for foreign language words as well: if there is a dictionary crack for one language, then why not for others? Attackers have also already thought of spelling words backwards.

  • Do not use patterns or repeating characters. 123456, ABCDEF, 112233, etc… All of them are terrible ideas.

  • Do not be lazy. Password1, qwerty, letmein are not good passwords. In fact, they are considered some of the most common ones used. These are the passwords comedians make jokes about.

  • Do not use personal information. Names and the things in life that are important to you can be observed and guessed. Thanks to social media, we give away a lot of this information freely.

  • Use longer passwords. The longer the password, the harder it is to crack. Each character you add to a password makes it exponentially more challenging to crack.

  • To make a complex password easier to remember, use a passphrase. For instance, the password ‘d0N7$tnDuP’ is actually the phrase “Don’t Stand Up.” This is a 10-character password that makes no sense on its own but is easier to remember because of the phrase. No, this is not one of my passwords.

  • Use a password or phrase that has meaning to you and no one else. One that is not easily recognizable in your daily life. Don’t copy someone else’s. It may not make sense to you, and someone else knows it as well. Be as original as you can.

After Creating Passwords…Next Steps

  • Do not use the same password for everything.

  • Change your passwords after a set period of time. Annoying, but more secure. If there was a breach, you might be required to change it more frequently.

  • Be wary of how you store passwords. Some applications help store passwords. However, keep their functionality in mind. If it is only on your phone, what happens if you lose your phone? Is the application itself properly encrypted?

  • Do not keep your password storage location easily accessible to others. To this day, people can find passwords on Post-its and hidden under keyboards. Yes, I have found people’s passwords under their keyboards. In fact, I have been to locations where people post their passwords on sticky notes on their monitors for everyone to see.

NIST

The National Institute of Standards and Technology (NIST) has come up with some new guidelines for creating passwords after years of observing how well the recommendations above have served us. Who is NIST? NIST is a non-regulatory federal agency whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. More information on NIST can be found here: https://www.nist.gov/. Why should we listen to NIST? Because NIST developed the standards that all US federal agencies must follow: FIPS (Federal Information Processing Standards).

NIST’s new guidelines for passwords are published here: https://pages.nist.gov/800-63-3/sp800-63b.html. The document uses legal syntax and can be difficult to read. For instance, the document uses the term Memorized Secrets to refer to passwords and Memorized Secret Verifiers to refer to the systems that check them. Below are the current password policy recommendations, translated from the legalese where needed. Note that NIST refers to a person using a password as a subscriber.

  • Password length should be between 8 and 64 characters long. The minimum of 8 characters is there, but longer passwords (or passphrases) are preferred.

  • All ASCII characters including space should be legal. Basically, if it is a character on your QWERTY keyboard, then it should be usable.

  • All Unicode characters should be legal. See https://unicode-table.com/en/#controlcharacter for a table of these characters. Each Unicode character counts as a single character for length purposes. There are process recommendations for the acceptance of Unicode characters within NIST’s document.

  • Passwords or PINs provided to (not created by) the subscriber shall be at least six characters long and randomly generated. This covers the cases where the organization issues the password or PIN instead of letting the subscriber choose their own.

  • Password hints should not be accessible to someone who is unauthenticated. Just because you provide an e-mail address or some other easily obtainable piece of information, does not mean you should get access to password reminder questions or reset options.

  • Password strength meters should be provided as a password is being created.

  • Limits to password failure attempts should be implemented.

Password Managers

Proper password managers have the following traits:

  • Passwords should be stored in a form that is resistant to offline attacks.

  • Stored passwords need to be protected so they cannot be read back in the clear. The document refers to this as being “hashed using a suitable one-way key derivation function.”

  • The password manager can provide very strong passwords that the subscriber does not need to memorize.

  • Subscribers should be allowed to “paste” their password into the field. This is to facilitate the use of password managers. When a password manager is involved, the passwords tend to be stronger because memorization is taken out of the equation.

  • The ability to display the password should be offered. The password mask of dots and asterisks should still be in place, but a button to unhide the password being entered should be offered. This allows for the proper entry of longer and stronger passwords.
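As an added example of the storage trait described above (this is illustrative code, not code from CMD Technology Group or from the NIST document), the following stores only a salted, slow one-way key derivation of the password and verifies it with a constant-time comparison. PBKDF2-HMAC-SHA256 from Python’s standard library is used here; the iteration count and record format are assumptions of this example.

```python
"""Verifier-side storage of a memorized secret (added example, not from the article).

Only a salted, deliberately slow one-way derivation of the password is stored, so a
stolen credential table resists offline guessing. Verification recomputes the
derivation from the stored salt and compares in constant time.
"""
import hashlib
import hmac
import os
import unicodedata

# Assumption of this example: a cost that takes a noticeable fraction of a second
# per guess on commodity hardware. Tune to your own servers and re-hash on login.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
ALGORITHM = "pbkdf2-sha256"  # record label chosen for this example


def _prepare(password: str) -> bytes:
    # NFKC normalization before hashing so equivalent Unicode inputs verify identically
    # (the processing step the NIST document recommends for Unicode secrets).
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # unique per password, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, iterations, dklen=DK_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored record; reject malformed records."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        if alg != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, iterations,
                                 dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than the current policy and should be upgraded."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Password1", rec))                    # False
```

The `needs_rehash` helper is what lets a verifier raise the iteration count over time: when a subscriber logs in successfully with an old record, re-derive and store a new one.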

The Big Changes You Need to Know

The purpose of allowing all Unicode and ASCII characters is not to promote password complexity. It is to allow the subscriber to choose the password they are comfortable with. The need for complex passwords mixing numbers, letters, case, and extended characters is no longer recommended. Studies done by NIST and other organizations show that complex password policies actually result in weaker passwords with many support issues.

Frequent password changes are not recommended. For those of you tired of changing your password every 45 days, this should make you happy. Those same studies mentioned above show that frequent password changes are detrimental to the creation of strong passwords. The more you have to change a password, the more human nature is going to kick in and push you toward an easier-to-remember password.

Password screening requirements are now recommended. When allowing subscribers to change passwords, compare the new password against a list that contains values known to be commonly-used, expected, or compromised. For example:

  • Passwords obtained previously.

  • Dictionary words.

  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).

  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

When one of these conditions is triggered, the subscriber should be notified to choose a different password.
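The screening rules just listed, together with the length and character rules from the NIST section above, can be implemented as a single check run before a new password is accepted. The following is an added example written for this article, not code from CMD Technology Group or from NIST; the blocklist, the service name and the username are constructed sample values, and the leetspeak folding is an assumption about what “derivatives thereof” should catch.

```python
"""NIST SP 800-63B-style password screening (added example, not from the article).

Checks implemented: length measured in Unicode code points (8 to 64), every
printable character including space allowed, a blocklist of commonly used or
previously breached values, repetitive or sequential runs, and context-specific
words (service name, username and simple derivatives). A real deployment would
load a large breach corpus instead of the constructed BLOCKLIST below.
"""
import re
import unicodedata

# Constructed sample blocklist for the example.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "123456", "iloveyou"}

MIN_LEN, MAX_LEN = 8, 64

# Assumed leetspeak folding so "P@$$w0rd" is recognised as a derivative of "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalize(password: str) -> str:
    """Apply NFKC so visually equivalent Unicode inputs are judged (and later hashed) alike."""
    return unicodedata.normalize("NFKC", password)


def has_repetition(pw: str, run: int = 4) -> bool:
    """True when any single character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True when `run` consecutive characters step by +1 or -1 in code point ('1234', 'dcba')."""
    cps = [ord(c) for c in pw]
    for i in range(len(cps) - run + 1):
        window = cps[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def context_words(service: str, username: str) -> set:
    """Context-specific tokens plus simple derivatives (lowercased and reversed)."""
    words = set()
    for word in (service, username, *re.split(r"[@._\-\s]+", service + " " + username)):
        w = word.lower()
        if len(w) >= 3:
            words.update({w, w[::-1]})
    return words


def screen(password: str, service: str, username: str) -> list:
    """Return the reasons a password must be rejected; an empty list means it is accepted."""
    pw = normalize(password)
    reasons = []
    n = len(pw)  # len() counts code points, matching the guideline's length rule
    if n < MIN_LEN:
        reasons.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} > {MAX_LEN}")
    lowered = pw.lower()
    folded = lowered.translate(LEET)
    if lowered in BLOCKLIST or folded in BLOCKLIST:
        reasons.append("on blocklist of common or breached passwords")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    for word in sorted(context_words(service, username)):
        if word in lowered or word in folded:
            reasons.append(f"contains context-specific word {word!r}")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "P@$$w0rd", "alice1234", "correct horse battery staple"):
        print(repr(candidate), screen(candidate, "Example Bank", "alice") or "accepted")
```

Note that a space-separated passphrase passes every check, while a short, “complex” password built from substitutions is still caught: this is the shift the article describes, from mandated character classes to screening against what attackers actually try.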

If you have a question about any of our solutions or any feedback you’d like to share, contact us. We would love to hear from you!

Get in touch

You can email us at afernandez@cmdtg.com

Give us a call at 1-800-806-4173
