JOHN CAVANAUGH | Vice President – Office of the CTO
Over time, simple passwords proved easy to guess through social engineering. As a result, the industry moved to recommend complex passwords and frequent rotations for passwords to improve security. However, human nature dictates that most people use common passwords across multiple systems. Complex passwords are often difficult for us to remember, but studies have shown that they are surprisingly easy for hackers to guess.
To fight this issue, the U.S. National Institute of Standards and Technology (NIST) upgraded its recommendations in 2017 to use a grouping of random words in conjunction with Multi-Factor Authentication (MFA). This technique has been proven to create passwords difficult for computers to guess, which can be very secure when used with MFA.
Unfortunately, many firms (and individuals) are still using outdated guidelines that require passwords with upper- and lower-case characters, numbers, and special symbols—the very practice that led to password re-use, making such passwords easy targets for cyber-attacks.
So, what is World Password Day?
World Password Day was established in 2013, originating from an Intel Corporation initiative to raise awareness about the role passwords play in safeguarding our digital lives. Some users seldom change passwords, so it was also intended as a reminder to change them (at least annually). Now, the day is observed every year on the first Thursday of May.
Some Facts:
Please consider the following:
- 44% of individuals are concerned about protecting their login credentials.
- On average, individuals reuse passwords on 10 of their accounts.
- 7 in 10 users use MFA as part of their login procedures.
- Over 80% of confirmed breaches are related to stolen, weak, or reused passwords.
- Modern hacking tools can crack 96% of the most common passwords in under 1 second!
What should be done for computers and other personal devices?
A typical iPhone or Android device can be set up to use biometrics (such as facial recognition or fingerprints). Several applications support MFA on mobile devices while avoiding the pitfalls of SMS codes (phone numbers can be cloned or stolen). These include Microsoft Authenticator, Cisco Duo, Google Authenticator, and Okta. This technology provides a significant step toward better security.
As BlueAlly started its journey, we emphasized longer passwords with MFA and de-emphasized password complexity and rotation. Today, this type of technology front-ends all our application access.
The result is that user access to an application is validated with biometric signatures on an enrolled device.
Now, about those longer passwords.
Before the NIST recommendations in 2017, our policy (like everyone else’s) was to randomly mix upper- and lowercase letters with special symbols and numbers. We also had specific rotation requirements.
After the recommendations, we used long passwords with MFA. This eliminated significant overhead with rotations and improved security. So, how long should they be? NIST recommends using a passphrase of at least eight characters and up to 64 characters (longer is better).
Enterprise users can combine this password recommendation with a single sign-on (SSO) system to minimize the number of passwords of this length they must create and remember.
What about Personal Accounts?
SSO systems are standard across most enterprises but do not exist for personal accounts. This is where password managers come into play. Password management systems such as 1Password and LastPass simplify the process of maintaining unique passwords across various applications and websites.
Our Recommendations for Users
So, given this background, we recommend:
- Create a unique “passphrase.” Use a minimum of 12 characters.
- Update passwords annually.
- Use a professional password management system.
- Implement MFA.
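The passphrase guidance above (random words, 12 characters minimum, up to 64, with MFA) can be put into numbers. The following is an added example, not code from the original post or from BlueAlly; it generates a passphrase from a small constructed word list using the `secrets` module, estimates how hard it is to guess, and checks it against the length bounds stated above. The word list and the `words_needed` target of 64 bits are assumptions for illustration; a real deployment would draw from a published list of several thousand words.

```python
import math
import secrets

# Constructed sample word list (assumption for this example). A published
# list such as a 7,776-word diceware list gives ~12.9 bits per word; this
# 32-word list gives exactly 5 bits per word, which keeps the arithmetic visible.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yarrow",
    "zephyr", "bridge", "copper", "desert", "forest", "glacier", "hammer", "pillow",
]

MIN_LENGTH = 12   # the recommendation given above
MAX_LENGTH = 64   # the upper bound NIST says systems should accept


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Guessing entropy of num_words drawn uniformly (with replacement) from a list."""
    return num_words * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random character password, for comparison only.
    Human-chosen 'complex' passwords are far below this figure."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int, words=SAMPLE_WORDS, separator: str = "-") -> str:
    """Build a passphrase from random words. secrets.choice is used instead of
    random.choice because the random module is not suitable for credentials."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


def check_length(passphrase: str) -> list:
    """Return a list of problems against the length bounds above (empty when OK)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print("passphrase:", phrase)
    print("problems:", check_length(phrase) or "none")
    print("sample-list entropy (5 words):",
          passphrase_entropy_bits(5, len(SAMPLE_WORDS)), "bits")
    # Same calculation for a 7,776-word list (assumed size of a diceware list)
    print("4 words from 7,776:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("8 random printable chars:", round(random_string_entropy_bits(8, 94), 1), "bits")
    print("words from 7,776 needed for 64 bits:", words_needed(64, 7776))
```

The comparison is the point: four words from a 7,776-word list are in the same range as eight truly random printable characters, and a fifth word passes 64 bits, yet the word form is the one people can actually remember without reusing it. Length checking is deliberately separate from generation so the same check can be applied to a passphrase a user typed in.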
At BlueAlly, we use a professional password manager, SSO, and MFA. We recommend that our employees use the password management system to protect their personal accounts, and our subscription supports the use of the system for employees and their families.
Conclusion
BlueAlly consultants have a long history of working with clients in regulated industries such as utilities, healthcare, and the financial sector. We can work with your teams to identify and mitigate your firm’s risks cost-effectively and comprehensively.
To learn more, contact us about the assessments we can perform to address any concerns, improve your Identity Management systems, and enhance your overall security.