Passwords – Can't live without them! 2020 Edition
Clifford Clarke, PMP, CISM, CGEIT, CRISC
I wrote the article below in 2009. The start of a new year is a good time to review and change our passwords. The article is basically the same with a few updates. Notably, the National Institute of Standards and Technology (NIST) has since shifted its guidance toward length over complexity and now recommends that systems accept long passphrases. For a more formal treatment of identity management, see NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (June 2017).
It seems that we need a new password every day. Whether it is a new application at work or simply the price we pay to work and play on the web, everyone wants you to create a password. How are we going to remember all this information?
As a Certified Information Security Manager, IT advisor, and former CIO, I hear the complaints all too often. "We have too many passwords!" "I cannot remember another password!" "The password changes too often!" "The password is too complex!" The problem is that password pressure leads to undesired behavior by users. Information technology security professionals know that you have written that password down somewhere. Worse yet, it is probably easy to find, like on your desk calendar or on that sticky note on the side of your monitor. This simply defeats the purpose of a password.
You already know that passwords are important, so I will not bore you with why they are. Below are some tips to help you manage your password portfolio.
The more complex your password the better, but how do you develop and remember a complex password? Use a passphrase or saying, then modify it so it is not obvious. Say you feel that names will help you remember a password. Then use components of a name, together with a date, to build it. As an example, you have a child, Jonathan, born April 10, 1999, which becomes JonAp10((. Notice this password has the major components of a good password, which are:
- Length – it has more than 8 characters. The current recommendation is 15 characters or more, so a scheme like this should be stretched with another word or two to reach that length.
- Combinations – it contains special characters, numbers, capitals, and lower-case letters.
- Not a dictionary word – it is not a real word, so it will not fall to a simple word-list attack.
Note that the "((" represents the year Jonathan was born, 1999, typed with the shift key depressed. The same trick can be applied to a different component each time an application forces a periodic change of the password, which keeps the new password memorable. It can be done with any memorable phrase: "One Thousand and One Arabian Nights" becomes !00!AraNig. One caveat: substitutions like these are predictable. Password-cracking tools apply shift-key and leet-speak rules automatically, and anyone who knows your family can guess a name-and-birthday pattern, so the scheme buys memorability more than it buys strength. Length is what makes it hold up.
So many sites want a user ID and password to access their information. Try developing a password based on the site you visit. Say you shop at one of those online stores, www.DealsBest.com. You could develop a password around the site name and some other information, like your middle name and an important date. The password becomes Dar@Dea69, where the schema is the first three letters of the name Darren, the "at" sign as a reminder that it is a web store, the first three characters of the web address, and the year you were born. You get the picture. Any schema is fine as long as it works for you. This is especially helpful for sites that are rarely visited. Be aware, though, that if one such password is exposed in a breach the schema is easy to read off it and reuse against your other sites, so reserve it for the low-value accounts described below.
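To make the trade-off above concrete, here is an added example (not code from the original article) that checks a password against the three properties listed above and compares how much an attacker has to search under two assumptions: knowing only the character classes used, versus knowing the name-and-date scheme itself. The US keyboard shift map, the 15-character minimum, and the 7,776-word passphrase list size are assumptions made for the example.

```python
import math
import string

# Assumption: US keyboard layout, where shift+9 gives "(" as in the article's
# "99" -> "((" example.
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def shift_digits(digits: str) -> str:
    """Apply the 'shift key depressed' trick to a string of digits."""
    return digits.translate(SHIFTED_DIGITS)


def check_rules(password: str, min_length: int = 15,
                dictionary=frozenset()) -> dict:
    """Evaluate the article's three properties: length, mixed character
    classes, and not being a plain dictionary word."""
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return {
        "long_enough": len(password) >= min_length,
        "mixed": sum(classes) >= 3,
        "not_a_word": password.lower() not in dictionary,
    }


def blind_bits(password: str) -> float:
    """Search space (in bits) for an attacker who knows only which character
    classes appear and brute-forces every string of that length over them."""
    pools = [(string.ascii_uppercase, 26), (string.ascii_lowercase, 26),
             (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in pools if any(c in chars for c in password))
    return len(password) * math.log2(size) if size else 0.0


def date_scheme_bits(name_candidates: int = 1) -> float:
    """Search space for an attacker who knows the JonAp10(( scheme:
    a name prefix (name_candidates guesses) x 12 months x 31 days x 100
    two-digit years, with the shift-key substitution applied for free."""
    return math.log2(name_candidates * 12 * 31 * 100)


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Search space for a passphrase of words drawn uniformly at random from a
    list of wordlist_size entries (7,776 is the size of a diceware-style list)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = "Jon" + "Ap" + "10" + shift_digits("99")
    print(pw, check_rules(pw))
    print(f"blind brute force: {blind_bits(pw):.1f} bits")
    print(f"scheme known, 1000 candidate names: "
          f"{date_scheme_bits(1000):.1f} bits")
    print(f"4 random words: {passphrase_bits(4):.1f} bits")
```

Run on the article's own example, the blind estimate is about 59 bits, but an attacker who knows the pattern and tries a thousand candidate first names needs only about 25 bits of effort, less than a 4-word random passphrase at roughly 52 bits. That is the reason to favor length over clever substitutions.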
Let's face it, some of us feel better if important information is captured somewhere other than our brain. The tip here is to be smart about where you place your password.
| Place | Bad, Better, Best | Why? |
|---|---|---|
| Word file on a network drive at work | Bad | |
| Word file on a home computer | Bad | 1, 3, and 5 above. Generally not backed up. |
| PDA | Better | 1 and 3 above. So portable that the risk of loss increases. |
Best – if you must, consider creating an encrypted, password-protected file on a PDA or flash drive that you keep with you at all times, backed up to a separate device stored in a locked location such as a fireproof safe. Obviously this step is for seriously important information. Mitigating the risks above is the real takeaway. All the rules for password development discussed above apply to the password that protects that file as well.
Since information has varying levels of importance, you could take a multi-tier approach to passwords. Security professionals may not agree, but if a site is of low importance, does not hold personal or private identification information, and its registration can easily be re-created, then you could use a common password for all those research and giveaway sites, thereby reducing the number of passwords you have to remember. The risk you accept is that a breach of any one of those sites exposes the shared password for all of them, so never share it with anything that matters. You must keep a different password for each of your financial transaction sites, like banking, shopping, and investments, and for your email account, since email is what most sites use to reset every other password.
Deception is a key element in the field of security. You may recall the hacking of Governor Palin's email account. The attacker used publicly available, accurate personal information to answer the account's reset questions and take it over. Here is an opportunity to bend the rules. If the answer will not be cross-checked against a record, you should feel at liberty to embellish a bit. Say a site requests your mother's maiden name; bend the rules by using a code word in place of the real name. It is too easy to find birth records on the web. This can be done with any challenge question: treat the answer as one more password, make it something that is on record nowhere, and keep it with your other passwords.
All passwords are important. I hope these tools will help you better secure your information in a manner that does not drive you crazy or make you slide backward to less secure methods of tracking this information.
Security is a game of cat and mouse. An individual bent on getting to your information will stop at nothing to do so. For the average Joe, this is not the case. The theft is merely a crime of opportunity and convenience. A strong password reduces the convenience. If you have a tip that does not show up on the list, email me for inclusion in the next publication.
New for 2020 and Beyond
Many internet sites and applications allow users to reset their own passwords, called password self-service in the industry. This is the "forgot your password" link. The feature is helpful for infrequently visited sites, but it also means the reset path (your email account and your challenge questions) is only as strong as the weakest answer behind it. Two tools have gained wide usage: multifactor authentication and cloud-based password consolidation. Multifactor authentication, where more than one method is used to prove one's identity, should be leveraged wherever possible. Aside from your password, the user may receive a text message with a PIN or a phone call. Note that NIST 800-63B classes codes delivered by text message or voice call as a restricted authenticator because of the risk of phone-number takeover, so prefer an authenticator app or a hardware security key when a site offers one. Cloud-based password consolidation tools, better known as password managers, can keep and generate passwords for the user, thereby reducing the number of passwords the user must remember to one.
NIST is promoting longer passwords and the acceptance of more characters, including the space key. Specifically, 800-63B asks verifiers to accept secrets of at least 8 characters and allow at least 64, to accept all printing characters including spaces and Unicode, to drop composition rules that demand a mix of character types, to stop forcing periodic changes unless there is evidence of compromise, and instead to screen new passwords against lists of commonly used or previously breached passwords. It is clear that passwords will continue to evolve, but the need to secure data will continue.
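The following is an added example, not code from the original article or from NIST, of what the shift in guidance looks like on the verifier side, together with how a password manager or a user can generate a random passphrase and random challenge-question answers. The word list and blocklist are constructed for the demonstration (a real deployment would use a published word list and a breached-password corpus), and the 64-character maximum is a policy choice made here, the smallest 800-63B permits.

```python
import secrets
import string
import unicodedata

# Constructed mini word list for the demonstration only.
WORDLIST = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "glacier",
            "harbor", "ivory", "juniper", "kestrel", "lantern", "marble",
            "nectar", "orbit", "pepper", "quartz", "ripple", "saddle", "timber"]

# Constructed stand-in for a list of breached or commonly used passwords.
BLOCKLIST = {"password", "password1", "password1!", "123456", "qwerty",
             "letmein", "welcome1"}


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Random passphrase using the secrets module (a CSPRNG, unlike random).
    Spaces are used as separators because 800-63B says verifiers should
    accept them."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_answer(length: int = 20) -> str:
    """Random answer for a challenge question, to be stored in a password
    manager rather than remembered."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def legacy_accept(secret: str) -> bool:
    """The old composition-rule policy: 8+ characters and at least three of
    four character classes. Shown here as the weak setting to compare."""
    classes = (
        any(c in string.ascii_uppercase for c in secret),
        any(c in string.ascii_lowercase for c in secret),
        any(c in string.digits for c in secret),
        any(c in string.punctuation for c in secret),
    )
    return len(secret) >= 8 and sum(classes) >= 3


def nist_accept(secret: str, username: str = "", blocklist=BLOCKLIST,
                min_len: int = 8, max_len: int = 64):
    """Acceptance check in the spirit of SP 800-63B section 5.1.1.2:
    length bounds, Unicode normalization, a blocklist of compromised or
    common passwords, and a context-specific check for the username.
    No composition rules and no expiry date are imposed."""
    normalized = unicodedata.normalize("NFKC", secret)
    if len(normalized) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(normalized) > max_len:
        return False, f"longer than the {max_len}-character maximum allowed here"
    if normalized.lower() in blocklist:
        return False, "appears on the list of compromised or common passwords"
    if username and username.lower() in normalized.lower():
        return False, "contains the username"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple",
                      generate_passphrase()):
        print(f"{candidate!r}: legacy={legacy_accept(candidate)} "
              f"nist={nist_accept(candidate)}")
    print("challenge answer:", random_answer())
```

The contrast is the point: the legacy policy accepts "Password1!", which is on every cracking list, while rejecting a 28-character lower-case passphrase; the 800-63B-style check does the reverse.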
NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, (June 2017), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf