I once heard a speaker say that passwords are like underwear: change them often, keep them long, don’t leave them lying on your desk, and don’t share them.
As a security professional, I have been discussing the need for stronger passwords for almost 20 years, and not much has changed during that time. Each time I make a presentation, I note that there is no silver bullet. For most of those years the standard advice, mine included, has been complex passwords that users change frequently and don’t share.
Yet weak passwords remain a top cybersecurity risk, as recent large hacks and breaches illustrate, including the Equifax breach. It was widely reported that Equifax was using “admin” as both the username and password of an employee portal in Argentina. And after the 2014 Sony hack, it was discovered that the company kept thousands of passwords to its internal computers, servers, and email and online accounts in a digital folder labeled “Password.”
So why does this keep happening, and what can your institution do to reduce the risk?
Here are three steps to stronger passwords.
1. Understand the Challenges
The National Institute of Standards and Technology (NIST) made headlines earlier this year when it issued Special Publication 800-63B, its revised Digital Identity Guidelines, which drop the long-standing advice to require password complexity and periodic password changes.
NIST noted that while the previous guidelines were intended to create more secure passwords through criteria such as complexity, several developments have undermined that approach over time:
- The number of systems individuals access via a username and password has grown tremendously. Not too many years ago, we didn’t have passwords for travel sites, online bank accounts, health records, and more — not to mention the growing number of work-related passwords. There are just too many to commit to memory.
- Users have difficulty remembering complex passwords, especially when they change frequently. As a result, many people fall back on trivial variations of common passwords (e.g., Password1!), which are exactly the candidates cracking tools try first. The most common breached passwords are published annually, and it is surprising how many versions of “123456” and “password” continue to make the list.
- Because complex passwords are hard to remember, users also store them in unsafe ways, such as in a document on their computer, on a sticky note on their desk or, even worse, in the Notes app on their unsecured cellphone.
- Password-cracking software has become faster and more sophisticated, and keyloggers, spyware and social engineering (phishing) capture the password itself, so length and complexity offer no protection against them at all. Millions of compromised passwords are also in circulation from past breaches, and attackers try those lists before anything else.
These factors make complex, expiring passwords far less effective, thus the new guidelines.
2. Understand the New Guidelines
Rather than complex passwords that expire frequently, the new NIST guidelines rely on controls around the password, a layered approach we have long advised:
- Comparing each new password against a “blacklist” and rejecting any that:
- appeared in previous breaches,
- are dictionary words,
- contain repetitive or sequential characters (e.g., “aaaaaa” or “1234abcd”), or
- are built from context-specific words such as the username or the name of the system, and their obvious derivatives.
- No forced composition rules (such as requiring digits or special characters) and no arbitrary expiration; a change should be required only when there is evidence that the password has been compromised.
- Limiting the number of failed password attempts on an account before it is locked or slowed down (NIST sets the ceiling at 100 consecutive failures), which blunts online guessing.
- Multi-factor authentication (MFA), which requires something in addition to the username and password (typically something you have, such as a phone or hardware token), often triggered when a system is accessed from an unrecognized device or location. You are likely familiar with receiving a text code that must be entered to access an account from a new computer. Note that the new guidelines treat codes sent by SMS or voice call as a “restricted” authenticator because they can be intercepted or redirected; an authenticator app or hardware token is the stronger choice where the system supports it.
With these criteria, simple passwords still cannot be used. The minimum length is still eight characters for user-chosen passwords and six for randomly generated passwords or PINs, and systems should accept much longer passwords (at least 64 characters) so that users can choose memorable passphrases. While composition rules should not be imposed, letters, digits and special characters may still be used to create a memorable password that is not a dictionary word. Screening out dictionary words and previously breached passwords removes exactly the candidates that password-cracking systems try first.
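The checks in the list above can be written down directly. The following is an added example for this article (not the author’s code, not NIST’s, and not taken from any product) of a password acceptance routine and a failed-attempt limiter modelled on the memorized-secret and throttling sections of SP 800-63B. The breached-password set, the dictionary word list, the service name and the lockout threshold used in the demo are constructed stand-ins for data a real deployment would load, such as a breached-password corpus of millions of entries. It goes a step beyond the “Password1!” point above by undoing common substitutions before the dictionary lookup, so that “P@ssw0rd2017” is caught as well.

```python
"""Password acceptance check modelled on NIST SP 800-63B (memorized secrets).

Added example for this article: not the author's code, not NIST's, not from
any product.  BREACHED, DICTIONARY and the lockout threshold used in the demo
are constructed stand-ins for data a real deployment would load.
"""
from __future__ import annotations

import re
import unicodedata

MIN_LEN_USER_CHOSEN = 8  # SP 800-63B: at least 8 characters when the user picks it
MIN_LEN_RANDOM = 6       # at least 6 when the verifier generates it (may be all digits)
# Verifiers should also accept long secrets (at least 64 characters) and never
# truncate them; this routine imposes no upper bound.

# Constructed stand-in for a corpus of passwords exposed in earlier breaches.
BREACHED = {"123456", "password", "password1!", "qwerty", "letmein", "admin"}
# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "summer"}
# Substitutions undone before the dictionary lookup: '@'->'a', '$'->'s', '0'->'o', ...
LEET = str.maketrans("@$0134", "asoiea")


def _core(pw: str) -> str:
    """Reduce 'P@ssw0rd2017!' to 'password' so the dictionary check still fires."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())  # drop bolted-on digits/symbols
    return re.sub(r"[^a-z]", "", s.translate(LEET))


def _has_repeated_run(pw: str, n: int = 4) -> bool:
    """'aaaa...': one character repeated n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def _has_sequential_run(pw: str, n: int = 4) -> bool:
    """'1234' / 'dcba': n code points each one above (or below) the previous."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        diffs = {b - a for a, b in zip(codes[i:i + n], codes[i + 1:i + n])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _context_hit(pw: str, context: tuple[str, ...]) -> bool:
    """Secret contains, or reduces to, the username / service name or their reversal."""
    low, core = pw.lower(), _core(pw)
    for token in (t.lower() for t in context if len(t) >= 3):
        if token in low or token[::-1] in low or core in (token, token[::-1]):
            return True
    return False


def evaluate(pw: str, username: str, service: str, user_chosen: bool = True) -> list[str]:
    """Return the reasons a candidate secret is rejected; an empty list means accepted.

    Deliberately no composition rules: a long all-lowercase passphrase passes.
    """
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B: normalise Unicode before comparing
    reasons: list[str] = []
    minimum = MIN_LEN_USER_CHOSEN if user_chosen else MIN_LEN_RANDOM
    if len(pw) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if pw in BREACHED or pw.lower() in BREACHED:
        reasons.append("appears in a previous breach")
    if _core(pw) in DICTIONARY:
        reasons.append("dictionary word (after undoing common substitutions)")
    if _has_repeated_run(pw) or _has_sequential_run(pw):
        reasons.append("repetitive or sequential characters")
    if _context_hit(pw, (username, service)):
        reasons.append("derived from the username or service name")
    return reasons


class AttemptLimiter:
    """Lock an account after too many consecutive failures (800-63B: at most 100).

    In-memory counters for illustration; a real verifier persists them."""

    def __init__(self, threshold: int = 100) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}

    def locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.threshold

    def record(self, account: str, success: bool) -> bool:
        """Record one login attempt; return True if the account is (now) locked."""
        if self.locked(account):
            return True  # stays locked until an out-of-band reset
        if success:
            self.failures.pop(account, None)  # a success resets the consecutive count
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.locked(account)


if __name__ == "__main__":
    for cand in ("Password1!", "P@ssw0rd2017", "1234abcd", "correct horse battery staple"):
        verdict = evaluate(cand, "jdoe", "Employee Portal")
        print(f"{cand!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    # The Equifax-style 'admin'/'admin' combination fails three checks at once.
    print(evaluate("admin", "admin", "Employee Portal"))
    limiter = AttemptLimiter(threshold=3)  # constructed demo threshold
    print([limiter.record("jdoe", False) for _ in range(3)])
```

Note what is absent: there is no check for uppercase letters, digits or symbols, so “correct horse battery staple” is accepted while “Password1!” is rejected twice over, which is the reversal of the old policy that NIST intends. The limiter counts consecutive failures per account and resets on success; in production the counters need to be persisted and the lockout paired with a reset path, or the limit itself becomes a denial-of-service lever against your users.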
3. Take a Layered Approach
It’s important to note that the new guidelines are extensive, and this is just a summary of one aspect of them. While it may seem that the new guidelines make passwords easier for end users, there is much more to the authentication process than passwords.
And regardless of new recommendations, don’t expect to see things change quickly. Most institutions use systems configured and managed by third parties, and it will take time to see industry-wide changes in response to these revised standards. Even if your institution wants to forgo complex passwords for your users, it may not be an option until your systems catch up.
In the meantime, there are several steps you can take to protect your institution from weak passwords.
- Layered security controls – Do not let a password be the only thing standing between an attacker and a high-risk system. With layered controls, if one fails, others are in place to help protect your institution, and most industry experts now treat such controls as mandatory additions to passwords for high-risk systems.
- Multi-factor authentication – Among security professionals, MFA has become the baseline layered control. It is particularly critical for cloud-based systems, which can be reached from any device through a browser: a password compromised through a dictionary attack, a keylogger or other spyware, or a glance at a sticky note can otherwise be used from just about anywhere.
- Ongoing training and communication – Make sure all network users, including faculty, staff, and students, understand the following:
- They need to use long, unique passwords; a passphrase of several unrelated words is both memorable and strong.
- They should not share passwords.
- They should not save passwords in an easily accessible location; an institution-approved password manager is the safe alternative to documents, sticky notes and phone notes.
- They should not use the same password for multiple accounts, because credentials exposed in a breach of one site are routinely replayed against others.
Even as cyberattacks have become increasingly sophisticated, the humble password remains a vital defense. The steps above will help you improve password security at your institution.
Traina & Associates, a CapinCrouse company,* offers expert cybersecurity services to help higher education institutions and other nonprofit organizations assess their information security controls and identify and address any risks and vulnerabilities. More information is available at capincrouse.com/cybersecurity.
*Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.