February 9, 2018

It’s only 9 a.m., and Jim forgot his password again. Before the day’s up, you can count on at least two more account freezes from failed attempts.

It’s time to finally put the kibosh on the stale “best practices” pervasive in password management and password complexity today. For years, you—and all the employees you trained—have been creating passwords complicated enough to fend off intruders—or so you thought. The wool’s been pulled over everyone’s eyes all along: Those password guidelines from two decades ago were totally wrong.

You’ve been misled—and xkcd knew it

Here’s the conundrum: In 2003, the National Institute of Standards and Technology (NIST) issued recommendations on creating hard-to-crack passwords. It advised using a combination of capital and lower-case letters, numbers, and special characters. In 2017, NIST revised the guidelines. You can wade through the report for a lot of good info, or simply look at Randall Munroe’s cartoon, published in August 2011, where he lampooned the original NIST findings.

In the cartoon, reprinted in The Verge, Munroe mathematically calculated the amount of time required to crack two different passwords:

  • Password 1: Tr0ub4dor&3

Time to crack: Three days, at 1,000 guesses per second, using standard techniques. Reason: People tend to build passwords from the same predictable mixes of letters, numbers, and special characters, so attackers can write guessing algorithms that target exactly those patterns.

  • Password 2: correcthorsebatterystaple

Time to crack: Approximately 550 years, at 1,000 guesses per second. Reason: The phrase is easy to memorize, yet because the words are chosen at random and have no meaning together, an automated guesser has no pattern to exploit and must work through a far larger space of possibilities.

Munroe declared, “Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” Math experts give a thumbs-up to Munroe’s observations, but many websites still require passwords based on the old formula.
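To make the cartoon's arithmetic concrete, here is an added example (not from the original article or from xkcd) that reproduces both crack-time figures from the bit budgets shown in the comic and turns the lesson into a generator for random-word passphrases. The per-component bit values, the 1,000-guesses-per-second rate, and the tiny word list are assumptions constructed for the demonstration; a real deployment would draw from a list of a few thousand common words.

```python
import math
import secrets

# Per-component entropy budget for "Tr0ub4dor&3", as drawn in xkcd #936.
# These are the cartoon's modelling assumptions, reproduced here, not measurements.
MANGLED_WORD_COMPONENTS = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "numeral": 3,
    "punctuation": 4,
    "order of numeral and punctuation": 1,
}

GUESSES_PER_SECOND = 1_000  # the attacker rate used in the cartoon
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed mini word list; a real list would have ~2,000 or more entries.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle",
            "window", "garden", "planet", "silver", "engine", "meadow"]


def mangled_word_bits() -> int:
    """Entropy of the 'word + substitutions + suffix' scheme: sums to 28 bits."""
    return sum(MANGLED_WORD_COMPONENTS.values())


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` independent uniform picks from a dictionary.

    Picks are independent, so the bits add: 4 words from 2,048 gives 44 bits.
    """
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker to enumerate every 2**bits candidate."""
    return 2 ** bits / rate


def crack_time_days(bits: float) -> float:
    return seconds_to_exhaust(bits) / SECONDS_PER_DAY


def crack_time_years(bits: float) -> float:
    return seconds_to_exhaust(bits) / SECONDS_PER_YEAR


def generate_passphrase(wordlist=WORDLIST, words: int = 4) -> str:
    """Pick `words` random words with the CSPRNG-backed `secrets` module."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))
```

The 28-bit scheme falls in about three days and the 44-bit four-word passphrase takes roughly 550 years at the same rate, matching the cartoon; note that the strength comes from random selection, so a memorable phrase you invent yourself does not get this guarantee.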


Forget regular password changes

Even more frustrating than remembering a string of gibberish is being told to change it every 90 days, a practice designed to lock out unauthorized users. Now a report by the Federal Trade Commission (FTC) refutes the rule. You need to laugh to keep from crying, right?

The FTC found that users frequently chose weaker passwords to begin with and then changed them in predictable ways that attackers found easy to crack. You guessed it: Regular password changes may do more harm than good.

Where’s the password refresh sweet spot? The FTC suggests:

  • If your password has been stolen, change it on all your accounts where you use the same or similar password.
  • If you’ve shared your password with a friend, change it.
  • If you saw someone looking over your shoulder as you typed your password, change it.
  • If you think you might have given your password to a phishing website, change it.
  • If your current password is weak, change it.

Level the digital combat zone with better password management

Password management companies can secure your online identity and save you the hassle of creating dozens of passwords. Password managers will generate, retrieve, and keep track of random passwords across all your accounts. They protect all your vital online info—not only passwords, but PINs, credit card numbers, answers to security questions, and more—with encryption so strong that it’d take a hacker 550 years to crack. Happily, you only need to remember one master password, so make it a doozy.

Dozens of companies now compete in the password management market. According to Capterra, the most highly rated are LastPass, TeamPassword, PortalGuard, and Keeper. You’ll pay a small monthly or yearly fee for most, but a few (like LastPass) offer some services for free.

Your toughest choice may be where to store your passwords. On your local hard drive or in the cloud? On the one hand, cloud servers allow the provider to easily sync your data across devices. On the other hand, you may feel vulnerable when you can’t see or access the crown jewels. Not to worry—providers offer both types of storage. Advanced technologies can equip even your hardware devices, like printers and copiers, with built-in security features that ensure only authenticated users and devices can access your print network, as well as keep your data encrypted.

When it comes to password management and password complexity, you’re in charge. In today’s digital combat zone, use the most effective weapons at your disposal. Either put your trust in a password management company, or handle your own password security by improving your habits and restrictions—and let that practice trickle down to your business’s employees. A simple tactic, like creating passwords of random phrases—rather than caps, numbers, and special characters—can hold the fort against cyber attacks for the next few centuries.

