Why Do Passwords Have to Be So Complicated?

 

Confused about best practices for passwords? You aren’t alone! As the marketing coordinator of an IT Managed Services Provider, I thought it would be an interesting exercise to step in as a guest writer of our bi-weekly blog.  My thought was that I would learn “best password practices”, and then I’d be able to pass those along to our readers.  It wasn’t as simple as I thought it would be.

A Little History

Love it or hate it (or use it because you must), technology is here to stay.  The paradox is that the easier the management of our lives and businesses have become with technology, the more complicated they have become due to the risk of being hacked.  Our first line of defense in keeping our information secure is a strong password.  Easy enough, right? It just needs to be long enough and unique enough that super-smart hackers with their super-fast computers won’t be able to crack it.  Oh, and you need to remember it – that’s important.  Raise your hand if you’ve ever tried to sign on to your email, or social media, or access your bank account, and…you couldn’t remember your password.  You tried different versions of what you thought it was until you got locked out.  And keep those hands up if you thought to yourself, “This is ridiculous!”, and once you regained access, you just changed the password to “password”.  Or something equally easy to remember.  We’ve all been there.  We know the problem, but what’s the solution?

Well, even the experts are in some disagreement about this. Back in 2003, Bill Burr of the National Institute of Standards and Technology, wrote “NIST Special Publication 800-63. Appendix A.” His 8-page brief said that the way to keep our accounts safe was to invent words with both upper and lowercase letters, special characters and numbers. And to change those passwords frequently.  It seemed like sound advice, but we’re creatures of habit, and it turns out that when we changed our passwords, we tended to make minor variations on the old one – C@licoC@t23 became C@licoC@t24. Far from keeping our accounts more secure, we were making them more susceptible to hacking. In June, 2017, Special Publication 800-63 was completely rewritten, and there were a few surprises.

What’s Changed?

  • Unless your account has been compromised, it is not necessary to change your password (but do not use the same password for multiple accounts).
  • And those special characters, numbers and letters? It turns out that the best passwords are ones we can remember. The new advice is to create a phrase that makes no sense, but that will be meaningful to the user without identifying them.

This means that “Ilovemydogspot” would not be a great choice, but “Greencowsjumprope” would be pretty difficult to hack.  Uh huh. Now multiply those non-sensical phrases times the myriad sites which require passwords, and then try to remember them all (because you should never, ever reuse the same password).  Best of luck to you.

So, What’s the Simple Answer?

After sorting through many articles filled with sometimes contradictory advice, I found no perfect answers, but there are some simple steps you can take to generate and use passwords that will help keep your information secure. The Department of Homeland Security website has recommendations from the U.S. Computer Emergency Readiness Team which are remarkably easy to incorporate:

  • Use multi-factor authentication when available. (In plain language, this gives more than one layer of protection. Accessing an account requires a password plus another form of authentication, such as a code sent by text message to your mobile phone, or a fingerprint recognition.)
  • Use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system.
  • Don’t use words that can be found in any dictionary of any language.

And Finally…

Once you have created all these unique passwords, try using a password manager so you can give your poor brain a break.  You will only need to remember one password (but make it a good one!) and the manager will do the rest for you. An internet search will reveal more choices than you can imagine, but for no-cost options, LastPass was PC Magazine Editor’s Choice for 2018.  (For the entire list, visit www.pcmag.com)

 

If you have questions about passwords and security, we have experts at Cleartech Group who can help!  Give us a call at (978)466-1938 or visit us online at www.cleartechgroup.com