Everyone has heard a lot about password security, but as of June the suggested practices have changed. With the constantly evolving world of cyber threats in mind, researchers at the National Institute of Standards and Technology (NIST) have gathered a significant body of evidence about which types of passwords work and which ones don’t. A lot of the old rules we learned decades ago have been found to be very ineffective and don’t really protect us as much as we thought. The new recommendations are summarized below:
- All passwords should be at least 8 characters long, but significantly longer when possible. Passwords under 8 characters are simply too easy to crack with modern computers. Research has determined that the length of the password is the most important factor in making it secure.
- Using special characters (!@#$) is no longer suggested when making passwords. These are just going to make your password hard to remember. It’s much safer to just make your password easy to remember, but very long – such as a series of random words. Note that using one word, no matter how long, is never secure; you should use multiple.
- Don’t use repetitive or sequential characters in a password. That means 1234abcd, qwertyui, and aaaaaaaa are all very insecure passwords. Hackers figured out all of the patterns years ago, and can crack your password easily if you use them.
- Don’t use your username, or the name of the website as part of your password. Even though this adds length and complexity, it is very easy to guess.
- Don’t use “hints” or other tools to make it easier to get your password. If you use these, a hacker just needs to figure out your mother’s maiden name or other simple facts about you in order to access your accounts. If you use password hints, they don’t need to guess your password at all.
- Don’t change your password too frequently. It is still good practice to change your password if you click on a suspicious link, if you get infected with malware, or if your password was hacked in the past. However, arbitrarily changing your password every X number of days is just going to increase the likelihood that you select insecure passwords or passwords that are very similar, and thus are no more secure.
- You should use a password manager. Writing down your password is still not considered a good practice because people can easily find your sticky notes with passwords on them. Password managers like LastPass will hold all of your passwords in a secure database, which means they can’t be seen by others or copied. Then you can make long, complex passwords and you won’t have to memorize them. The only password you need to know is the super-strong password for LastPass. We’ve used LastPass here at TechGen for a long time, and are reaching out to clients recommending that they use it too. We will be very happy to help you set it up. The time savings and added security are absolutely worth it. Please contact us if you are interested in pricing, features, etc.
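
The length, pattern, and username/site-name rules in the list above can be checked at the moment a password is set. The Python sketch below is an added example, not part of the original article or of NIST's text; the function names, the run length of 4, and the keyboard-row list are assumptions chosen for illustration.

```python
MIN_LENGTH = 8   # minimum length from the list above
RUN_LENGTH = 4   # assumption: flag runs of 4+ repeated or sequential characters

# Character orders scanned for sequential runs (keyboard rows are an assumed, partial set).
SEQUENCES = [
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
]


def has_run(password, n=RUN_LENGTH):
    """Return True if password has n identical or n sequential characters in a row."""
    p = password.lower()
    for i in range(len(p) - n + 1):
        chunk = p[i:i + n]
        if len(set(chunk)) == 1:            # e.g. "aaaa"
            return True
        for seq in SEQUENCES:               # e.g. "1234", "qwer", "dcba"
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(password, username="", site=""):
    """Return the list of rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if has_run(password):
        problems.append("repetitive or sequential characters")
    lowered = password.lower()
    for label, value in (("username", username), ("site name", site)):
        # Skip very short context values, which would match almost anything.
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains {label}")
    # Deliberately no special-character or digit requirement: length is what counts.
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the three weak ones named in the list.
    for pw in ["1234abcd", "qwertyui", "aaaaaaaa", "abc123", "lamp river cactus violin"]:
        print(repr(pw), check_password(pw, username="alice", site="examplebank"))
```

Telling a single long word apart from several words needs a dictionary, so that rule is left out of this check.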