While “Open Sesame!” might be one of the oldest passwords, the recent National Cyber Security Center list of regularly used passwords makes for interesting reading. I wrote about passwords a few years ago and many of the same rules still apply today. Some of the worst passwords have stayed the same (“password” and “123456” still top the list) and other easy names such as sports teams, celebrity names and fictional characters are popular. On World Password Day, May 2, 2019, take a moment and consider your level of password security.
What makes a good password?
It should be unique and sufficiently complex. Experts still recommend creating complex phrases and using a different, unique password for each of your accounts. I know, it seems easier to have just one phrase to remember, but then you risk having all your accounts accessible if that one is hacked.
The longer the better!
Remember Nick Helm’s Disney joke that we shared in a previous blog on this subject? “I needed a password eight characters long so I picked Snow White and the Seven Dwarves.” Funny. But also weirdly effective, as it has an incredible number of possible combinations. As we’ve mentioned before, the NIST Guide to Password Management states that the best way to increase password complexity is to increase the number of possible combinations.
The best way to increase password complexity without having to write it down is by increasing password length. It gets a little heady when you begin reading about it, but it really comes down to being sufficiently complex, not crazily complex. So when you see the requirement to have an uppercase letter, lowercase letter, number and symbol in your password, just remember that if you have to write it down to remember it then you have just made it less secure.
How often should I change my password?
Focus on stronger passwords, and you can worry less about changing them. Studies show that people who change their password frequently choose less secure ones. So pick a strong one and stick to it, unless you are forced to change it or think it may have been compromised. Increasingly, systems are dropping the forced-change requirement for this reason and because research shows people simply iterate on the original one.
Remember to follow these general guidelines:
* Use a secure password manager. I use KeePass, which is installed locally, but you can also use online password tools like 1Password so they can be accessed across all devices.
* Use your toughest, most secure passwords for your password manager, credit cards, banking, healthcare records and email (remember that your personal email is often used for password resets, so it must be just as secure).
* Use the next level for social media and communication tools.
* Save the least secure for generic stuff like your news sites where you don’t store sensitive data.
Not sure where to start? The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.