The news about online security seems universally bad these days. New scary threats, like the WannaCry ransomware attacks, are larger and more vicious than ever, hitting targets around the world for payoffs in Bitcoin. There may be many more such attacks on the horizon, as that attack seemed to use a zero-day exploit that the NSA apparently hoarded until it was discovered by the Shadow Brokers gang. We have no way of knowing how many more such flaws, waiting to be exploited, are still out there.
Hopefully, this assault and the rising potential for worse ones will prompt the official government computer security agencies to actually provide the ordinary user with a little more safety by sharing such exploits with affected vendors and developers on a timelier basis. However, totally overlooked in all this are some new security guidelines for passwords that may provide some slight but welcome relief to users.
For years, advice on password management has been frankly unrealistic and getting more so all the time. Memorizing long strings of nonsense characters that have to be changed at intervals has driven many to the brink of insanity, or to master obscure Renaissance memory techniques. It’s a daunting problem to deal with every day. No wonder that so many people depend on written sticky notes stuck in plain view on monitors or use the same simple phrase for all their accounts.
NIST, the National Institute of Standards and Technology, run by the Commerce Department, is the agency in charge of maintaining the cybersecurity standards that the most critical websites depend upon. Among many other things, it issues guidelines for the best practices of password management, and it has finally realized that users should not be made enemies. When things are made too difficult for the average user, such folks will inevitably find sneaky ways around the rules to make life a little easier. So NIST has significantly shifted its strategy.
So here are some recommended changes for managing “memorized secrets”, as NIST now describes these new passwords, which may not be single words anymore.
- No more password expirations simply due to the passage of time. That’s right: users won’t need to reinvent them all from scratch every 6 months or so. If they ain’t broke, don’t fix ’em – but of course, if any do get broken, replace them all with new ones immediately.
- No more secret security questions. Apparently hackers can easily guess what anyone’s favorite color is, their mother’s maiden name, or where that person went to school.
- No more special composition rules. The business of jumbling together lower-case and capital letters, numbers and special characters won’t help much against massive brute-force attacks. It’s password length that matters most, not complexity. However, sprinkling in a few odd characters may help to keep memorable phrases from being recognized and easily broken.
Currently SWCP only permits passwords 12 characters long to be used, but the new guidelines suggest that passwords of at least 64 characters eventually be allowed. This would allow the use of much longer pass phrases.
SWCP passwords can only be made of numbers and capital or lower-case letters. Permitting the incorporation of blank spaces and special characters would eventually enable passwords made of Unicode emoji, like 🙂. Spaces, however, could be difficult for some systems to handle, as they were in file names, so that change might take a while – and the graphical translation aspects of emoji might complicate things too.
These changes are mandated for the most secure websites with HIPAA certification; for everything else they’re just recommended best practices. It may be a while before they get widely adopted and commonly implemented across the field. Such changes take time, so don’t try using blank spaces just yet. But this shouldn’t be a problem, as the standards now call for clear guidelines for memorized secrets, including helpful information to the user on why theirs was rejected, such as being too commonly used.
Some rules, however, will remain the same:
- The password must be at least 8 characters long. Generally speaking, the longer the better. The idea is to make guessing or cracking it simply take too long to be worth it for most hackers.
- Do not use single words found in any dictionary. Unchanged brief phrases are not a good idea either. Long, silly or unique phrases that aren’t used in popular films or literature are a good method if they are personally memorable or accompanied by a striking visual image that makes them easy to recall, such as “recycled tangerine elephant-armor” or “flying flower bunnies”. However, there are many other ways to construct memorable but not too easily guessable pass phrases.
- Do not reuse the same password on more than one site/account. Ever.
- Never email passwords, unless the entire message is encrypted. And even then.
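To make the new guidelines concrete, here is a small Python checker, added as an illustration for this post and not code from NIST or from SWCP’s own systems. It applies the rules described above and in the list of changes: a length floor of 8 and a ceiling of at least 64, no composition rules (spaces and emoji are fine), a blocklist of commonly used passwords, a check for the username or service name inside the secret, and a plain reason back to the user on rejection. Beside it sits a constructed example of the old-style composition rule the guidelines drop, so you can see a phrase like “recycled tangerine elephant-armor” fail the old check and pass the new one. The blocklist here is a tiny constructed sample; a real deployment would load a large list of common and breached passwords.

```python
import unicodedata

# Constructed mini blocklist for this example; a real deployment would load a
# large list of commonly used and breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2017"}

MIN_LENGTH = 8    # NIST: memorized secrets must be at least 8 characters
MAX_LENGTH = 64   # NIST: at least 64 characters must be accepted


def _is_repetitive_or_sequential(text):
    """True for strings like 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    if len(set(text)) == 1:
        return True
    codes = [ord(c) for c in text]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def check_memorized_secret(secret, context_words=()):
    """Apply the new-style rules and return (accepted, reason).

    The reason is a plain message suitable for showing to the user, as the
    guidelines ask. context_words are things like the username or the
    service name that should not appear inside the secret.
    """
    # Normalize Unicode so visually identical input compares equally, and
    # count characters (code points), not bytes, so a space or an emoji counts as one.
    normalized = unicodedata.normalize("NFKC", secret)
    length = len(normalized)
    if length < MIN_LENGTH:
        return False, f"too short: {length} characters, minimum is {MIN_LENGTH}"
    if length > MAX_LENGTH:
        return False, f"too long: {length} characters, maximum is {MAX_LENGTH}"
    folded = normalized.casefold()
    if folded in COMMON_PASSWORDS:
        return False, "this password is too commonly used"
    for word in context_words:
        if word and word.casefold() in folded:
            return False, f"must not contain '{word}'"
    if _is_repetitive_or_sequential(folded):
        return False, "repeated or sequential characters are too easy to guess"
    # No composition rules: spaces, punctuation and emoji are all acceptable.
    return True, "accepted"


def legacy_composition_check(secret):
    """Constructed example of the old-style rule the guidelines drop:
    8 to 12 characters, ASCII letters and digits only, mixed classes required."""
    if not 8 <= len(secret) <= 12:
        return False, "must be 8 to 12 characters"
    if not (secret.isascii() and secret.isalnum()):
        return False, "only letters and digits allowed"
    classes = (any(c.islower() for c in secret),
               any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret))
    if not all(classes):
        return False, "must mix lower-case, upper-case and digits"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates: a legacy-compliant but common password, a long
    # pass phrase, a sequential string, and a phrase containing emoji.
    for candidate in ("Summer2017", "recycled tangerine elephant-armor",
                      "12345678", "🙂🙂 tangerine elephants"):
        print(repr(candidate),
              "legacy:", legacy_composition_check(candidate),
              "new:", check_memorized_secret(candidate))
```

Note the ordering: the length check runs first so that a rejected secret gets the most useful message, and the blocklist is compared after case folding so that “Password” and “password” are treated alike. Nothing here requires special characters, which is the whole point of the new guidance.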
And of course, other security practices should be constantly observed:
- Do not open attachments from unknown parties or links in emails. Many scammers go to great lengths to fake emails – and indeed, entire websites – that look legit. If you are alerted to a supposed problem by email, first check the address it points to. If it leads anywhere other than the official site itself, delete the message. If you’re still concerned, either look the site up online and visit it yourself, or forward the message to SWCP Tech Support so we can check it out for you.
- Never reply to spam. Sometimes all they want is a real person’s email address. And any reply is helping them by confirming that it got there.
- Always keep your operating system updated. Nowadays, Apple and Microsoft seem to be doing a better job than most antivirus companies.
- Do note any weird behavior by your computer. Slow speeds, strange windows, or search engines or homepages you don’t use suddenly becoming your default can all be signs that someone has broken in.
And finally, there is something you can do on an annual basis that will help. Customers of SWCP are entitled to one free Computer Clean-out per year to remove malware and useless files, and there are other things you can do. Call or email Tech Support for more information.