Passwords are a drag. Many users see them not as the first barrier to keep out bad guys, but as an obstacle to their own convenience. The rules have been complicated, obscure, and frankly, many seem ridiculous and more trouble than help. NIST, the National Institute of Standards and Technology, is the ultimate source of recommendations for password use. It has come out with a proposed set of changes that frankly look more designed to confuse than clarify. But we here at SWCP have analyzed them, and while these are not the final word (there probably never will be such a thing), they offer a decided improvement in how you can manage and remember good, safe passwords.
The new wisdom is a realization that if it is a pain for the end user, it won’t be done. So the idea is to make password management as simple and painless as possible, but still secure. It’s a tough balance but there are tricks that can make it much easier.
The New Recommendations:
- Length — for SWCP, passwords should be at least 8 characters, 16 maximum.
- Kinds of characters — Occasionally mixing capitals with lower-case letters and substituting numbers or punctuation symbols is still recommended, but it’s not emphasized, and don’t overdo it if it means your password can’t be remembered. No blank spaces will be allowed — if you must, use dashes or underscores instead. Emojis, no way.
- If your password is rejected as not strong enough or as “bad”, adding a “!” or a “1” at the end is probably not a good idea.
- While it is a good practice to change passwords every now and then, NIST recommends against administrators forcing users to change passwords arbitrarily every 6 months or whenever. Passwords should, however, be replaced with new ones ASAP whenever they are lost or any compromise is suspected.
- Do not use passwords that could be found in any common dictionary. Nowadays, many password-generating programs automatically check for and forbid anything too easily found. And there are online services, like “Have I Been Pwned?”, which will match passwords against millions of those found in hacking dumps, so users can judge for themselves how secure theirs might be.
- The good news is that password hints and security questions (like “what’s your mother’s maiden name?”) should not be used anymore. If a site still does, however, you do not need to reveal any actual personal information — these days, most of the things asked about can be discovered online, like maiden names, schools, and so on. You might even have mentioned your first pet in a social media post somewhere. Instead, rely on something that you can remember easily but makes no sense. Like, when asked your mother’s name, respond with “Volkswagen Van” or something equally nonsensical. Don’t worry — the computer is not going to call your mother or check somewhere. To the site, it’s just another password. As long as you’re consistent, always using the same response on the same site, you shouldn’t have any trouble. Even if your mom really is a VW.
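As an added example (our own illustration, not part of NIST’s text or any SWCP tool), here is a small Python checker that applies the rules above: length 8 to 16, no blank spaces, no emoji, and rejection of common words even when they are dressed up with number substitutions or a trailing “!” or “1”. The word list is a constructed stand-in for a real dictionary or breach dump.

```python
import re
from typing import List

# Constructed mini word list standing in for a real dictionary or breach dump
# (a production check would use a full list or a Have I Been Pwned lookup).
COMMON_WORDS = {"password", "letmein", "qwerty", "sunshine", "dragon", "cowboy", "welcome"}

# Undo the usual substitutions so that "P@ssw0rd" is judged as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols (the "just add a 1
    or a !" padding people use when a password is rejected), then undo the
    number-for-letter substitutions."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


def check_password(pw: str, min_len: int = 8, max_len: int = 16) -> List[str]:
    """Return the reasons a password fails the rules above; an empty list means it passes."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters (got {len(pw)})")
    if any(ch.isspace() for ch in pw):
        problems.append("blank spaces are not allowed; use - or _ instead")
    if not pw.isascii():
        problems.append("emoji and other non-ASCII characters are not allowed")
    core = normalize(pw)
    if core in COMMON_WORDS:
        problems.append(f"built on the common word '{core}'; padding and substitutions do not hide it")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "cowboy moon man", "cb0mUnman1trscAl"):
        print(candidate, "->", check_password(candidate) or ["OK"])
```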
Rather than use a password, consider constructing a passphrase, designed to be easily remembered but not something easy to stumble upon. Just find some phrase you’re fond of, string it together without spaces, and toss in a few numbers or capital letters. The danger here lies in using overly obvious famous quotes, lines from movies, or phrases from literature, which may be listed in some dictionary somewhere.
But one of the easiest, most secure, and indeed most enjoyable ways to make passphrases is to use a clever technique invented back in the Renaissance, called “the palace of memory.”
Building a Memory Palace
Before he was burned at the stake in 1600 for his outrageous belief in an infinite number of inhabited worlds, renegade priest Giordano Bruno became internationally famous for his development and popularization of memory techniques to allow a normal person to recall immense amounts of unrelated abstract information, like long lists of numbers or words, both easily and accurately.
These same methods can devise memorable, nearly-unbreakable passphrases. Basically, you first come up with a striking image – the more unique and unusual the better, as those are the easiest to recall. Then describe the picture in a short phrase that you can associate with whatever you wish.
So, for example, if I look around my office, I might see a hat, a postal scale, and a photo of an astronaut. If I visualize the spaceman on the moon wearing a cowboy hat and weighing a letter on the scale, I have an odd, but visually striking and therefore very hard to forget image that is naturally easy to associate with email. So a good image to key off of might be “cowboymoonmanletterscales” – a string that’s both long and very unlikely to be found in any text sample.
However, it’s much too long for SWCP. Cut it back to 16 characters, throw in a 0 for o and a 1 for l, capitalize a couple of odd letters, and voilà! “cb0mUnman1trscAl”: unique, hopefully unforgettable, and as secure as such things can be.
Even longer strings of information can be recalled by actually visualizing a space and filling it with odd visual associations to the things to be recalled. One way was to assign each letter of the alphabet to something visually striking and use those as a guide. Such efforts really shouldn’t be needed for passwords, but they are worth checking out if you find yourself needing to remember a bunch of people’s names, for instance.
Phishing Reminder: DON’T PANIC, DON’T RESPOND
While we’re on security, we’d like to remind you that there are a lot of evil scammers sending out emails designed to make the recipient respond. These are called “phishing” because they’re looking to hook you in if you reply in any way before you think about it.
Some appeal to greed (you just got a refund from Microsoft, for instance), but most work on natural fears — such as claims that illicit porn was found on your computer, that you owe the IRS lots of money, or that you must pay for tech support or your computer will be compromised.
Some even claim that ransomware has been placed on your files and unless you fork over some bitcoin quick, it’ll be locked up. First thing to remember is that the IRS, Law Enforcement, Microsoft, etc. will NEVER notify you via email that you owe/are due money. NEVER will they demand online or over the phone that you pay up now to avoid arrest, whether it be in bitcoin, gift cards or whatever. If ransomware is ever injected into your machine, the bad guys will likely lock it up tight before issuing demands.
Another way to tell is to look for telltale signs. Check the sender’s address, the reply address, and the domain. You can see the actual headers in your email client under View > Message source, or some similar command, and they should show whether things are being spoofed even without any special security tools. If the domain for the reply is in any way different from the address shown, like it’s not “@irs.gov” but say “@irs.com”, or there are any http:// links embedded in the address, it’s bogus. If you want to be sure, look up the proper domain on Google and go directly to the real site from there. DO NOT click on any link in the message.
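As an added illustration (ours, not something from the newsletter or SWCP’s mail system), this Python snippet automates the header comparison described above on a constructed sample message: it compares the From domain with Reply-To and Return-Path, checks for a lookalike sender domain, and flags URLs smuggled into address headers. Every address and domain in the sample is made up.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample (not a real message): the visible From claims irs.gov,
# but replies would go to an unrelated domain, the sign the newsletter describes.
SAMPLE = """\
From: "IRS Refund Dept" <refunds@irs.gov>
Reply-To: claims@irs-refund-portal.com
Return-Path: <bounce@mail-sender.example>
Subject: Action required: unpaid balance

You owe $2,418. Pay within 24 hours to avoid arrest.
"""


def domain_of(header_value: Optional[str]) -> str:
    """Return the lower-cased domain from an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_warnings(raw: str, expected_domain: Optional[str] = None) -> List[str]:
    """Compare From, Reply-To and Return-Path domains; return human-readable warnings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    warnings = []
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # Return-Path routinely differs for legitimate bulk mail, so treat it as a weaker hint.
    bounce_dom = domain_of(msg.get("Return-Path"))
    if bounce_dom and bounce_dom != from_dom:
        warnings.append(f"Return-Path domain {bounce_dom!r} differs from From domain (weak signal)")
    # Lookalike domain: the sender should be irs.gov, not irs.com.
    if expected_domain and from_dom != expected_domain.lower():
        warnings.append(f"From domain {from_dom!r} is not the expected {expected_domain!r}")
    # A URL has no business inside an address header.
    for hdr in ("From", "Reply-To"):
        value = (msg.get(hdr) or "").lower()
        if "http://" in value or "https://" in value:
            warnings.append(f"{hdr} header contains a URL")
    return warnings


if __name__ == "__main__":
    for w in header_warnings(SAMPLE, expected_domain="irs.gov"):
        print("WARNING:", w)
```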
Also, misspelled words, or additional text that’s often whited out but visible upon selection, are dead giveaways that this is spam or worse.
One phishing variant that naturally terrifies people is when the threat appears to be sent from the user’s OWN email account. It’s enough to make you feel like you’re in a horror movie: “Run! The killer is already in the house!” Relax — it doesn’t mean they have hacked your system: email addresses are some of the easiest things in the world to fake.
IF and WHEN you get what may be a phishing email, here’s how to handle it:
- Don’t panic — stop and think before doing anything. Does the message demand money or an instant response? Then it’s bogus.
- Don’t open any attachments — pdf files, links, anything could be a trap.
- Don’t reply — it is vital that you do NOT interact in any way, lest you inadvertently open the door to attack.
- Do ask email@example.com — if you’re concerned that this might be a threat but you’re not sure, or if it’s a message of a type that you’ve never seen before.
- Delete the thing immediately.
Plus, be sure to use SWCP’s spam filters, blacklisting and other security features. Keep your own antivirus up to date, scan all attachments, and don’t forget that all SWCP customers get one FREE computer virus scan each year. Just email firstname.lastname@example.org, call us at 232-7992 to set up a time, or drop on by during office hours.
Remember, we’re all in this together. By making yourself safer, you make all other SWCP users safer, too, and we thank you.