Password Security – Staying Safe Online – Day 2 of Cybersecurity Awareness Month 2021
Password Security – Cybersecurity Videos Day 2
Mike Miller 00:06
So Craig, let’s talk passwords. I hear a lot of different information. You know, like some people are like it’s okay to use words. Other people are like, no, it has to be 40 characters long with a whole bunch of different crazy characters. You know, but people need a way to use passwords on a daily basis to get into all of the different software and things that they have to access. So, you know, what’s your suggestion? What makes a password good, what makes a password bad?
Craig Taylor 00:39
Well, let’s start by saying, I get frustrated by passwords just like everyone else. And I’m a cybersecurity professional, so I feel your pain. Fortunately, I’ve trained myself to use tools and technology which will help me deal with my passwords. And that’s typically a password manager. And that’s the subject of a future, I think we’re going to do a future cybersecurity overview of password managers, but you ask what makes a good password versus a bad password.
There’s a lot of bad advice on the internet. And there’s a lot of websites that are misinformed from very prominent web players out there. It all stems back to 2003, when NIST, the National Institute of Standards and Technology, said a good password, they thought then, which is wrong, was a nine-character complex password with uppercase, lowercase, special characters and numbers that changed every 90 days. That was a mathematician talking, not a social psychologist.
Mathematicians got it wrong. And subsequently NIST in 2017 rescinded that and said, here’s what we really learned: that advice makes everybody cheat. They have their favorite root password, and then they log on a prefix or a suffix to the password, you know, and if a hacker can see your basic password in the clear text, meaning they can read it, then they’ll know whatever your mechanism of cheating is, and they’ll be able to exploit it wherever you might have an account. So if they get it on one website, let’s say they break into some online website, I won’t give a name but a travel website, then they go over to your email account, and they try to log in with the email that you used at the travel website and the password you used there, and boom, for the majority of people out online today, that hacker is going to get into your email account.
Now they might try your bank, but banks have long since sent text messages with the second factor, something called 2FA or multifactor. That also is very important for critical accounts. That will be a topic of another cybersecurity overview. So what makes a good password today, according to NIST, CyberHoot and UK experts in the industry, is simply length.
The longer your password, the better. And when I say length, I believe in what we expose here at CyberHoot is 14 characters or longer. NIST has said in their advice it needs to be long, at least 12 or longer; 13, 14 is fine. But it also shouldn’t have a maximum length. They’ve said remove the maximum length. They’ve said don’t have challenge questions to get, you know, hints on what your password is, because people can socially engineer that too. So in the grand scheme of things, in my opinion, words are okay. You can think of a phrase from a book or a poem or a TV show or something you write up or nonsensical, something that is memorable for you. And then you use that long password to open up your password manager. And we’ll get into that on a subsequent date.
But right now, what makes a good and strong password is it has to be unique everywhere you go. It needs to be 14 characters or longer in length. It never has to expire necessarily unless you’ve had a compromise of your computer, in which case you would reset the access password there or on any websites that you were logged into on that compromised computer. Yes, you will change your passwords down the road. But generally speaking, you don’t have to change these extra-long passwords. They are very secure.
Mike Miller 04:21
Okay, okay. Is there a time where passwords of any length just aren’t secure?
Craig Taylor 04:27
Well, yes, when you have a critical account, and I would think of email, banking, VPN. Those are kind of like safety deposit boxes, but online, and you wouldn’t want your safety deposit box to be at your 7-Eleven; you’d want it to be in your bank vault, protected by all the physical security of that. Well, the equivalent online is using a second factor, a text message or an authenticator app on your mobile device. That is helpful for securing your critical accounts.
So that is, I think, something we should probably go into on another day. So the call to action here is if you’re a small business owner or an MSP, you need to adopt a password manager. You need to migrate yourselves and your clients to 14-character passphrases for AD or your clear identity management system. And then you need to educate and train your employees about password hygiene, and why using the same password everywhere you go is such a bad idea, because hackers see those.
They’re available on the dark web today. Billions and billions of accounts are available on the dark web for hackers to go retrieve and try in your business to get into your data. So you need to have stronger passwords in your business, stored in password managers, with two-factor protecting your critical accounts. That’s my call to action.