Matt Topper, a Professional Services Manager at Integris, explains the changing rules for passwords and how to construct them, and offers password hints and tips for safely creating and changing passwords.
Password Hints: The Longer the Better
Hi, I’m Matt Topper from Integris. I’m the Professional Services Manager here. And today we want to talk about passwords, specifically some of the changing rules on how to construct them and what you might want to think about the next time it comes to set or change your password. And we’ll come back to the subtitle about the auditor requirement later on. Over the last few years, a lot of the recommendations, rules, and guidelines around how to construct passwords, how long they need to be, and what complexity rules they need to have has changed. And it’s all changed for the better and become simpler.
Traditionally, you might’ve seen password hints and rules such as: your password needs to be seven to eight characters long, or 12. It needs all these complexity rules that make it contain letters, numbers, symbols. And once every few months you get prompted to change it. And what happened from this is that it caused everyone to pick a password and struggle to make it meet the complexity requirements, trying to add whatever symbols or numbers they needed to the end. And then it caused everyone to write it down on a post-it note or in some kind of personal notebook with all their passwords. And then once you finally managed to commit it to memory, it was time to change it again.
And so NIST took this into account when setting new guidelines for passwords. And one of the goals of the new guidelines is to make passwords memorable so that you never have to write them down anywhere. So you don’t have to try and remember a bunch of chicken scratch and gobbledygook. The new guidelines start with one thing: using multi-factor authentication when possible. And that’s actually one of the biggest points. If you have the ability in whatever service you’re using to use a secondary authenticator, even a text message, while that’s not the best multi-factor authentication, you should use it.
But the new guidelines specify no complexity requirements. So there’s no more trying to guess if you’re meeting complexity requirements, trying to come up with dollar signs where S’s are or threes where E’s are; all of that is gone. No password expiration, so having to rotate your passwords every 30 or 60 days is no longer a recommended best practice, with the exception that if you suspect, or your provider suspects, that there has been some kind of breach, then there should be expiration on passwords.
And check against commonly used words. So even though there are no complexity requirements, you still shouldn’t have a word like “password” as your whole password, obviously an extreme example. And one of the benefits of removing these requirements is that it allows you to have much, much longer passwords without making them difficult to remember. And this slide reflects the idea that password length is actually much more important than the characters that are used. So for example, if your password is only eight to 11 characters, that’s when the symbols become important, because the search space is bigger, right? If you randomly tried to guess passwords, you’d have to guess across the letters, numbers, and symbols.
But as the length increases, it turns out that the difficulty, or time, to guess passwords goes up much faster by adding additional characters than by adding additional complexity. And so once you get to a 20-character password length, you can have anything you want in passwords. Take into account that the space character is valid in all passwords. And that leads to the idea of passphrases. So this graphic is part of Stanford’s Password Policy, and it’s used to describe ways that you can have passwords that are easy to remember and hard to guess.
So with just lowercase letters and four words, orange eagle key shoe, you have 21 characters, and this is something that you can remember without having to write it down. You can do symbols: a key. You can do an animal, a fruit, an article of clothing in this case. They’re all completely random words. And that allows you to have very, very long passwords that are hard to guess and easy to remember.
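As an added illustration of the guidelines just described (this is example code written for this page, not something from the talk or from Integris), the following Python applies the three rules the talk names, a length floor, a check against commonly used passwords and no composition rules with spaces allowed, and then works the length-versus-complexity comparison behind the slide in bits. The minimum length of 8 is an assumption, the blocklist is a small constructed stand-in for a real list of known-breached passwords, and the 7776-word list size is that of a standard Diceware list.

```python
import math

# Constructed stand-in for a "commonly used passwords" blocklist. A real deployment
# would load a much larger list of known-breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

MIN_LENGTH = 8         # assumed floor; the talk's point is that far longer is better
PRINTABLE_ASCII = 95   # letters, digits, symbols and the space character
LOWERCASE = 26
DICEWARE_WORDS = 7776  # size of a standard Diceware word list (6**5)


def check_password(candidate: str, blocklist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Apply only the rules the talk describes: a length floor and a check against
    commonly used passwords. There are no composition rules, and spaces are allowed,
    so a multi-word passphrase passes as-is. Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    # Normalise case and surrounding whitespace so trivial variants of a blocked
    # word ("Password", "password ") are still rejected.
    if candidate.strip().lower() in blocklist:
        return False, "appears in the commonly used password list"
    return True, "accepted"


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates an attacker guessing uniformly over
    `alphabet_size` symbols must cover for a `length`-symbol password."""
    return length * math.log2(alphabet_size)


def length_vs_complexity() -> dict:
    """The comparison behind the slide: adding characters grows the guess space
    faster than adding symbol classes. All values are bits (log2 of guesses)."""
    return {
        "8 chars, full printable ASCII": guess_space_bits(PRINTABLE_ASCII, 8),
        "11 chars, lowercase only": guess_space_bits(LOWERCASE, 11),
        "20 chars, lowercase only": guess_space_bits(LOWERCASE, 20),
        # 'orange eagle key shoe' treated as 21 arbitrary characters of lowercase + space
        "21 chars, lowercase + space": guess_space_bits(LOWERCASE + 1, 21),
        # The same phrase modelled as 4 words picked at random from a 7776-word list,
        # i.e. against an attacker who knows the list. This is the honest figure for a
        # generated passphrase and the reason the words must actually be random.
        "4 random Diceware words": guess_space_bits(DICEWARE_WORDS, 4),
    }


if __name__ == "__main__":
    for pw in ["password", "Password ", "S3cur1ty!", "orange eagle key shoe"]:
        print(f"{pw!r:26} -> {check_password(pw)}")
    for label, bits in length_vs_complexity().items():
        print(f"{label:32} {bits:6.1f} bits")
```

Running it shows the two points the talk makes: an 8-character password over the full printable set sits around 53 bits while 20 lowercase characters sit around 94, and a complex-looking password like `S3cur1ty!` is accepted but no longer required. The last row is the caveat a practitioner should keep in mind: four words chosen at random from a known list are worth about 52 bits, so the strength of a passphrase comes from the words being random, not merely from its character count.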
One of our password hints is to have different passphrases and different passwords for every website. How do you keep track of all that? Even with passphrases, they’re still difficult to remember if you have 100 of them.
That’s where password managers come in. Password managers allow you to have one password that you need to remember, which then gives you access to all of the different passwords you’ve saved. The obvious benefit of that is if there is some type of breach on a service that you use, only the one password needs to be changed. So if your Gmail password gets compromised, you only need to go in and change your Gmail password, et cetera. And this removes the need to have some type of book or document or spreadsheet where you have all of your passwords, trying to keep track of it, keeping it up to date and having it when you need it.
And in many cases, right within the password manager, you can click a link to log into the service directly without even having to type in anything. And that idea starts to get into identity management. Identity management is the idea of having an identity that’s owned by you. So rather than having individual passwords and credentials for each site, your account actually exists in one place. So for example, have you ever been to a website and seen the ability to log in with Facebook or log in with Google? That’s identity management. When your password changes at Google or at Facebook, you don’t have to remember to go in and change it at all these different websites. You’re actually logging in as you, rather than your account just granting you access to Google. Now it also grants you access to other web services that use Google for authentication.
And in the business world, this is starting to come up with services like Azure, and Google’s enterprise service does it as well. Your Microsoft 365 account that you use to check your email or sign into your computer can also grant you access to your project management software or any other web application that your company might use. And the great part about that is when someone leaves the company, you don’t have to remember to go find all of the accounts they might have at various websites, or change the company Facebook password, or things like that, because their identity is what’s granting them access to that resource. Once that identity is removed, when you disable their account, they no longer have access to those resources. From a convenience and security perspective, that’s an excellent and important paradigm.
So to conclude this segment on password hints, if you take only one thing away from this presentation, it’s that the longer the password is, the better. To wrap back up to the initial title, though: unless your auditor is telling you otherwise. Keep in mind that, despite what NIST’s regulations and recommendations might say, if your company has regulatory obligations, those take precedence over any common guidelines from NIST. So for example, PCI, depending on what level you need to be at, has prescribed specific criteria for password length, password rotation, things like that, and other frameworks do too. In those cases, you need to defer to what your regulators say and what your auditors say. If you need help understanding where there are contradictions, or what you can and can’t do based on your regulatory obligations, that’s something we can help with.
Want more password hints? Check out these Nine Tips for a Stronger Password.