There’s a ton of conflicting advice out there about passwords: how long should they be, should I set an expiry date, can I use the same password twice (you can, but you shouldn’t!). At Transcendit we’re often asked by customers how they should approach passwords and account authentication - and how to balance this with convenience. As such, here’s our position on passwords - and how to keep your account secure.
Transcendit’s view is greatly informed by NIST, the National Institute of Standards and Technology. Their Digital Identity Guidelines were published in 2017, but they’re still the most comprehensive piece we’ve found on passwords and password management. It’s a lengthy document, so we’ve summarised the key points below.
Use two factor authentication wherever possible
Two-factor authentication (2FA) or multi-factor authentication (MFA) are the terms used to describe the process of requiring two or more independent factors to gain access to an account. This is often across two different devices, such as a computer and a mobile phone. It might be that you’re used to doing this with banking, when setting up a new payee for example.
Two-factor authentication and multi-factor authentication aren’t great for convenience, but they are two of the best ways you can keep hackers, scammers and opportunistic cyber thieves from gaining access to your accounts. Even in the instance that the security of one of your devices is compromised, with 2FA or MFA it’s much harder to gain access to your accounts.
No password expiry, and no complexity requirements
One of NIST’s guidelines is to remove aspects of password management that haven’t been proven to improve security, and this includes password expiry and complexity requirements for passwords. Password expiration has fallen out of favour with NIST, because if we’re asking users to create adequate passwords, asking them to change those passwords without an operational reason (such as a suspected compromise) doesn’t make much sense.
Password complexity requirements are also not the security haven we once thought they were. NIST’s guidelines recommend complex passphrases, as opposed to the presumed complexity of encouraging users to include a symbol, lower case letter, upper case letter, and your grandparent’s blood type. The result tends to be predictable passwords, with letters swapped out for symbols. As such, passphrases are in, complexity requirements are out.
Encourage unique passwords, discourage dictionary words
Unsurprisingly, the position hasn’t changed on unique passwords - we should all be using them. By this we mean that if your password appears on a list of common passwords, you should not be using it to secure any of your accounts. It also means we shouldn’t be duplicating passwords; if we use the same password for multiple accounts, a single leaked password can give a person access to even more data and information.
We discourage individuals from using dictionary words because it’s incredibly easy to run a dictionary attack, where every word in the dictionary is tried in turn until one opens the account. If your password appears in the dictionary, it’s definitely due an update.
No password hints or recovery questions
As users, we love a password hint when we can’t remember the details for the account we’re trying to access. Unfortunately, so do hackers. Even if you don’t opt to just write your password in the password hints box (and we really hope you don’t), anyone trying to get into your account has access to that clue. If your hint is ‘six digits’, you’ve given away a huge piece of information.
Recovery questions are similarly inadequate. It’s all very well for businesses to ask what your favourite football team is in order to verify you, but it also takes almost no effort to type a name into any social media site and find a person’s location, and deduce their favourite team from that. If a site is requesting a recovery question, we’d always encourage you to opt for two-factor authentication where possible.
Finally, check haveIbeenpwned.com
Have I Been Pwned is a great little site which allows you to check whether your passwords have been exposed in any data breaches. Just pop your password in to see if it’s associated with a data breach. And if it is, it’s time to change it.
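To show what the guidance above looks like when a site enforces it, here is an added Python example (not code from Transcendit, NIST or Have I Been Pwned): a password check that applies only a length rule, rejects blocklisted and dictionary values even after the usual symbol-for-letter swaps, and then asks a breach corpus for the password’s SHA-1 hash by sending only the first five hex characters of the hash, the same k-anonymity shape the real Pwned Passwords range API uses. The blocklist, the breach corpus and its counts are constructed stand-ins; `lookup_range` is a hypothetical hook where a real range query would go.

```python
import hashlib

# NIST SP 800-63B style acceptance: a length rule only, no composition rules,
# and a blocklist of common, dictionary and previously breached values.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a list of common passwords and dictionary words.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "football", "sunshine"}

# Typical symbol-for-letter swaps; undoing them exposes "P@ssw0rd" as "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "l", "!": "i"})

# Constructed stand-in for a breach corpus (password -> times seen in breaches).
BREACHED = {"password1": 2_000_000, "correcthorsebatterystaple": 5}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index the corpus by 5-char SHA-1 prefix -> [(35-char suffix, count)],
    which is the shape a range lookup returns."""
    index: dict = {}
    for pw, count in breached.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(BREACHED)


def lookup_range(prefix: str) -> list:
    """Hypothetical hook: a real deployment would fetch this range over HTTPS.
    Only the prefix leaves the client; the full hash never does."""
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return next((n for s, n in lookup_range(prefix) if s == suffix), 0)


def evaluate_password(password: str) -> tuple:
    """Return (accepted, reason) under the rules described above."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    if password.lower().translate(LEET) in BLOCKLIST:
        return False, "matches a common or dictionary password"
    seen = breach_count(password)
    if seen:
        return False, f"seen in breaches {seen} times"
    return True, "ok"
```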
Tweet us @TranscenditUK