Last week we posted a blog about Single Sign-On (SSO) as the antidote to password fatigue and how using Multi-Factor Authentication (MFA) boosts online security. As a follow-up, here are a few pointers on how to create strong passwords for applications that you do not access via SSO.
While passwords are not in and of themselves very secure, they are still a dominant form of authentication which makes it very important to use strong passwords and to not repeat passwords. Google conducted an online security survey of U.S. consumers, in partnership with The Harris Poll, and found that nearly 66 percent of respondents admitted to using the same password across some or all of their accounts. Respondents also admitted to using common and insecure passwords such as Iloveyou, 123456 and even the word password!
Instead of the term password, the National Institute of Standards and Technology (NIST) uses the term “memorized secret.” This is a change from the original password guidelines recommended by NIST nearly 15 years ago which encouraged using a combination of so many letters, numbers and special characters, and maybe even an uppercase letter.
Here’s an interesting read about how the man who first made those recommendations now admits they are essentially useless. Instead, the NIST Digital Identity Guidelines now focus on length as a key to strength. NIST recommends a minimum of 8 characters when set by a human with a maximum character limit of 64. At Enterprise Health, our employee password length minimum is 12 characters.
Create a long password that you can remember by composing a multiple word passphrase that gives you a mental image. For example, if you are a Sherlock Holmes buff, you know that 221B Baker Street is the London address of the fictional detective. By using the first three letters of each word in “Sherlock Holmes 221B Baker Street,” you could create the passphrase SheHol221BakStr. This passphrase would be easy to remember and complies with the NIST Digital Identity Guidelines, but is hard for bad actors to crack.
Strong passwords are essential to protect users, systems and resources. It’s well worth the time to take a look at the passwords you use to log in at work as well as to your financial institutions, credit card companies, physician’s office, bill pay services and online tax preparation services and strengthen them using the strategies described above. Plus, don’t forget to enable Multi-Factor Authentication when possible for an even higher level of security.