Sunday, November 25, 2018

Password Envy

Image: "123456" (photo by Marco Verch, CC BY 2.0)

You guessed it: "123456" was the most commonly used password of 2017, with "password" in the runner-up spot. SplashData releases its annual list of the worst passwords, based on its collection of over 5 million passwords leaked by hackers, according to a Fortune article posted in December 2017. Although the 2017 list has been out for a while, it hardly changes from year to year, and the struggle to educate users on what makes a good password never seems to go away.

How Often?
Another piece of the password puzzle that is open for debate is how often we should change our passwords. A little research shows that best practice has moved over the years from every 30 days to every 90 days, and most recently a document released by the National Institute of Standards and Technology (NIST) recommends removing periodic password change requirements. Is it better never to require a password change, or to require frequent changes that lead to habits which ultimately make our passwords meaningless? We all know the quickest way to retrieve a password in an office or classroom setting is to first check for the sticky note under the keyboard or in the top drawer of the desk. One step better is when the password is written in Sharpie on the bottom of the keyboard, and if there is a requirement to change passwords often, the previous passwords are crossed out with the newest in plain sight.

Passphrase or Password?
Another practice NIST recommends moving away from is complex passwords built from required mixes of special characters and numbers. Instead, it recommends extending the allowed length to 64 characters and encouraging the use of a passphrase, which is easier for the user to remember and unique to them. I agree with the logic behind this recommendation; however, it must be accompanied by some basic rules to ensure that the passphrase isn't easily compromised by context clues around the user's desk or office. A quote on the wall or a sticky note with my favorite animal in the desk drawer can still be a giveaway for someone physically looking for a password.
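To make the difference concrete, here is an added example (not from the original post) that puts a traditional composition-rule policy next to a length-plus-blocklist policy of the kind NIST describes; it assumes the document the post refers to is NIST SP 800-63B, and the blocklist is a small constructed sample seeded with the two entries named above.

```python
"""Legacy composition rules vs. a NIST-style length-plus-blocklist check."""
import re
import unicodedata

# Constructed sample blocklist: the two passwords named in the post plus a
# few values that satisfy typical complexity rules yet are still common.
# A real deployment would load a large breached/common-password list.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "password1", "p@ssw0rd", "qwerty123", "welcome1!",
})


def normalize(pw: str) -> str:
    """Fold case and Unicode form so 'PASSWORD' matches 'password'."""
    return unicodedata.normalize("NFKC", pw).casefold()


def check_legacy(pw: str) -> list:
    """Composition-rule policy (8-16 chars, all four classes). Returns failures."""
    reasons = []
    if not 8 <= len(pw) <= 16:
        reasons.append("length must be 8-16")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            reasons.append(f"missing {name}")
    return reasons


def check_nist_style(pw: str, blocklist=COMMON_PASSWORDS) -> list:
    """8-64 chars, no composition rules, reject known-common values."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if normalize(pw) in blocklist:  # exact match only; a real list is larger
        reasons.append("on the common-password list")
    return reasons


def compare(pw: str) -> dict:
    """Verdict of both policies for one candidate password."""
    return {"legacy_ok": not check_legacy(pw), "nist_ok": not check_nist_style(pw)}


if __name__ == "__main__":
    for pw in ("123456", "password", "P@ssw0rd", "Welcome1!",
               "my dog chases the mail truck every tuesday"):
        print(f"{pw!r:46} {compare(pw)}")
```

Note that the complexity-compliant entries pass the legacy policy and fail the blocklist, while the long passphrase fails the legacy policy on length and class rules yet is exactly what the NIST-style policy accepts.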


Image credit: Duncan C, CC BY-NC 2.0
Weakest Link
There are numerous studies showing that people are the weakest link in cybersecurity breaches. Generic passwords, default passwords on new user accounts, having no way to force a global password change, and the lack of password education are all areas we need to address. Each has its own set of challenges, but starting with our organization's users will provide a strong front line of defense in the cybersecurity battle. Don't wait, have the conversation today!