Password security has been a hot topic for a long time. That is because passwords stand as the most commonly used tool to keep unauthorized individuals out of accounts and files. However, as technology changes and hackers adapt their methods to keep up, what was once considered best practices can change as well. That is why users need to keep up with the latest password advice. Today’s recommendations may evolve again in the near future, so staying up-to-date with the latest best practices is key to ensuring data is safe.
New password advice from top experts in cybersecurity updates how individuals should manage their password practices. For example, the “password” has fallen out of favor with some major corporations, like Microsoft, and law enforcement agencies, like the FBI. Instead, using the more descriptive and secure “passphrase” is recommended. Also, the once “golden rule” of changing passwords frequently—and requiring routine forced resets—has now been updated to reflect why this is not necessarily the best security habit.
First, a passphrase is a much longer security tool. Studies have found that a password’s “guessability” by cracking software decreases exponentially with every additional character. The six-to-eight-character guideline for passwords has been replaced with the recommendation of a nine-to-ten-character passphrase. A passphrase, unlike a single word or acronym, is a short combination of words that mean something to the user, which makes the user more likely to create a unique login for every account instead of reusing a single password across many of them. Common, strong passphrases could be things like the name of a favorite song, a movie quote or a favorite team cheer, such as “BoddaGettaBoddaGetta” or “HookEmHorns.”
Routinely replacing a password or passphrase has also been shown to have a downside. When users are forced to change one, they often alter just a single character, so a password such as “doghouse1” becomes “doghouse2.” Once the old value has leaked, such a predictable variant is easy to guess, including during attacks like credential stuffing.
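To make the two points above concrete (the minimum-length recommendation and the “doghouse1” to “doghouse2” rotation problem), here is an added example of a policy check a site could run when a user sets a new passphrase. It is not code from the original article; the function names, the Levenshtein-based similarity test and the threshold of two edits are my own assumptions.

```python
import re
from typing import List, Optional

# Minimum passphrase length, taken from the article's nine-to-ten-character recommendation.
MIN_LENGTH = 10


def _strip_trailing_digits(s: str) -> str:
    """Return s with any trailing run of digits removed, e.g. 'doghouse12' -> 'doghouse'."""
    return re.sub(r"\d+$", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable tweak of `old`: same text in a different case,
    the same text with a changed trailing number, or within a couple of edits."""
    o, n = old.casefold(), new.casefold()
    if o == n:
        return True
    if _strip_trailing_digits(o) == _strip_trailing_digits(n):
        return True  # catches the 'doghouse1' -> 'doghouse2' rotation habit
    return edit_distance(o, n) <= max_edits


def check_passphrase(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy problems with `new`; an empty list means it is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if old is not None and is_trivial_variant(old, new):
        problems.append("too similar to the previous passphrase")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, using the article's own examples.
    print(check_passphrase("doghouse2", old="doghouse1"))
    print(check_passphrase("BoddaGettaBoddaGetta", old="HookEmHorns"))
```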
Experts have long advised that passwords and passphrases contain a combination of uppercase and lowercase letters, numbers and symbols. That advice has also been re-examined: the likelihood of a user establishing and remembering a complex combination for every single account is not very high, whereas creating a unique passphrase for every account is both more secure and a habit users are more likely to keep.
Some of the password/passphrase advice has not changed. It is still important to create a separate passphrase for every account and to enable multi-factor authentication when possible. It is also important to avoid any similarity between work and personal passphrases and not to share login credentials with any unauthorized users.
As with all technology-related practices, the most important thing for users is to stay adaptable and evolve as the ecosystem changes to address new attacks. Microsoft, for example, has introduced three different methods for password-free logon and has reported a lot of success. Keeping up with security findings and fitting them into daily use is a valuable way to protect data and users’ identities.
If anyone has questions related to cybersecurity or password best practices, they can talk to one of our advisors via LiveChat by visiting our website, www.idtheftcenter.org.