***Please Note - Updates were added to this post on 2/28/18 (bottom) regarding where common sites stand on their password policies.
Ok friends, let's get into it. In part 2 we'll cover passwords. Simple, I know, but VERY important, so take some time to read the post below. Note: this post is geared towards business; most of it applies to the personal user as well, but we'll get more into that in another post.
I tell everyone the story of my first boss. I was working for a small CPA firm in the Midwest, and it was just after the transition from 4-column ledger pads (look it up, millennials) to what we called "Professional Entry", meaning that every employee had a computer on their desk.
My boss, the CEO, came up before then and was vehemently against computers, or at least against using them.
We were using Windows XP and Novell NetWare at the time, and from time to time a technician would need to access the CEO's computer. From the inception of the network, his password was always his initials. When I came on board, I started to require frequent password changes. This caused issues for the technicians, but never in the CEO's case: he would just add a number after his initials each time. A tech who could do quick math could figure out his password, and, voilà, they were in the CEO's computer, as the CEO, with complete access to every system in the environment. A predictable pattern like "initials plus a counter" shrinks the guessing space to a handful of tries, so the forced changes bought nothing.
Of course, one of my first objectives was not only to implement stronger passwords, but to set system access rights based on each employee's role and requirements.
We all take passwords lightly; I do it myself. Every website, every computer, every system requires a password. They are a nuisance. We just want to buy our pizza or check our email without having to remember the latest password and the weird spelling of our child's name that we used this time.
But what do passwords really protect? They protect our identities, our money, our children, our memories. Passwords, if used correctly, can ensure that I, and only I, have access to my digital footprint in the world.
NIST (National Institute of Standards and Technology) guidance and the HIPAA regulations are changing, and I love it. (The NIST document in question is Special Publication 800-63B, Digital Identity Guidelines, published in June 2017.) I tracked my own usage last week: in one day of work, I typed passwords into 12 different systems, 48 times in total. I have a system for my passwords and have worked out how to minimize the "forgot password" option, but I'm not the norm.
A few of the highlights include:
A minimum of 8 characters, and the system must accept passwords of at least 64 characters.
NOT requiring complex passwords (the old composition rule of at least one lowercase letter, one uppercase letter, one number and one special character).
NOT requiring periodic password changes. Only force users to change their passwords when there is evidence or reasonable suspicion that a password has been compromised, or after a major management (including IT) change.
Checking every new password against a list of known-compromised and commonly used passwords, and against context-specific words such as the user's name and the company name.
Yeah, that’s right – NIST / HHS have completely changed the model most IT Administrators have been using for the last 10 years!
The point is to not make it difficult for the user to remember, allowing a passphrase instead of a strange word or string. Instead of "Bl@ckb1rd!", NIST's guidance encourages a phrase such as "BlackbirdSingingInTheDeadOfNight". Yes, those are both bad passwords (they are the same well-known song lyric, one with character substitutions that every cracking tool already tries), but I'm illustrating the point.
We all know that the more complex a password is, the harder it is to remember, so we cheat. We write them down, or change just one character when required, thus COMPLETELY defeating the purpose!
So, what is recommended in layman's terms?
First, educate your users. Don't just stick them with an initial password and then ask them to change it to something they know. Make cyber security part of your employee onboarding process, as well as part of your annual training schedule. Tell them what you recommend and why, and lead them to a strong, secure password that no one but they could ever remember.
Second, implement the policy: at least 8 characters, accept up to 64, no complexity requirement, no scheduled password changes. This is simple if you have a server; on a Windows domain these are settings in the default domain password policy (check with your IT provider). One caveat: dropping the complexity rule is only safe if the system also rejects passwords on a known-bad list, otherwise "password1" sails through.
Lastly, encourage users to keep their personal passwords and work passwords separate. The password you use to log in to your corporate systems should NOT be the same as your Amazon or Starbucks password.
Gmail has adopted this new password policy. Their policy includes: "Passwords can contain any combination of ASCII characters and must contain a minimum of 8 characters. First and last names support unicode/UTF-8 characters, with a maximum of 60 characters. Periods (.) are not ignored." Passwords do not expire.
Yahoo.com has adopted the length requirement but still requires complex passwords. Passwords do not expire.
Cyber security and data breach protection are not hard, but an industry that changes daily requires experts who stay up to date on emerging threats and technologies to be sure that you do not become one of the breach statistics.
Please review the forthcoming posts, check out our Facebook or Twitter account, and share this information with your circle of influence. Better yet, if you are serious, give us a call and we can get you up to speed in less than an hour and help you develop a plan for protection and reaction.