Here’s why you still need a strong password and still should change it periodically…
For the past week there have been news stories about how the creator of the commonly accepted standard for passwords now regrets his advice. On August 7th 2017, Mr. Bill Burr gave an interview to the Wall Street Journal. Mr. Burr was the author of the 2003 US government document advising people to create complex passwords and change them frequently. Those standards have long been the ones the IT industry recommended. In the Wall Street Journal interview, Mr. Burr now states that was an error he regrets. He says the advice was too hard for people to follow, so they ignored it, and that it was extremely frustrating and inconvenient for everyone who did follow it.
He now recommends a long password (or passphrase) with no requirement for numbers, special characters, or mixed letter case, and says you should not be required to change it except occasionally, in the case of a known breach. He believes that a single long passphrase which a user can easily remember and is not forced to change is the best way to get users to have strong passwords. His theory is that if you can get people to come up with a long (therefore unbreakable) password and allow them to stick with it, then more people will do it and the overall level of security will rise for everyone.
No More Regular Password Changes, right?
So, now ENTRUST clients are asking us if they can go back to using “simple” passwords and skip the regular change cycle.
For the past few years, we have been recommending a long “passphrase” of about 12-16 characters as the standard. Complexity (different cases, numbers, special characters) is optional. Longer is fine, shorter is not. A long but easily remembered passphrase like “myfavoritecolorispizza” (22 letters) is virtually unbreakable even without any complexity at all. This advice corresponds perfectly with Mr. Burr’s new recommendation regarding password length vs complexity.
However, we still advocate for periodic password changes.
- Mr. Burr recommends changing your (long) passphrase only after a known breach. However, many breaches go undetected for weeks, months, or years. Witness the Yahoo breaches that occurred as far back as 2012 which were not revealed until 2016! So, it’s important to periodically change your password just to protect yourself against breaches you don’t know about.
- There is always some small level of “leakage” of passwords. Someone watches you type your password and figures it out. You share your password with someone you trust (spouse, administrative assistant, co-worker) for a legitimate reason. Those “leaked” passwords should not be valid forever. A periodic change makes those “leaked” passwords useless once you make the change.
So, how often should you change your password? That depends upon the nature of your environment (business) and the associated risks. If you are in a highly regulated industry such as health care or finance where the penalties and costs for breaches can be very high, then changing your password every 90 days still makes sense. Furthermore, the governing entities who oversee compliance have not yet changed their standards and still recommend 90 day password change cycles. So, to remain compliant you may need to keep to that cycle. In a less sensitive environment (a typical small business) and if you enforce the long password requirement, then perhaps you can get away with only changing your password once or twice per year.
How “Long” is “Long Enough”?
So now you wonder, how long do I need to make my password today?
Our current advice of at least 12 characters still stands as long as you don’t include personally identifiable information within it. Past breaches of hundreds of millions of accounts at places like Adobe, Yahoo, LinkedIn, and others give attackers a leg up on attacking you. That information is now publicly available, and attackers can use it for clues to how you create passwords. So, don’t use your name or birthdate or street address within your password! If you do, then you need to make it longer still.
In the past few years, however, freely available hacker tools have made it easier, although by no means “easy”, to break 12-character passwords. 14 characters is now the lower limit if you want to make your passphrase truly difficult to crack.
Do we still recommend two-factor authentication?
So, given the safety a long password should provide, do we still recommend the use of two-factor authentication that requires something like a secondary access code sent via text message or email or on a synchronized “token” device?
In short, YES, we still recommend two-factor authentication, at least for internet-facing devices. So if you have a server that your employees access directly across the internet, we still recommend requiring a second authentication method such as DUO for access through that device. This ensures that even if there is password leakage, attackers still cannot penetrate internet-facing devices without also gaining control over the two-factor device (smartphone, token, email account).
The ENTRUST Password Policy in 2017
So, in short, here is ENTRUST’s official password policy recommendation for businesses:
- Require all users to have a long passphrase of at least 12 letters (14 or more is better) that is easy to remember. Complexity is a bonus but not required. Do not use personally identifiable information in your passphrase unless you make it really long.
- Require all users to periodically change their passphrase:
  - High-risk and highly regulated industries should continue to require a change every 90 days.
  - Otherwise, require a change only every 6 months or 1 year, and only so long as you are enforcing a long passphrase.
- Avoid using the same passphrase everywhere. You don’t want a breach at one place (like LinkedIn) to suddenly reveal to hackers your passphrase to your bank and your office network!
- Continue to require two-factor authentication for devices that are exposed to the public internet
Following these guidelines will help make you as safe as you can be in 2017.
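The policy above expressed as an audit check, as an added example rather than ENTRUST's own tooling. The `Account` record layout, the finding names, the 365-day ceiling used for standard-risk accounts, and the rule that PII fragments are discounted from the passphrase length are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 12                                # policy floor ("at least 12")
PREFERRED_LENGTH = 14                          # "14 or more is better"
MAX_AGE_DAYS = {"high": 90, "standard": 365}   # 90 days if regulated, else up to 1 year

@dataclass
class Account:                     # hypothetical record layout
    user: str
    passphrase: str                # checked when set, before it is hashed
    last_changed: date
    risk: str = "standard"         # "high" = regulated / high-risk
    internet_facing: bool = False
    has_2fa: bool = False
    pii: list = field(default_factory=list)   # name, birth date, street address

def effective_length(passphrase, pii):
    """Length left after removing PII fragments (assumed reading of
    'make it longer still': guessable parts add no strength)."""
    remaining = passphrase.lower()
    for token in sorted((t.lower() for t in pii if t), key=len, reverse=True):
        remaining = remaining.replace(token, "")
    return len(remaining)

def audit(account, today):
    """Return the policy findings for one account; [] means nothing to flag."""
    findings = []
    length = effective_length(account.passphrase, account.pii)
    if length < MIN_LENGTH:
        findings.append("too_short")
    elif length < PREFERRED_LENGTH:
        findings.append("below_preferred_length")
    if length != len(account.passphrase):
        findings.append("contains_pii")
    if (today - account.last_changed).days > MAX_AGE_DAYS[account.risk]:
        findings.append("change_overdue")
    if account.internet_facing and not account.has_2fa:
        findings.append("missing_2fa")
    return findings

# Constructed sample accounts, not real data.
TODAY = date(2017, 9, 1)
SAMPLES = [
    Account("alice", "myfavoritecolorispizza", date(2017, 6, 1)),
    Account("bob", "bobsmith1975rocks", date(2017, 3, 1), risk="high",
            internet_facing=True, pii=["bob", "smith", "1975"]),
]
for acct in SAMPLES:
    print(acct.user, audit(acct, TODAY))
```

The second sample is 17 characters long on paper, but only 5 of them remain once the name and birth year are discounted, so it fails the length rule as well as the 90-day and two-factor rules.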