Password guidelines published by NIST (the National Institute of Standards and Technology) have changed. The rules most organizations still enforce require an uppercase character, a lowercase character, a number and a symbol, with a forced change every 90 days. The problem with that approach is that people have a hard time remembering such passwords, so they either write them down (a security violation, because anyone who finds the note can gain access to sensitive information) or change a single number or character on each reset to keep the password as close to the original as possible. This creates a headache for system administrators, who spend their time resetting passwords, and a security gap, because end users make the smallest modification that still satisfies the complexity rules.
This has changed. It is hard for people to remember a complex sequence of characters, so NIST revised its guidelines (Special Publication 800-63B) to provide better security with easier password management.
The composition requirement has been dropped in favor of long passphrases, typically a string of words. Words are easier to remember and can be built into a mnemonic. Length has always mattered more than character substitution, and the revised guidance makes that explicit; compare the following two passwords.
G00dP@ssW0rd = 12 characters. This meets the old complexity requirements, but it is just “GoodPassword” with predictable substitutions (0 for o, @ for a), exactly the kind of substitution that cracking tools apply automatically through rule sets, and average end users find it difficult to remember which characters were swapped.
PineAssortedStyleSheets = 23 characters. Under the old rules this would not have been an acceptable password. Password crackers work either by trying candidates from a dictionary (with variations) or by trying every possible combination of characters, and the cost of exhaustive search grows exponentially with length: this example has almost twice as many characters as the first, but its search space is many orders of magnitude larger. It is also easier to remember because it strings together ordinary words. One caveat: a passphrase is only as strong as the way its words were chosen. If an attacker can assume it is four common words, the search space shrinks to roughly 57 bits (four words from a 20,000-word list), so pick the words at random rather than from a familiar phrase, and use enough of them.
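To put numbers on the comparison above, here is an added example (not code from the original post) that estimates the search space of each password under two attacker models: pure brute force over the character classes present, and an attacker who knows the password is a concatenation of dictionary words. The guessing rate of 1e10 guesses per second and the 20,000-word dictionary are assumptions chosen for illustration.

```python
import math
import string

# Assumed attacker model for this illustration (not from the original post):
# an offline cracking rig making 1e10 guesses per second against a fast,
# unsalted hash. A slow hash such as bcrypt or Argon2 lowers this by orders of magnitude.
GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume: the union of every standard
    character class that appears in the password. Characters outside these
    classes (space, Unicode) are ignored, which under-estimates the alphabet."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def brute_force_keyspace(password: str) -> int:
    """Candidates an attacker trying every combination of the password's
    character classes at its exact length has to consider."""
    return charset_size(password) ** len(password)


def wordlist_keyspace(num_words: int, dictionary_size: int) -> int:
    """Candidates when the attacker knows the password is num_words words
    drawn from a dictionary_size-word list (a combinator attack)."""
    return dictionary_size ** num_words


def bits(keyspace: int) -> float:
    """Search space expressed in bits of entropy."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return keyspace / 2 / rate


def compare(password: str, num_words: int = 0, dictionary_size: int = 20_000) -> dict:
    """Summarise the password under both models. num_words > 0 means the
    attacker knows it is a passphrase of that many dictionary words."""
    seconds_per_year = 365 * 24 * 3600
    bf = brute_force_keyspace(password)
    result = {
        "length": len(password),
        "charset": charset_size(password),
        "brute_force_bits": round(bits(bf), 1),
        "brute_force_years": expected_crack_seconds(bf) / seconds_per_year,
    }
    if num_words:
        wl = wordlist_keyspace(num_words, dictionary_size)
        result["wordlist_bits"] = round(bits(wl), 1)
        result["wordlist_years"] = expected_crack_seconds(wl) / seconds_per_year
    return result


if __name__ == "__main__":
    # The two passwords discussed above; PineAssortedStyleSheets is treated as
    # four words from the assumed 20,000-word dictionary.
    for pw, words in (("G00dP@ssW0rd", 0), ("PineAssortedStyleSheets", 4)):
        print(pw, compare(pw, words))
```

The output makes the caveat concrete: by brute force the 12-character password is about 79 bits and the 23-character passphrase about 131 bits, but if the attacker can assume four common words the passphrase drops to about 57 bits, below the first password's brute-force figure. The model does not cover rule-based attacks at all, which is what actually breaks G00dP@ssW0rd: "goodpassword" plus a leet-speak rule is found in a handful of guesses regardless of the 79-bit figure.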
Businesses used to require password changes monthly, or every 90 days, depending on what their IT department demanded. The revised guidance is not to require periodic changes at all: a password should be changed only when there is evidence it has been compromised, for example after a breach. If a password is secure, keep using it. If it is compromised, replace it with a new secure one.
System administrators should check new passwords against lists of compromised and commonly used passwords and reject any that match. It is a good idea to make passwords longer than 12 characters, but make sure a password is not a single word, with or without character substitutions, because a dictionary attack can and will crack it.
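The checks described in the two paragraphs above, as an added example that is not part of the original post: a password acceptance routine with no composition rule, a length floor and ceiling taken from NIST SP 800-63B (at least 8 characters; at least 64 must be allowed), a single-dictionary-word check that sees through leet-speak substitutions, and a breach-list lookup done the way the Have I Been Pwned range API works (only the first five hex characters of the SHA-1 hash leave the client). The word list, the breach corpus and the 12-character recommendation are constructed for this example; a real deployment would back `range_lookup` with the remote API or a local copy of the corpus.

```python
import hashlib

# Length bounds from NIST SP 800-63B: minimum 8, and verifiers must permit at least 64.
MIN_LENGTH = 8
MAX_LENGTH = 64
RECOMMENDED_LENGTH = 12   # the post's own recommendation, not a NIST number

# Constructed stand-in for a dictionary of single words an attacker tries first.
COMMON_WORDS = {"password", "pineapple", "welcome", "sunshine", "dragon", "monkey"}

# Constructed stand-in for a breach corpus, kept as upper-case SHA-1 hex the way
# the Pwned Passwords range API exposes it, so no cleartext lives in policy code.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1", "G00dP@ssW0rd", "letmein123", "P@ssw0rd")
}

# Undo the usual digit/symbol substitutions before the dictionary check (G00d -> good).
LEET_MAP = str.maketrans("0134@$!", "oieaasi")


def range_lookup(prefix: str) -> set:
    """Simulated k-anonymity range query: given the first 5 hex characters of a
    SHA-1 hash, return the suffixes of every breached hash sharing that prefix.
    A real client sends only the prefix over the network and matches locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def is_single_word(password: str) -> bool:
    """True if the password is one dictionary word, ignoring case and substitutions."""
    return password.translate(LEET_MAP).lower() in COMMON_WORDS


def evaluate(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accept.
    Deliberately no composition rule: length and unpredictability are what count."""
    reasons = []
    n = len(password)   # counts code points, so spaces and Unicode are allowed and counted
    if n < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if is_single_word(password):
        reasons.append("single dictionary word")
    if is_breached(password):
        reasons.append("found in breach corpus")
    return reasons


def advice(password: str) -> str:
    """Soft guidance shown to the user; it never rejects a password on its own."""
    if len(password) >= RECOMMENDED_LENGTH:
        return "ok"
    return f"consider {RECOMMENDED_LENGTH}+ characters"


if __name__ == "__main__":
    for pw in ("G00dP@ssW0rd", "PineAssortedStyleSheets", "P1neappl3", "short"):
        print(pw, evaluate(pw) or "accepted", advice(pw))
```

Two design points worth keeping: the breach check compares hashes, not cleartext, and only the 5-character prefix would ever leave the host, so a compromised lookup service learns nothing useful; and the dictionary check normalises leet-speak first, because rejecting "pineapple" while accepting "P1neappl3" gives no real protection against a rule-based dictionary attack.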
CyndrTec administrators can be your IT management and security team. Passwords are the easiest security control to implement on your business or home network, and these new guidelines make enforcing a sensible password policy simpler and easier. Ask us today how CyndrTec can be “Your IT Foundation”!