Blog Post

Strengthen Passwords

Sep 20, 2016

Passwords are a continual problem.

We rely so much on them to secure our company systems, our secrets, our customers’ private information, and yet we typically leave it in the hands of our staff to choose their passwords safely.

That’s why passwords like “123456”, “qwerty”, “abc123”, “letmein”, “qazwsx”, “iloveyou”, “trustno1” and, yes, even “password” are so common.

Those are obviously all terrible passwords and yet they’re horrendously typical choices for users.
However, most users balk at the idea of coming up with a unique, nonsensical jumble of characters to secure their accounts.

One thing you can do to reduce the chances of users choosing poor passwords is to define rules that a password must meet before it is accepted.

The US National Institute of Standards and Technology (NIST) have taken on this challenge, and are developing proposed improvements to password requirements. The hope is that the proposed guidelines will be adopted as a template by organisations and developers outside of the US government.

According to NIST, these are some of the things you can do to improve your passwords:

Minimum length - NIST says passwords should be a minimum of eight characters long. Note that eight is a floor rather than a fixed figure; more sensitive accounts may require a larger minimum length for passwords.

Maximum length - If a maximum length limit has to be imposed at all, it should be no less than 64 characters. A limit that generous encourages users to choose a memorable passphrase rather than a short password.

No banned characters - NIST says that all characters should be allowed in a password. You can even use Unicode characters if you wish, which will no doubt please those addicted to their emojis.

No common passwords allowed - Applications and websites should check proposed passwords against a dictionary of commonly-used and known bad passwords. No more “password123”, “il0veyou”, or “baseball”.

No password hints - The problem with password hints is that they weaken authentication. “Rhymes with farce-word”. If you don’t allow users to store a password hint, there is no chance that it will be accessed (and abused) by an unauthorised party.

No periodic password changes unless evidence of compromise - Many think it’s a good idea to regularly change your passwords, but evidence suggests that it leads to poorer password choices by users. Of course, if there is a good reason to change a password then the password should be changed.
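To make the rules above concrete, here is an added example (not code from the original post or from NIST) of a validator that applies them: a minimum of eight characters, a maximum of 64, any character allowed, and a check against a list of known bad passwords. The blocklist is a small constructed sample, and the leet-substitution table and the NFKC normalization step are my own additions.

```python
import unicodedata

# Constructed sample of a "known bad" list; a real deployment would load
# a large, breach-derived blocklist instead.
COMMON_PASSWORDS = {
    "123456", "qwerty", "abc123", "letmein", "qazwsx", "iloveyou",
    "trustno1", "password", "password123", "baseball",
}

# Substitutions users make to dodge naive blocklists ("il0veyou").
LEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def normalize(password: str) -> str:
    # NFKC so that visually identical Unicode input compares (and, in a real
    # system, hashes) the same regardless of how it was typed.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, min_len: int = 8, max_len: int = 64) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    pw = normalize(password)
    problems = []

    # Length is counted in code points, not bytes, so an emoji or an
    # accented letter counts as one character. No character is rejected.
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")

    # Compare case-insensitively, both as typed and with common
    # digit/symbol substitutions undone.
    folded = pw.casefold()
    if folded in COMMON_PASSWORDS or folded.translate(LEET) in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "il0veyou", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```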

NIST’s password requirement proposals still require final approval, but the hope is that they will pass sooner rather than later.

And if other organisations outside the US federal government adopt the guidelines for their own password requirements, that has to be a good thing for the security of all of us.
