The US National Institute of Standards and Technology (NIST) has issued new guidelines for password security that turn accepted wisdom about creating long strings of letters, numbers, and symbols on its head.
NIST, a non-regulatory federal agency within the US Department of Commerce, issued the original advice in 2003 that became the global standard for password security. But it now says the advice led people to create predictably ‘complex’ passwords in a bid to remember them, which made them more vulnerable to hackers.
Instead, NIST now recommends:
- Don’t arbitrarily mix letters, numbers, and symbols to make a password. Instead, create passwords that are more memorable.
- Single dictionary words, the user’s street address or numeric sequences such as 1234567 should not be used.
- Organisations should screen the strength of their passwords against those used in cyber-criminal dictionary attacks: a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.
- Stop frequently changing passwords, for example, each month, as it leads to poor passwords being created.
If your password or PIN is captured, guessed or stolen, an attacker can potentially:
- send emails from your accounts
- withdraw money from your bank accounts
- change files on your computer
- pretend to be you.
Passwords and PINs should be a secret known only to you. Strong passwords are difficult to guess and should be at least 16 characters long.
Make passwords easy to remember
- Think of a pass-phrase that is made up of a string of words, for example, ‘horsestapleshop’.
- Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.
- Weak passwords are easy for criminals to guess, because they use automated software that can try thousands of passwords per minute.
- It is always better to create and use a strong password, write it down and keep it safe than to use a weak password.
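The screening the page recommends (reject single dictionary words, numeric runs such as 1234567, personal details such as a street address, and anything shorter than 16 characters, while allowing a memorable passphrase) can be implemented as a small check run at password-set time. The example below is added here and is not NIST's or the page's own code; `screen_password`, `is_acceptable`, `ATTACK_DICTIONARY` and the sample entries in it are constructed for illustration, and a real deployment would load a large list of dictionary words and leaked passwords instead.

```python
from __future__ import annotations

# Constructed sample data: a real deployment would load a large list of
# dictionary words and passwords recovered from breaches, which is exactly
# what dictionary attacks are built from.
ATTACK_DICTIONARY = {
    "password", "letmein", "qwerty", "welcome", "sunshine",
    "horse", "staple", "shop", "monkey", "dragon",
}

MIN_LENGTH = 16  # minimum length recommended on this page


def is_simple_sequence(s: str) -> bool:
    """True for runs such as 1234567, 7654321 or 7777777: every step between
    neighbouring characters is the same and is -1, 0 or +1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and next(iter(steps)) in (-1, 0, 1)


def screen_password(candidate: str, user_context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate fails screening (empty list = accepted).

    user_context holds strings specific to the user, e.g. their street
    address, that must not appear anywhere in the password.
    """
    problems = []
    lowered = candidate.lower()

    # Length: a passphrase made of several words passes this easily
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Single dictionary word or a password already used in dictionary attacks
    if lowered in ATTACK_DICTIONARY:
        problems.append("appears in the attack dictionary")

    # Numeric or alphabetic run such as 1234567, 7777777 or abcdefg
    if is_simple_sequence(candidate):
        problems.append("is a simple sequence or repeated character")

    # Personal information such as a street address (case-insensitive)
    for item in user_context:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")

    return problems


def is_acceptable(candidate: str, user_context: tuple[str, ...] = ()) -> bool:
    """Convenience wrapper: True only when no screening rule fires."""
    return not screen_password(candidate, user_context)


if __name__ == "__main__":
    for pw in ("password", "7777777777777777", "purple teapot rides the tram"):
        print(pw, "->", screen_password(pw) or "accepted")
```

Returning the full list of reasons rather than a single boolean lets the sign-up form tell the user what to change; the substring match on `user_context` is deliberately loose so that an address padded with other words is still caught.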
Practice password or PIN hygiene to keep them safe.
- Don’t use the same password for multiple services or websites.
- Don’t share your passwords with anyone.
- Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem.
- Don’t provide your password to a website you have accessed by following a link in an email – it may be a phishing trap.
- Be cautious about using password-protected services on a public computer, or over a public wi-fi hotspot.
- If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.
Treat PINs in the same way you would a password
- Don’t use obvious patterns like 1234, 4321 or 7777.
- Don’t use postcodes, birthdays or other significant dates and numbers.
- PINs should be a random mix of numbers, characters, and letters where possible.
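The PIN rules above (no obvious patterns such as 1234, 4321 or 7777; no postcodes, birthdays or other significant dates) can be enforced the same way, by comparing the chosen PIN against the digit forms of dates and numbers the user has supplied. This example is added here and is not the page's own code; `screen_pin`, `date_digit_forms` and the sample dates and numbers are constructed for illustration, and the check works on the PIN as typed so that letters are allowed where a system supports them.

```python
from __future__ import annotations

from datetime import date


def is_simple_sequence(s: str) -> bool:
    """True for 1234, 4321 or 7777: neighbouring characters differ by a
    constant step of -1, 0 or +1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and next(iter(steps)) in (-1, 0, 1)


def date_digit_forms(d: date) -> set[str]:
    """All the ways a date is commonly typed as digits: DDMM, MMDD, DDMMYY,
    YYMMDD, MMDDYY, DDMMYYYY, MMDDYYYY, YYYYMMDD and the bare year."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, dd + mm + yy, yy + mm + dd, mm + dd + yy,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd, yyyy}


def screen_pin(pin: str,
               significant_dates: tuple[date, ...] = (),
               significant_numbers: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a PIN fails (empty list = accepted).

    significant_dates: birthdays or anniversaries the user might pick.
    significant_numbers: postcodes, house numbers, phone numbers, etc.
    """
    problems = []

    # Obvious patterns: ascending, descending or repeated characters
    if is_simple_sequence(pin):
        problems.append("obvious pattern (sequence or repeated character)")

    # Any common digit form of a significant date
    for d in significant_dates:
        if pin in date_digit_forms(d):
            problems.append(f"matches significant date {d.isoformat()}")
            break

    # A postcode or other number, either equal to the PIN or overlapping it
    # (only numbers of 4+ digits are compared, to avoid trivial matches)
    for n in significant_numbers:
        if n and len(n) >= 4 and (pin in n or n in pin):
            problems.append(f"contains significant number {n!r}")
            break

    return problems


if __name__ == "__main__":
    birthday = date(1985, 3, 14)          # constructed sample value
    for pin in ("1234", "1403", "3000", "8q2x"):
        print(pin, "->", screen_pin(pin, (birthday,), ("3000",)) or "accepted")
```

Because the date forms are generated from the user's own dates rather than by parsing the PIN as a date, ordinary four-digit PINs that merely look like a day and month are not rejected; only dates the user actually told the system about are.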
Use a password manager
You can install a password manager on your computer, smartphone or tablet. It will generate and remember secure passwords for you, and some password managers will sync between your devices. The downside is that if the password manager is breached, all your information is accessible. So create one strong, memorable password for the password manager itself, using the guidelines above.