Network security password guidelines IT professionals have relied on for years are just plain wrong. You heard us: WRONG! Creating strong, complicated passwords and changing them frequently doesn’t protect organizations against cybersecurity breaches. This practice makes it easier for computers to hack and harder for humans to remember.
If your users use irregular capitalization, special characters, and at least one numeral when creating passwords, you have a problem with end-user security. If your users are mandated to change their “strong” passwords every 90 days, you’ve got a bigger cybersecurity problem.
Don’t just take it from us: this is according to the former National Institute of Standards and Technology (NIST) manager. Ya know, the guy who wrote the original guidelines. As of August 2017, the former NIST manager announced that his document, titled “NIST Special Publication 800-63, Appendix A,” was incorrect. From this document, IT professionals have been led to believe that creating complex passwords and changing them often was a sure-fire way to have stronger network security. But it has actually had the opposite effect.
“Much of what I did I now regret,” says Bill Burr, former NIST manager, who is 72 years old and now retired.
The ways to arm your organization against cybersecurity attacks have been updated… and start with your employees (who are often to blame for a high percentage of network security breaches).
The problem with complex passwords is that humans suck at being random.
Most users use the same exact strategies to change their easy-to-guess passwords into something complex. For example, changing “password” to “P@ssW0rd123,” which password-cracking tools can still guess fairly easily because those substitutions are predictable. A popular xkcd comic explains this principle by comparing two passwords, “Tr0ub4dor&3” vs. “correct horse battery staple.” It’s important to remember that you should build passwords that are difficult for a computer to guess, not necessarily just a human.
Also, by mandating changes to complex passwords so often, employers have pushed employees into lazy workarounds that reuse the same easy-to-guess password multiple times. Who hasn’t just added 123 or a special symbol to the end of a previously used password? Educate your users on the latest password information and follow the updated “NIST Special Publication 800-63-3”.
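To make the point concrete, here is an added example (not from the original post, and not NIST’s own code) of the kind of check the updated NIST guidance favours: a minimum length plus a comparison against a blocklist of common passwords, with no composition rules and no forced rotation. The blocklist and the leet-substitution table are constructed for illustration; the normalization step is an assumed heuristic that collapses “P@ssW0rd123” back to “password” so the predictable tricks above don’t slip past the blocklist.

```python
import re

MIN_LENGTH = 8  # NIST SP 800-63B floor for user-chosen memorized secrets

# Constructed sample blocklist. A real deployment uses a large list of
# known-breached and common passwords, as NIST SP 800-63B calls for.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "admin",
             "troubador", "monkey", "dragon"}

# Assumed "leet" substitution table (not from NIST): the predictable swaps
# people make when a policy demands digits and symbols.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})


def normalize(password: str) -> str:
    """Undo the usual tricks so 'P@ssW0rd123' collapses to 'password'."""
    core = password.lower()
    core = re.sub(r"[0-9\W_]+$", "", core)   # drop the "123" / "!" tail first
    core = re.sub(r"^[0-9]+", "", core)      # and a leading year or counter
    return core.translate(LEET)              # then undo letter-for-symbol swaps


def check_password(password: str, blocklist=BLOCKLIST):
    """Return (accepted, reason). Length and blocklist only: no composition
    rules and no expiry, in line with the updated NIST guidance."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    core = normalize(password)
    if core in blocklist:
        return False, f"variant of blocklisted word '{core}'"
    # A blocklisted word that makes up most of the password is still weak
    # (e.g. "mypassword1" or "!Password1!").
    for word in blocklist:
        if word in core and len(word) / max(len(core), 1) >= 0.6:
            return False, f"built around blocklisted word '{word}'"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssW0rd123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

Run as-is, the script rejects both “P@ssW0rd123” and “Tr0ub4dor&3” as dictionary-word variants and accepts the passphrase, which is the xkcd comparison in code.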
Strongly discourage employees from saving passwords in their default browsers.
As we wrote about in an earlier vBlog on end-user security, we demonstrated how easy it is to reverse-engineer passwords saved in a browser. (Hint: it’s frighteningly easy.) Senior Technical Instructor Mike Vasquez hacked his own password on his Facebook account from a saved password in the browser. He did so without any special software, and this technique leaves no trace that it was performed. All he needed was access to the computer for less than 5 minutes. This hack can be used on most browsers and sites, including banks, intranets, etc.
Not to mention even without this technique, if someone were to access an employee’s computer, all the passwords in the browser would be keyed up automatically and ready to use. Saving passwords in default browsers is not secure for a variety of reasons.
Implement a password management system and security expectation.
At a minimum, make sure that your password security expectations are laid out in an employee handbook. Consider everything from discouraging password sharing to how to build a great password. Only 41% of organizations have a formalized security policy included in their employee handbook. Encourage long passwords from the get-go as an expectation for all current and new employees.
Another solution would be to mandate a password manager of some kind. There are solutions that range from individual password management to corporate-wide password management. Examples of reputable corporate-level password managers would be LastPass or KeePass. These platforms work by collecting passwords used on various sites for recall but all passwords are protected behind a master password. Consider a solution that would allow for personal and work passwords to be managed separately. That way, the user still gets their ease of use from a password manager, but you maintain control of passwords in case of termination or breach.
Network security would be a lot easier without the users. However, they aren’t going anywhere anytime soon. So we’ve put together 14 other reasons why your employees are bound to screw up your best efforts in cybersecurity management. Don’t worry, we’ve also included some tips on what to do about it. Download it today!