The experts at NIST have created a simple Cybersecurity Basics page[1] that takes technical information down to a set of guidelines for small business owners and managers. For a simpler, more practical collection of guidelines, try the Secure Our World website, https://www.cisa.gov/secure-our-world run by the Cybersecurity & Infrastructure Security Agency (CISA). It is targeted at an audience of consumers without a technical background, which makes it a good source of information you can share with friends and family to help them deal with common threats.[2]
See: https://redskyalliance.org/xindustry/password-security
The following is a list of seven rules to follow when it comes to passwords.
- Make sure all your passwords are strong enough -
What makes a password strong?
- It is long enough: at least 12 characters, and ideally more.
- It is random: a mix of upper- and lower-case letters, numbers, and symbols that is not found in a dictionary and does not include any part of your name or the name of the service it unlocks.
- It is not easy to guess.
Of all those factors, experts agree that length is the most important. In fact, the experts at NIST say that recent analyses of breached password databases show that having a longer password is far more important than trying to make it complex. Passphrases made up of three or more unrelated words separated by symbols and numbers can be effective as well.
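The three criteria above (length, randomness, not guessable from your name or the service) can be checked mechanically, and the "length beats complexity" point can be made numerically. The following is an added example written for this page, not code from NIST, CISA or Red Sky Alliance; the word list, the user name "Alice Smith" and the service name "ExampleBank" are constructed sample data.

```python
import math
import re

# Constructed stand-in for a real wordlist (assumption; a real checker uses a
# full dictionary plus lists of passwords seen in breaches).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "summer"}


def charset_size(pw: str) -> int:
    """Size of the pool a password of this shape draws each character from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and symbols
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Entropy if every character were picked uniformly at random from the pool.
    This is an upper bound; a human-chosen password has far less."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn at random from a wordlist. Separators add a
    little on top, but the number of words is what dominates."""
    return n_words * math.log2(wordlist_size)


def check_password(pw: str, user_name: str, service_name: str, min_len: int = 12) -> list:
    """Return the problems found; an empty list means the three rules are met."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    low = pw.lower()
    for part in user_name.lower().split():
        if len(part) >= 3 and part in low:
            problems.append(f"contains part of your name ({part})")
    if service_name.lower() in low:
        problems.append("contains the name of the service it unlocks")
    letters_only = re.sub(r"[^a-z]", "", low)
    if letters_only in COMMON_WORDS:
        problems.append(f"built on a dictionary word ({letters_only})")
    return problems


def length_beats_complexity() -> tuple:
    """Entropy of an 8-character, four-class password versus 16 random lowercase letters."""
    short_complex = "Xk7$mQ2!"          # 8 chars: upper, lower, digit, symbol
    long_simple = "qzvmwhtrbkdnpxlf"    # 16 chars: lowercase only
    return estimated_entropy_bits(short_complex), estimated_entropy_bits(long_simple)


if __name__ == "__main__":
    print(check_password("Welcome2024!", "Alice Smith", "ExampleBank"))
    print(check_password("AliceSmith2024!!", "Alice Smith", "ExampleBank"))
    print(check_password("gX#9vLq2!tRw7pZm", "Alice Smith", "ExampleBank"))
    print(length_beats_complexity())
    print(passphrase_entropy_bits(5, 7776))
```

`length_beats_complexity()` returns roughly 53 bits for the short four-class password and 75 bits for the longer lowercase-only one, which is the page's point in numbers: adding eight characters does more than adding three character classes. `passphrase_entropy_bits(5, 7776)` shows that five words from a 7776-word list give about 65 bits, comfortably more than the short "complex" password.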
- Use a password manager -
The average person has dozens of passwords. An extremely online person might have hundreds of credentials. No human can memorize even a handful of long, random, unique passwords. This is why you should use a password manager, which offloads the work of creating unique, impossible-to-guess passwords and saves them in a secure, encrypted enclave.
Technically, a pen-and-paper notebook can do part of that job. A software-based password manager does so much more: it instantly creates truly random passwords, saves your credentials in an encrypted database, and syncs everything across multiple devices.
The most important layer of protection, though, is one that is not immediately obvious. Your password manager knows which domain (or domains) are associated with a saved set of credentials and will not enter a password on a domain that is not authorized. If a skilled attacker crafts an email that fools you into thinking it is from your bank or broker, and you click a link that goes to a fake domain, the password manager will refuse to enter your credentials.
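The domain check described above is the part of a password manager that defeats a convincing fake login page. Below is an added example of that logic, written for this page rather than taken from any real password manager; the vault entries, site names and passwords are constructed sample data. Real managers match on the registrable domain using the public suffix list; this example assumes the saved `domain` field already is the registrable domain.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Credential:
    domain: str      # registrable domain the login was saved for, e.g. "examplebank.com"
    username: str
    password: str


# Constructed vault contents (assumption: sample entries, not real accounts).
VAULT = [
    Credential("examplebank.com", "alice", "gX#9vLq2!tRw7pZm"),
    Credential("mail.example.org", "alice@example.org", "kx9Q#rT2pLm!vWz4"),
]


def host_matches(host: str, saved_domain: str) -> bool:
    """True only if host IS the saved domain or a subdomain of it.
    'www.examplebank.com' matches; 'examplebank.com.evil.test' and
    'evilexamplebank.com' do not, because the comparison is on whole labels,
    not on substrings."""
    host = host.lower().rstrip(".")
    saved = saved_domain.lower().rstrip(".")
    return host == saved or host.endswith("." + saved)


def credentials_for(url: str) -> list:
    """Entries a manager would offer to fill on this page; empty means it refuses."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return []                       # never autofill over plaintext HTTP
    host = parsed.hostname or ""
    return [c for c in VAULT if host_matches(host, c.domain)]


def autofill_decision(url: str) -> str:
    """Human-readable outcome for a page URL."""
    matches = credentials_for(url)
    if not matches:
        return f"REFUSE: no saved login is bound to {urlparse(url).hostname}"
    return f"FILL: {matches[0].username} for {matches[0].domain}"


if __name__ == "__main__":
    for u in [
        "https://www.examplebank.com/login",            # legitimate subdomain
        "https://examplebank.com.login-verify.test/",   # saved domain used as a prefix
        "https://evilexamplebank.com/",                 # saved domain used as a suffix
        "http://examplebank.com/",                      # right host, no TLS
    ]:
        print(u, "->", autofill_decision(u))
```

The user who clicked the link in a convincing email sees the same login form either way; the manager does not, because it compares the page's host label by label against the domain it stored, and a page on a different domain gets nothing.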
- Never reuse a password -
It is a natural human instinct to have a favorite set of credentials (username and password) that you reuse on multiple sites. That makes things easier to remember, but it also ensures that a data breach at one site will give attackers access to that set of credentials, which they will in turn try on other sites that were not affected by the breach.
A good password manager should flag reused passwords and offer to create strong, unique replacements.
Simply tacking an exclamation point or a number on the end of your old password does not qualify as creating a new password. Neither does creating a new variation of one of your commonly used passwords.
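A manager that flags reuse has to treat "Summer2023!", "summer2024" and "5umm3r!!" as the same password, which is exactly the variation the paragraph above says does not count as new. The following added example shows one way to do that; it is written for this page and is not the code of any real password manager. The vault contents are constructed sample data, and the normalization is a deliberately simple heuristic (case, a tacked-on suffix, common letter-for-number substitutions), not an exhaustive one.

```python
import re
import secrets
import string
from collections import defaultdict

# Common "leet" substitutions people use to disguise a reused word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a", "5": "s", "7": "t"})

# Constructed vault of (site, password) pairs. Assumption: sample data only.
VAULT = [
    ("examplebank.com", "Summer2023!"),
    ("mail.example.org", "summer2024"),
    ("shop.example.net", "5umm3r!!"),
    ("vpn.example.com", "Summer2023!"),
    ("forum.example.com", "kx9Q#rT2pLm!vWz4"),
]


def normalize(pw: str) -> str:
    """Collapse the tweaks used to fake a 'new' password: case, a number or
    symbol tacked on the end, and leet substitutions. Heuristic: it catches the
    common variations the page describes, not every possible one."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # "summer2023!" -> "summer" (strip the suffix first)
    return core.translate(LEET)            # "5umm3r" -> "summer"


def find_reuse(vault) -> dict:
    """Group sites whose passwords are identical or trivial variations of one another.
    Returns {normalized_core: [sites]} for every group with two or more sites."""
    groups = defaultdict(list)
    for site, pw in vault:
        groups[normalize(pw)].append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def suggest_replacement(length: int = 20) -> str:
    """A random replacement, the way a manager would offer one. `secrets` is the
    CSPRNG; `random.choice` would be the wrong tool for a password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for core, sites in find_reuse(VAULT).items():
        print(f"'{core}' is shared (in some variation) by: {', '.join(sites)}")
        for site in sites:
            print(f"  {site}: replace with {suggest_replacement()}")
```

Run against the sample vault, four of the five entries collapse to the single core "summer" and are reported together; only the random password on the forum stays unique. Each flagged site gets its own fresh replacement, which is the behaviour the paragraph above asks a good manager to have.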
- Avoid password hints -
The whole idea of a password hint is that it's made up of some word or name or date that is meaningful to you. That kind of password is easy to guess, and adding a password hint makes the job even easier for someone who wants to break into your accounts. The best password hint is four words: "Check your password manager."
- Change default passwords -
One of the most insidious ways for attackers to break into a home or business network is to go through a device on that network, using vulnerabilities in its management interface. That could be your Wi-Fi router, for example, with a default password that is often just "password". IP-based cameras and doorbells you install as part of a home security system are also possible entry points.
If you have any of those devices on your network, replace those default passwords with more robust credentials.
- Use multi-factor authentication whenever possible -
No matter how strong you make your passwords and how carefully you try to protect them from being compromised, breaches happen.
The most effective protection is to ensure that no one can sign in to your accounts on a new device unless they can provide a second form of identification, ideally using an authenticator app on a device you own. (Codes sent to your phone using SMS are an acceptable option but are at greater risk of being taken over by a determined attacker.)
Even if you do not turn on 2FA for every account, you should insist on a second factor for high-value accounts such as email, banks, and brokers.
- Do not change your passwords unless you must -
Experts agree that changing passwords regularly isn't necessary, and that organizations requiring users to change their password for no reason are making their networks less secure.
People who are forced to change passwords regularly are likely to choose a weak, easy-to-guess password. If you have chosen a strong and unique password, there is no need to change it under normal circumstances.
When should you change your password? You should replace a password if it is weak or if it is a duplicate of one you use elsewhere. You should also change any password at the first hint that it has been compromised as part of a data breach.
If your IT department or an online service insists on forcing a password change, you should do as they say. Just let your password manager create the longest, strongest password that meets their demands.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics
[2] https://www.zdnet.com/article/7-password-rules-to-live-by-in-2024-according-to-security-experts/