When is the last time your organisation updated its password policy or sent out guidance to employees around creating safe and secure passwords? It’s been a year since we last updated our guidance on creating safe and secure passwords, so we thought it’s about time for our 2020 edition of “how to keep your accounts secure”. Specifically, we’ll be looking at current best practice for creating passwords & passphrases and how to leverage multi-factor authentication.
Just a few years ago, if you asked someone how to create a safe password, most people would say the same thing: use a mixture of upper- and lower-case letters, symbols and numbers so that it’s too complex for hackers to guess, and you should be safe.
Fast-forward to 2019, however, and you will find more and more people recommending that you use a ‘passphrase’ instead. But what is a passphrase, and why are experts all recommending we use them instead of the traditional password?
There are two main reasons that passwords are becoming outdated – cyber criminals using increasingly sophisticated tools to crack them, and plain old human error when people create them.
Another day, another data breach, it seems. On Friday, Quora became aware of an incident involving an “unauthorised third party” accessing data from 100 million users of the Q&A platform, and yesterday it began to notify users in an attempt to contain the incident. Quora tweeted late last night, “We have discovered that some user data was compromised by unauthorized access to our systems. We’ve taken steps to ensure that the situation is contained and are notifying affected users. Protecting your information is our top priority” and directed users to a blog post with further information.
“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility”
– Quora CEO Adam D’Angelo
NIST is the US National Institute of Standards and Technology, and back in 2003, a password primer was written by one of its managers that put forward recommendations, many of which became the rules we have now. Special characters, a mixture of upper- and lower-case letters, regular password changes – these have all been adopted into ‘best practice’ for password security since NIST made those recommendations. Now, however, these complexity guidelines and regular password changes have been repeatedly shown by experts to actually be less secure for companies, because of the work-arounds humans put in place to make remembering passwords easier. NIST has thankfully acknowledged the mistake and provided updated best practice standards for password security. Why the sudden change of heart, you may ask? Well, over a billion passwords a year are breached by cyber criminals, and the data obtained shows that when presented with a long list of password criteria, people tend to try something basic first and then just tweak it until it fits. For example, ‘password’ becomes ‘Password1’, which may be more mathematically secure, but can be easily guessed instead.
Previously established guidelines are mostly being discarded, in favour of rules that simplify passwords for the user
No one looks forward to those mandatory password changes every few months, as it can be incredibly frustrating to constantly think of new passwords with the right mixture of capital letters, special characters and numbers. In fact, many people try to simplify the process by using a variation of their previous password – ‘Password1’ becomes ‘Password2’, and so on. The entire basis for issuing new guidelines stems from one simple fact: people can’t remember all the passwords that they have been forced to create, ultimately causing them to create less secure passwords than if they didn’t have to adhere to the guidelines in the first place. So with all that in mind, here’s a breakdown of the new best practices and why they’re easier and more secure:
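As an added illustration (not code from the original post), here is a Python comparison of a legacy composition rule against a check modelled on the current NIST guidance (SP 800-63B: a length requirement plus a blocklist of known-bad passwords, with no composition rules). The three-of-four character-class rule, the tiny blocklist and the tweak-normalisation step are assumptions made for the demo; a real deployment would check against a large breached-password corpus.

```python
import re
import string

# Constructed stand-in for a breached/common-password blocklist (assumption:
# a real check uses a large corpus, these few entries are just for the demo).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "123456", "12345678"}

# Common letter-for-symbol substitutions people use to satisfy complexity rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def legacy_policy_ok(pw: str) -> bool:
    """2003-era style rule (assumed for the demo): at least 8 characters and
    at least three of the four classes upper, lower, digit, symbol."""
    classes = [
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def normalise(pw: str) -> str:
    """Undo the predictable tweaks described above: case, appended digits or
    symbols ('Password1', 'Password2', 'P@ssw0rd1!') and leet substitutions,
    so the result can be compared against the blocklist."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation) or lowered
    return stripped.translate(LEET_MAP)


def modern_policy_ok(pw: str, blocklist=COMMON_PASSWORDS) -> bool:
    """NIST SP 800-63B style check: length within bounds, no composition rules,
    but reject known-bad passwords and their trivial variants."""
    if len(pw) < 8 or len(pw) > 64:
        return False
    return pw.lower() not in blocklist and normalise(pw) not in blocklist


if __name__ == "__main__":
    for candidate in ["Password1", "Password2", "P@ssw0rd1!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} "
              f"modern={modern_policy_ok(candidate)}")
```

Run it and the predictable variants ‘Password1’, ‘Password2’ and ‘P@ssw0rd1!’ all satisfy the legacy rule yet fail the modern check, while the long passphrase does the reverse.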