CISOs are starting to transition their organizations to passwordless environments. However, for the time being, passwords will still be around. So here’s some advice from the U.S. National Institute of Standards and Technology (NIST) and others on how to create and manage passwords that protect users from, well, themselves – and from the fate of our friend in the video:
First, have a password policy. That includes setting the minimum length and what cannot be in a password (for example, the user’s name, the organization’s name, the name of the organization’s products).
It will help to have a list of prohibited passwords (the usual ones — 123456, qwerty, any dictionary word, passwords commonly found in known data breaches) that a login application can automatically reject.
Encourage staff to choose easier-to-remember passphrases rather than passwords. To help them, allow passwords/phrases of at least 64 characters in length.
Experts are divided on two crucial pieces of a policy:
- whether passwords should include numbers and special characters. Some, including NIST, say a long easy-to-remember passphrase is better than a 10-character scrambled password;
- whether passwords should be regularly rotated. Some say a long password should eliminate the need to regularly change passwords for all but those with high access privileges.
Clearly tell staff how to create and change memorized secrets (aka passwords), NIST says. And provide clear, meaningful and actionable feedback when newly created passwords are rejected as inadequate.
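The policy elements above (minimum length, room for 64-character passphrases, a blocklist of common and breached passwords, no user or organization names, and actionable feedback on rejection) can be enforced at login or enrolment. The following is an added example, not code from the article or from NIST; the 12-character minimum, the tiny blocklist and the names are constructed assumptions for illustration.

```python
# Added example: a password-acceptance check that applies the policy described
# in the article and returns user-facing reasons when it rejects a candidate.
import unicodedata

MIN_LENGTH = 12   # assumption: the article sets no specific minimum
MAX_LENGTH = 64   # article: allow passphrases of at least 64 characters

# Constructed sample blocklist. A real one holds millions of entries drawn from
# breach corpora and dictionary words; the shape of the check is the same.
BLOCKED = {"123456", "qwerty", "password", "letmein", "welcome1"}


def forbidden_terms(username, org_name, products=()):
    """Strings that must not appear anywhere in a password (empty ones skipped)."""
    return [t for t in [username, org_name, *products] if t]


def check_password(candidate, username, org_name, products=(), blocked=BLOCKED):
    """Return (accepted, reasons). Each reason tells the user how to fix it."""
    # Normalise Unicode first so visually identical inputs are one secret,
    # measured and compared the same way every time.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"Use at least {MIN_LENGTH} characters; "
                       "a phrase of several words works well.")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"Use at most {MAX_LENGTH} characters.")
    low = pw.casefold()
    # Blocklist comparison is case-insensitive; the whole password is looked up,
    # since the list is meant to hold complete common or breached passwords.
    if low in {b.casefold() for b in blocked}:
        reasons.append("That password appears on a list of commonly used or "
                       "breached passwords; please choose a different one.")
    for term in forbidden_terms(username, org_name, products):
        if term.casefold() in low:
            reasons.append(f"Do not include '{term}' (your name, the "
                           "organization, or a product name).")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Paris4$pringVacation", "qwerty", "my acme widget phrase"]:
        ok, why = check_password(pw, "alice", "Acme", ["Widget"])
        print(pw, "->", "accepted" if ok else "; ".join(why))
```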
Even if passwords have to be used, they must be strengthened by two-factor authentication. And the second factor should be delivered through an authenticator app and not an easily-intercepted SMS text.
Second, make sure the help desk has a tough verification policy for anyone who wants to change their password or any identifiable characteristic, such as the phone number to which 2FA codes are sent. That may mean answering a secret question or having a PIN on the account that is separate from the PIN on their smartphone.
Employees allowed to bring their own devices need to protect themselves by having a PIN on their carrier’s account as well.
Third, consider getting an enterprise-grade password manager that employees must use so they don’t have to remember passwords/passphrases. There’s nothing wrong with writing passwords down, says Microsoft. Just don’t keep them in a place where the list can be stolen (like a sticky note on your computer monitor).
Rather than writing down a password, let staff write down a hint that reminds them of what the password is. So if a password is “Paris4$pringVacation” they could write down “Your favorite trip.”
Finally, tell staff that it’s not only important to choose safe passwords for work, but for their personal applications as well. They’ll appreciate that your concern is broader than the organization; you have their personal safety in mind too.