Getting passwords right for you and your business

Chances are you’ve never heard of the National Institute of Standards and Technology (NIST) Special Publication 800-63, Appendix A. But you’ve been using its contents from your first online account and password until today. That’s because, within it, you’ll find the first password rules such as requiring a combination of a lowercase and uppercase letter, a number, and a special character — and the recommendation of changing your password every 90 days.

There’s only one problem. Bill Burr, who originally set up these rules, thinks he blew it. “Much of what I did I now regret,” Burr told the The Wall Street Journal a few years ago.

Why? Because most people can’t be bothered to make significant changes when it’s time to update the password. For example, instead of “Abcdef1?” we change it to “Abcdef1!” then “Abcdef.” and so on and so on.

Because we hate these rules, we end up using totally lame passwords like “123456” and “password” instead. Any ordinary cracking program will take less than a second to break any of these. You might as well not use a password at all.

And, if you do it “right,” you end up with passwords that are fiendishly hard to remember. I can remember semi-arbitrary strings such as xkcd936!EMC2; most people can’t.

Instead, both the NIST and cartoonist Randall Munroe have a better idea: Use passphrases instead of passwords. A passphrase, such as “ILoveUNCbasketballin2021!” is both easy to remember, and even though it contains real words, it’s relatively hard to crack.

Still, since every service in the world now requires a password, we often use the same passwords over and over. Easy to remember? Yes. Easy to break once any site’s passwords are cracked? Even more so. The 2019 Collections data breach revealed more than 2.19-billion email addresses and their associated passwords. With a new security breach happening almost weekly, it’s not “whether” your passwords will be revealed, it’s when. 

“Not you?” Ha! Do yourself a favor and check your email ID with the HaveIbeenPwned service and prepare to drop your jaw. I’m supposed to be a security expert and my main email account has had passwords revealed in 27 — count ’em 27 — data breaches.

So, while using passphrases instead of passwords is nice, it’s not enough. I’ve got two other recommendations for you and your employees.

First: pick a corporate standard password manager and require all your employees to use it. This gives you two advantages. Most can automatically generate long arbitrary strings, and secondly, your people never have to remember anything but one master password; the program keeps track of all the others.

Which password manager? I’m fine using Google Chrome’s built-in password manager for everything that runs via a web browser. But I know not everyone trusts Google.

On the opposite side of the so-easy-to-use-it’s-almost-invisible baked-in manager in Chrome, there’s the open-source KeePass. With this, you keep the passwords on local machines (which has its own problems for corporate security) or on a cloud service. KeePass requires expert administration to work well, but if you’re already using Linux as the foundation for your IT department, your staffers are probably up to the challenge.

Finally, I also like LastPass. This is probably the most popular password manager. That’s a mixed blessing. It has so many users because it’s simple and keeps everything on its own cloud service. That’s the good news. The bad news is it’s so popular it’s often targeted by hackers.

The crooks have only broken into LastPass once, in 2015. Even then, the hackers didn’t make it into customers’ passwords. Since then, LastPass has improved its internal security.

Could LastPass — or any of the others — be cracked? Of course. Security isn’t a product, it’s an eternal struggle. But any password manager used correctly will go a long way to securing your systems.

Finally, passwords alone aren’t enough. You really need to adopt two-factor authentication (2FA) to protect your company. With 2FA, you’re required to have two out of three kinds of credentials to access an account. These are:

  • Something you know or can be given; this is commonly known as a one-time PIN.
  • Something you have, such as a secure ID card or a hardware security key.
  • Something you are, which includes biometric factors such as a fingerprint, retinal scan, or a voice print.

There are three basic ways to do this. First, you can use a 2FA program that generates a PIN, which is then sent to you via a text message. While that’s easy to use, if someone really wants to break into your accounts, chances are they can. NIST now recommends you don’t use text-based 2FA.

Next up is to use a 2FA program to generate PINs. Commonly, 2FA authenticator apps are both helpful and safe, and you can run these on your smartphone without the dangers of SMS. Popular options include Authy, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator.

Finally, if you really want to lock down your people’s accounts and computers, use 2FA hardware. You can buy these devices for between $20 and $60. Some of the best are Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis Fido UCF Security key, Yubikey 5 NFC, and YubiKey 5C. Just plug them into the computer, and your employees are ready to go.

Is this a lot more trouble than writing down passwords on a sticky note on your PC? Yes, it is. But it’s also much safer — and between password managers and 2FA applications or devices, it’s not hard to do.

Me? I want my company’s data to stay safe in my hands and not in Joe Hacker’s paws.

Next read this: