You may never have heard of National Institute of Standards and Technology (NIST) Special Publication 800-63, Appendix A. But you have been living with its contents from your first online account and password to this day. That is because it set out the original password rules: requiring a mix of lowercase and uppercase letters, numbers, and special characters, and recommending that you change your password every 90 days.
There is just one problem. Bill Burr, who originally wrote those rules, thinks he got it wrong. “Much of what I did I now regret,” Burr told The Wall Street Journal years ago.
Why? Because most people can't be bothered to make meaningful changes when they update their passwords. “Abcdef1!” becomes “Abcdef1?”, then “Abcdef”, and so on.
People hate these rules so much that they end up with thoroughly inadequate passwords instead, like “123456” or “password”. A typical cracking program needs less than a second to break either of those. You might as well not use a password at all.
And if you do follow the rules “correctly”, you end up with a password that is very hard to remember. Can you recall a semi-random string such as “xkcd936!EMC2”? Most people can't.
Instead, both NIST and cartoonist Randall Munroe have a better idea: use a passphrase rather than a password. A passphrase such as “I Love UNC basketball in 2021!” is easy to remember and, even though it contains real words, relatively hard to crack.
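To put numbers on the claims above, here is an added example (not code from the original article) that estimates how much work a guesser faces for a rule-compliant password like “Abcdef1!” versus a random-word passphrase. The word list, the 100,000-entry dictionary size and the 10 billion guesses per second rate are assumptions chosen for illustration; the point it shows is that a composition-rule password is cheap to guess once its word-plus-digit-plus-symbol shape is known, while a passphrase's strength comes from the number of words, not from the words being obscure.

```python
import math

# Constructed stand-in for a cracker's word list; real lists hold ~100k entries,
# so DICT_SIZE (an assumption), not len(COMMON_WORDS), is what a dictionary hit is charged.
COMMON_WORDS = {"abcdef", "password", "basketball", "love", "unc"}
DICT_SIZE = 100_000
PUNCT = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ "  # 33 printable non-alphanumerics, space included
SYMBOLS = len(PUNCT)


def brute_force_bits(password: str) -> float:
    """Bits a naive 'try every character combination' attack must cover."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOLS
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pattern_aware_bits(password: str) -> float:
    """Bits once the guesser knows the composition-rule habit: a dictionary word,
    maybe capitalised, then a few digits, then a symbol or two. Falls back to the
    brute-force figure when the password does not fit that shape."""
    core = password.rstrip(PUNCT)
    n_symbols = len(password) - len(core)
    word = core.rstrip("0123456789")
    n_digits = len(core) - len(word)
    if word.lower() not in COMMON_WORDS:
        return brute_force_bits(password)
    bits = math.log2(DICT_SIZE)             # which word
    bits += 1.0                             # first letter capitalised or not
    bits += n_digits * math.log2(10)        # digit suffix
    bits += n_symbols * math.log2(SYMBOLS)  # symbol suffix
    return bits


def passphrase_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Bits of a passphrase of n_words drawn at random from a public list
    (7776 is the size of a standard diceware list); the words being real is irrelevant."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for a guesser at the given rate to try every possibility."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed guessing rate against a fast, unsalted hash
    for pw in ("Abcdef1!", "xkcd936!EMC2"):
        print(pw, "brute bits:", round(brute_force_bits(pw), 1),
              "pattern bits:", round(pattern_aware_bits(pw), 1),
              "seconds:", round(seconds_to_exhaust(pattern_aware_bits(pw), rate), 3))
    years = seconds_to_exhaust(passphrase_bits(5), rate) / 31_536_000
    print("5-word passphrase bits:", round(passphrase_bits(5), 1), "years:", round(years))
```

Run as a script it prints the comparison; the “Abcdef1!” estimate lands under a second at the assumed rate, which is the page's “less than a second” claim made concrete, while the five-word passphrase takes decades.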
Still, every service on earth wants a password, so you often end up reusing the same one. Easy to remember? Sure. Easy to break once that password leaks from any one site? Even more so. The 2019 Collection data breaches exposed over 2.19 billion email addresses and their associated passwords. New breaches turn up almost every week, so the question is not whether your password will be published, but when.
“Not me!” Ha! Do yourself a favor: check your email address with the HaveIBeenPwned service and get ready for your jaw to drop. I am supposed to be a security expert, and my main email account's password has turned up in 27 — count them, 27 — data breaches.
So while using a passphrase instead of a password is good, it is not enough. Here are two more recommendations for you and your employees.
First: pick a corporate-standard password manager and require every employee to use it. This has two advantages. In most cases it can automatically generate long random strings. And users only have to remember a single master password; the program keeps track of everything else.
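The “automatically generate long random strings” part is the piece worth getting right, because a generator that is predictable or that pads a short password to satisfy a policy undoes the benefit. As an added illustration (not code from the article or from any of the password managers it names), the snippet below shows the two generation styles a manager offers, using Python's `secrets` module as the cryptographic random source: a uniformly drawn character password that is re-drawn until every class is present rather than having classes inserted at fixed positions, and a passphrase built from independent word picks. The eight-word list is a constructed stand-in for a real 7776-word list.

```python
import secrets
import string

# Required character classes; string.punctuation is the 32 printable ASCII symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed mini word list for the demo; a real diceware-style list has 7776 entries.
WORDLIST = ["basket", "carolina", "garden", "lantern", "orbit", "pepper", "quartz", "tarheel"]


def has_every_class(candidate: str) -> bool:
    """Policy check: at least one character from each class."""
    return all(any(c in cls for c in candidate) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw every position uniformly from the full alphabet with the CSPRNG, then
    retry until all classes are present, so no position has a predictable class."""
    if length < len(CLASSES):
        raise ValueError("length must allow every class to appear")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST, sep: str = " ") -> str:
    """Memorable alternative: n_words picked independently (with replacement) from a list.
    Strength comes from list size and word count, so use a large list in practice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase(5))
```

The rejection loop in `generate_password` costs a handful of retries for short lengths and almost none at 20 characters; the alternative of forcing one character of each class into fixed slots would leak structure to anyone who knows the policy.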
Which password manager? Google Chrome's built-in password manager is fine for anything that runs through a web browser. But I know not everyone trusts Google.
At the opposite end from Chrome's very easy-to-use, almost invisible password manager is the open source KeePass. It keeps the password database on the local machine (which has its own security issues) or in a cloud service. KeePass needs professional management to work well, but if you are already using Linux as the foundation of your IT department, your staff can probably handle the challenge.
Finally, I also like LastPass. It is probably the most popular password manager, which is a mixed blessing. It is simple and keeps everything in its own cloud service, so it has a huge number of users. That is the good news. The bad news is that because it is so popular, it is often a target for hackers.
Crooks broke into LastPass exactly once, in 2015. Even then, the hackers did not get at customers' passwords. LastPass has since improved its internal security.
Could LastPass (or any of the others) be cracked? Of course. Security is not a product; it is an eternal struggle. But a properly used password manager goes a long way toward securing your systems.
Finally, passwords alone are not enough. You really need to adopt two-factor authentication (2FA) to protect your company. With 2FA, you need two of the following three types of credentials to access an account:
- Something you know or can provide, commonly a one-time PIN.
- Something you have, such as a secure ID card or a hardware security key.
- Something you are, meaning a biometric such as a fingerprint, retinal scan, or voiceprint.
There are three basic ways to do this. First, a PIN can be generated for you and sent by text message. This is easy to use, but it can be defeated if someone really wants into your account. NIST now recommends against text-message-based 2FA.
Next, a 2FA program can generate the PIN. In general, 2FA authenticator apps are convenient and secure, and they run on your smartphone without the risks of SMS. Popular options include Authy, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator.
Finally, if you really want to lock down your accounts and computers, use 2FA hardware. These devices cost $20 to $60. Some of the best are the Google Titan Key, the Kensington VeriMark fingerprint key, the Thetis FIDO U2F Security Key, the YubiKey 5 NFC, and the YubiKey 5C. Just plug one into your computer and your employees are ready to go.
Is this much more annoying than writing the password on a sticky note stuck to your PC? Yes, it is. But it is also much more secure — and between password managers and 2FA apps or devices, it is not hard to do.
Me? I want you to keep your company's data safe in your own hands, not in Joe Hacker's.
Copyright © 2021 IDG Communications, Inc.
Get the right password for you and your business