As Password Fatigue Sets In, New Guidelines Say It’s Time to Rethink the Old Rules
Passwords. They are just about everywhere today, from your work computer to online banking to online shopping to reading the New York Times. Try to do something online today without a password and see how far you get.
With the uptick in the number of apps, tools, and websites requiring a login comes a kind of password fatigue. With the Internet came a proliferation of rules and complex guidelines for setting up user names and secure passwords, with the net result that people have to keep track of dozens if not hundreds of user name and password combinations.
Some websites and systems require periodic password changes (ok, let’s change from “password15” to “password16” today), while others require unnecessary complexity (one capital letter, a number, a symbol), resulting in passwords that may look like this: “P!1assword”.
What most systems don’t do, however, is screen for commonly used passwords. Indeed, for some people choosing a new password is as easy as “123456,” which has been the most frequently used password in the world for several years running, followed closely by “password.”
Yet following guidelines that demand frequent password changes often results in poor security. How do you think people remember all of these diverse bits of information? Just go into any office and look at the Post-It notes near the computer keyboard. Chances are you’ll see this month’s password for a highly restricted system.
Slowly but surely, security experts are recognizing the failings of the current system. This week the National Institute of Standards and Technology issued a draft of new password guidelines that argues against both periodic password changes and imposed complexity requirements.
Instead, NIST wants companies to have their systems screen user passwords against commonly used, predictable, and compromised ones, so that users will be prevented from using “baseball” and “football,” let alone “superman” and “batman” (all on the top 25 list, by the way).
In addition, numerous companies are implementing multi-factor authentication, also referred to as two-factor authentication, which adds a second factor to the login process, such as facial recognition, a fingerprint, or a one-time code sent to a mobile phone, thereby reducing to almost zero the possibility that someone could gain access to an account with a hijacked password alone.
Given the mobile nature of society today, where people log into secure systems over insecure public Wi-Fi networks, it’s crucial to adopt habits that protect one’s passwords. Following the practices above, using a virtual private network, using your smartphone’s data network instead of public Wi-Fi, sending personal information only to websites you know are encrypted, and using unique user names and passwords for each account are all things that any user can reasonably accomplish.
Finally, if your current favorite password is on any of the recent top 25 lists or even remotely resembles one on the list, change it. Now.
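The screening NIST describes, and the "even remotely resembles" test, can be sketched in code. This is an added example, not NIST's or any vendor's implementation; the blocklist is a constructed eight-entry sample standing in for a real list of common and breached passwords, and the normalization rules are assumptions chosen to catch the decorations the article mentions ("password16", "P!1assword").

```python
import re

# Constructed sample blocklist (an assumption for this example). A real deployment
# would load a large list of commonly used and breached passwords instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein",
    "baseball", "football", "superman", "batman",
}

# Letter-for-symbol substitutions that add no real strength ("p4ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(candidate: str) -> set[str]:
    """Canonical forms of a candidate, so trivial decorations map back to the base word.

    'Password16', 'P!1assword' and 'p4ssw0rd' all yield 'password'.
    """
    lower = candidate.lower()
    forms = {lower}
    # Drop digits and symbols: 'p!1assword' -> 'password', 'batman2019!' -> 'batman'
    forms.add(re.sub(r"[^a-z]", "", lower))
    # Undo leet substitutions first, then drop what is left: 'p4ssw0rd' -> 'password'
    forms.add(re.sub(r"[^a-z]", "", lower.translate(LEET)))
    forms.discard("")
    return forms


def screen_password(candidate: str, blocklist: set[str] = COMMON_PASSWORDS,
                    min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects short passwords and anything whose canonical forms hit the blocklist,
    instead of enforcing composition rules or periodic rotation.
    """
    if len(candidate) < min_length:
        return False, "too short"
    hits = variants(candidate) & blocklist
    if hits:
        return False, f"resembles common password '{sorted(hits)[0]}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "Password16", "P!1assword", "p4ssw0rd",
               "Batman2019!", "correct horse battery staple"]:
        print(f"{pw!r:35} -> {screen_password(pw)}")
```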