There are some very smart hackers out there, many of whom have access to the latest techniques and exploits. But time and again, we’ve seen that attackers don’t need to deploy the latest and greatest because they can achieve their goals with older, basic techniques. Why bother with something complex, or why burn a new tool by using it on a low-value target, when simple things like reused passwords can get a hacker everything they need?
For example, suppose you use your go-to, easy-to-remember username and password at a mom-and-pop retailer, and hackers steal it. Or maybe hackers buy a block of username/password combinations on the black market. If you use the same username/password for your healthcare provider, a hacker can easily gain access to your most private and most valuable personal information.
We all know that we shouldn’t use the same password at multiple sites. We also know that we shouldn’t use the same password for work and personal accounts, so that a successful attack on our personal accounts doesn’t give the attacker a foot in the door to our corporate network.
But we also know that remembering multiple passwords is difficult, and best practices seem to change all the time. In fact, many of the standard password-protection schemes that we’ve become accustomed to have been deemed ineffective and outdated. That’s according to guidelines from the National Institute of Standards and Technology (NIST), which are based on the premise that ease of use is an essential component of effective security.
Do’s and don’ts of password protection
NIST recommends that companies and websites that verify credentials do away with all of the requirements that supposedly make a password more difficult to crack, but also make it more difficult to remember, such as capitalization, special characters, numbers, etc. Instead, NIST recommends long passphrases made of real words and encourages sites to allow people to enter as many as 64 characters in a single passphrase.
In addition, NIST says the common practice of requiring regular password updates should be discontinued because this has resulted in people choosing weaker passwords. Also, NIST calls for doing away with asking people to provide a “hint,” like the name of their first pet or mother’s maiden name, because hackers could gain access to that information.
NIST does recommend some additional measures, such as cross-checking a new password against a blacklist of compromised passwords and rejecting passwords that are on the list. Other criteria for rejecting passwords include repetitive or sequential characters or numbers, passwords obtained from previous breaches, and context-specific words, such as the name of the bank or the person’s own name.
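As an added illustration that is not part of the original article, here is a small Python validator applying the NIST-style rules described above: long passphrases of up to 64 characters with no composition rules, a blocklist of breached passwords, and rejection of repetitive or sequential characters and context-specific words. The 8-character minimum comes from NIST SP 800-63B rather than this article, and the breached-password list is a constructed stand-in for a full breach corpus.

```python
import re

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets (assumption, not from the article)
MAX_LENGTH = 64   # accept passphrases of at least 64 characters, as the article describes

# Constructed sample blocklist; a real deployment checks against a full breach corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def has_repetition(pw, run=4):
    """True if any single character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{" + str(run - 1) + ",}", pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters ascend or descend by one (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, context_words=()):
    """Return the list of reasons to reject `pw`; an empty list means it is accepted.

    Note what is deliberately absent: no uppercase/digit/symbol requirements and
    no expiry, in line with the NIST guidance the article summarises.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    lower = pw.lower()
    if lower in BREACHED_PASSWORDS:
        reasons.append("found in breach blocklist")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    # Context-specific words: the site or bank name, the user's own name, etc.
    for word in context_words:
        if word.lower() in lower:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```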
Security strategies that work
The best way to handle multiple passwords is to use password manager software, which saves all of your passwords and remembers which password is associated with which website, so you don’t have to.
Another positive trend is the increased use of multi-factor authentication (MFA), which typically means getting a random number sent to your phone or email address and then entering that number in order to access the site.
As users become more accepting of this type of authentication, it makes sense for companies to deploy access control systems that call for the appropriate MFA level, depending on the specific circumstance – for example, an employee trying to connect from an unusual location.
And since we know that it’s the basic security mistakes that come back to bite you, companies need to make a renewed push to educate employees on security best practices, including password protection and how to avoid phishing attacks.
This article originally appeared on DXC.technology and is republished by permission. DXC Technology is an SAP platinum partner.