With the ever-increasing threat posed by cybercriminals, we need to be ever more vigilant in protecting ourselves. Therefore, we are adopting the NIST password guidelines and recommending them to all of our clients. NIST develops and maintains an extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems.
Following their guidelines we are now recommending the following when creating your password:
- A minimum of eight characters
- The use of special characters is not required
- No sequential and repetitive characters (e.g. 12345 or aaaaaa)
- No context specific passwords (e.g. company name or abbreviation, office location, etc.)
- No commonly used passwords (e.g. p@ssw0rd, qwerty, etc.)
- No passwords that have previously been breached
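As an added illustration (not part of this notice or of the tooling mentioned below), here is a small Python checker that applies the rules above. The company name, office location, common-password list and breach list it uses are constructed sample values, and it treats a run of four or more stepping or identical characters as "sequential" or "repetitive"; those thresholds are this example's assumptions.

```python
import re

# Constructed sample data for this example. A real deployment would load the
# breached-password set from a breach corpus rather than hard-coding it.
COMMON_PASSWORDS = {"p@ssw0rd", "password", "qwerty", "123456", "letmein"}
BREACHED_PASSWORDS = {"summer2019", "welcome1"}       # constructed
CONTEXT_TERMS = {"acme", "acmecorp", "springfield"}   # hypothetical company name / office location


def is_sequential(s, run=4):
    """True if s contains `run` consecutive characters stepping by +1 or -1 (e.g. '1234', 'dcba')."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_repetitive(s, run=4):
    """True if any single character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if is_sequential(candidate):
        problems.append("contains a sequential run (e.g. 1234)")
    if is_repetitive(candidate):
        problems.append("contains a repeated-character run (e.g. aaaa)")
    if any(term in lowered for term in CONTEXT_TERMS):
        problems.append("contains a context-specific term (company/location)")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if candidate in BREACHED_PASSWORDS:
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for pw in ["short", "p@ssw0rd", "acme12345", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "OK")
```

Note that the checker never rejects a password for lacking special characters, matching the second rule above.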
In line with Microsoft recommendations, we’ll also no longer be requiring passwords to be changed on a periodic basis – something we’re sure will be met with a lot of relief. Periodic password expiration is a defense only against the probability that a password might be stolen. If a password is never stolen, there’s no need to expire it.
Length is one of the most important factors in making a password secure, so we recommend using a passphrase: a long phrase that looks like nonsense to others but makes sense to you, so it’s easy for you to remember – but hard to brute force!
To put things into perspective, a reasonable computer can brute force up to 8,031,810,176 passwords in under a minute – that’s every lowercase password of 7 characters or less cracked! Put that fancy GPU in your design machine to the task, and it’ll be even faster.
We’ll be rolling out tooling to our clients to ensure passwords meet these requirements and to provide increased security. For some clients, business requirements mean your password policy may be stricter – please consult your IT Acceptable Use guidelines to confirm.