Lock It Down: Password Security Do’s and Don’ts

Introduction to Passwords

The first computer password was introduced for use at MIT in 1961. Of course, this isn’t human beings’ first dalliance with the idea of a password, but this isn’t a history lesson. What this means is that the pesky password is here to stay for a while. But a password is often the weakest link in a security chain. We both love and loathe our passwords, and our obsession and reliance on them show in some shocking usage statistics.

The fact is, passwords are handy. From a computer programming perspective, they can be a pretty easy way to add an access control method (assuming you take care of the security). From a user perspective, they are neat — you only need your memory and a way to input the characters into a computer interface.

The Password Conundrum

In recent years, the way humans use passwords, together with the advice given by bodies such as the National Institute of Standards and Technology (NIST), has given rise to conflicting views on how best to implement the use of passwords. For example, five years ago, it was common practice to force the use of specific character types, mixed case and special characters when choosing a password. You’ll remember the prompts at password setup:

Must Include:

  • 1 upper case letter
  • 1 lower case letter
  • A number
  • A special character %!&

Although we still see these types of policies applied, those days of stringent password creation control are gone. In their Special Publication 800-63B, NIST now strongly suggests that you do not force password policies at all. This is sensible if you think about it. If a hacker is looking at using a brute-force attack against a system, showing them the requirements of that system is like handing them a template to a key.
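As an added example (not code from the original post), the following Python sketch places the "Must Include" composition checker quoted above beside an SP 800-63B style check that drops composition rules and instead enforces a length floor and a compromised-password blocklist. The blocklist is a constructed stand-in for a real breach corpus, and the 128-character upper cap is an assumption (800-63B only requires that at least 64 characters be accepted).

```python
import string
import unicodedata
from typing import Tuple

# Constructed sample blocklist standing in for a real compromised/common-password feed.
CONSTRUCTED_BLOCKLIST = {"password", "p@ssw0rd1", "qwerty123", "welcome1!", "summer2019"}

# Assumption: a generous cap so a slow password hash cannot be fed megabytes of input.
MAX_LENGTH = 128


def legacy_composition_policy(pw: str) -> bool:
    """The 'Must Include' rules from the post: 8+ characters with at least one
    upper-case letter, one lower-case letter, one digit and one special character.
    Publishing these rules tells an attacker the shape of every valid password."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def nist_800_63b_policy(pw: str, blocklist=CONSTRUCTED_BLOCKLIST) -> Tuple[bool, str]:
    """SP 800-63B style check for memorized secrets: a minimum of 8 characters,
    no composition rules, any printable character (including Unicode) allowed,
    and rejection of anything found on a list of compromised or common values."""
    # 800-63B recommends Unicode normalisation before comparing or hashing.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > MAX_LENGTH:
        return False, "exceeds configured maximum length"
    # Compare case-insensitively so trivial casing tricks do not evade the list.
    if pw.lower() in blocklist:
        return False, "appears on compromised/common-password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "short1!"):
        print(repr(candidate), "legacy:", legacy_composition_policy(candidate),
              "nist:", nist_800_63b_policy(candidate))
```

Note that "P@ssw0rd1" satisfies every composition rule yet is exactly the kind of predictable value a blocklist catches, while a long lower-case passphrase fails the legacy rules but passes the 800-63B style check.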

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/oeOWrFX1Ibc/