Out with the old, in with the new: A rehaul for outmoded password procedures
Ashlee Aleshire-Ash, Senior IT Support Specialist, Bankers’ Bank of the West
Posted August 2019
Since the earliest days of computer security, we’ve been urged to change our passwords regularly. The common advice was to make the password complicated, nonsensical, and (most importantly) something nobody else could guess. That is now changing: Recently, many organizations (Microsoft and the National Institute of Standards and Technology among them) have released statements indicating that current password procedures are obsolete and in need of an overhaul.
Previously, the guideline had been to change your password every 90 days. That password had to be no fewer than eight characters long, with at least one uppercase letter, one lowercase letter, one number, and one special character. Now we’re being advised to change passwords only when a breach occurs.
From an IT perspective the new recommendations might seem dangerous, but they come with some stipulations that add layers of security. First, passwords should always be checked against a blacklist of known compromised passwords. (Also, by now it should be obvious that using “password” in your password is not best practice.) Second, allow every available character, including the space. Third, password length should be anywhere from 8 to 64 characters. Fourth, use a second factor for authentication.
To clear up any confusion the previous sentence might have caused: Multifactor authentication takes something you alone have and turns it into another way to authenticate with a system. The simplest form is the RSA token. In recent years, smart innovators have applied the idea behind an RSA token to create an app for your phone, something you’re likely to always carry with you.
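As an added illustration (not code from the original post or from any of the organizations it mentions), the checker below contrasts the outmoded composition-rule policy with the first three stipulations above: an 8-to-64 character length, every character allowed, and a check against a list of known compromised passwords. The blacklist is a small constructed sample standing in for a real breach corpus.

```python
"""Old vs. new password acceptance rules (added example, not from the post)."""
import re

# Constructed sample of known compromised passwords, lower-cased for matching.
# A real deployment would query a breach corpus instead of this short set.
COMPROMISED = {
    "password", "pass word", "p@ssw0rd!", "123456", "qwerty", "letmein",
}


def old_policy(pw: str) -> list[str]:
    """The rules the post calls outmoded: 8+ chars and one of each class."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems


def new_policy(pw: str, blocklist: set[str] = COMPROMISED) -> list[str]:
    """The rules the post recommends: 8-64 chars, any character (space
    included), no composition rules, reject anything on the blocklist."""
    problems = []
    n = len(pw)  # code points, so spaces and non-ASCII characters count fully
    if n < 8:
        problems.append("shorter than 8 characters")
    if n > 64:
        problems.append("longer than 64 characters")
    # Case-insensitive comparison so "PASSWORD" is caught along with "password".
    if pw.lower() in blocklist:
        problems.append("appears on the compromised-password list")
    return problems


def compare(pw: str) -> dict[str, list[str]]:
    """Run both policies so the difference is visible side by side."""
    return {"old": old_policy(pw), "new": new_policy(pw)}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "PASSWORD"]:
        print(repr(candidate), compare(candidate))
```

Note that "P@ssw0rd!" satisfies every composition rule of the old policy yet fails the new one because it is on the compromised list, while a long lowercase passphrase with spaces fails the old policy and passes the new one.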
Changing passwords is nobody’s idea of a good time, but don’t camp outside your friendly neighborhood IT person’s door with pitchforks just yet: These things will take time to implement. Many websites already have no limits on password age, and yet business systems will be slow to follow for a variety of reasons. The best advice I can offer is this: Multifactor authentication is the way of the future. Be ready for it.