A password is more than just a word
No matter how much we talk about the need to use strong passwords (including those that control access to the Dr.Web Anti-virus settings) and to change them periodically, experience shows that users find this inconvenient, and they neglect our recommendations.
The new NIST SP 800-63 Digital Identity Guidelines, published by a credible American standards organisation, aim to help users and administrators of different services find a balance between convenience and security.
It is interesting that the standard directly states that imposed password rules do not lead to a real increase in the level of protection. Password examples encourage users to choose passwords that are close to the sample: if the sample is "Password", users are likely to choose "Password1" or "1Password". In the same way, it is dangerous to rely on secret questions (e.g., "What was the name of your first pet?"), because a lot of information about our nearest and dearest is out there on the Internet, and modern computing power lets attackers crack weak passwords.
What is being recommended to you?
- Be sure to use passwords that are at least 8 characters in length (and up to 64).
- It is not recommended to tell users how they should compose passwords (e.g., "your password must contain uppercase and lowercase letters..."). The authors of the standard understand that users who are forced into hard-to-remember passwords very often start storing them in electronic form, and as a result cybercriminals can gain access to them. A novelty of this standard is the passphrase: a sequence of words or other text. Long text is difficult to guess, and information in a passphrase that is known only to the user makes it even harder to crack.
- Administrators should not require users to change passwords if the user does not want to or if there is no evidence of compromise.
- Passwords should be allowed to include all printable characters (ASCII [RFC 20]), including the space, as well as Unicode [ISO/IEC 10646] characters, including emoji. The second part of this requirement essentially makes passwords harder to crack.
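To show what a verifier that follows these recommendations looks like in practice, here is an added example (not Dr.Web's code and not part of the NIST standard). It measures length in characters rather than bytes, so an emoji counts as one character; it imposes no composition rules; it allows spaces and any printable Unicode; and, as an extra check inspired by the "Password1"/"1Password" observation above, it rejects passwords that are just a displayed sample with a few characters added. The 8 and 64 bounds are taken from the list above; the three-character tolerance in the sample check is an assumption of this example.

```python
"""Password acceptance check modelled on the NIST-style rules above.

Added example, not Dr.Web's or NIST's code.  Assumptions: length bounds of 8
and 64 characters, and a three-character tolerance for "sample plus suffix"
passwords.
"""
import unicodedata

MIN_CHARS = 8
MAX_CHARS = 64
SAMPLE_TOLERANCE = 3  # assumed: how many extra characters still count as "the sample"


def is_printable(ch: str) -> bool:
    """Reject only control characters (category Cc): tabs, newlines, NUL.
    Spaces (Zs), letters, symbols and emoji (So) all pass."""
    return unicodedata.category(ch) != "Cc"


def utf8_length(password: str) -> int:
    """Byte length in UTF-8.  Services that limit or store passwords by bytes
    rather than characters are the ones that choke on emoji."""
    return len(password.encode("utf-8"))


def derived_from_sample(password: str, samples) -> bool:
    """True if the password is a displayed sample with at most a few
    characters added (e.g. sample "Password" -> "Password1", "1Password")."""
    low = password.casefold()
    for sample in samples:
        s = sample.casefold()
        if s in low and len(low) - len(s) <= SAMPLE_TOLERANCE:
            return True
    return False


def check_password(password: str, samples=()) -> list:
    """Return the list of reasons the password is rejected; [] means accepted.

    Deliberately absent: any "must contain an uppercase letter / digit /
    symbol" rule, which the guidelines advise against."""
    reasons = []
    n = len(password)  # code points, not bytes: one emoji == one character
    if n < MIN_CHARS:
        reasons.append(f"too short: {n} characters, need at least {MIN_CHARS}")
    if n > MAX_CHARS:
        reasons.append(f"too long: {n} characters, maximum {MAX_CHARS}")
    if any(not is_printable(ch) for ch in password):
        reasons.append("contains control characters")
    if derived_from_sample(password, samples):
        reasons.append("too close to a displayed example password")
    return reasons


if __name__ == "__main__":
    shown_samples = ("Password",)  # constructed: the example shown on a sign-up form
    for candidate in ("correct horse battery staple", "Password1", "1Password",
                      "MyPasswordIsLong", "\U0001F510" * 8, "Pa ss wo rd", "short"):
        verdict = check_password(candidate, shown_samples) or ["accepted"]
        print(f"{candidate!r}: {len(candidate)} chars, {utf8_length(candidate)} bytes -> {verdict}")
```

The byte-versus-character distinction is the practical caveat: a lock emoji is one character but four UTF-8 bytes, so a service that enforces its 64 limit on bytes, or that stores passwords in a legacy single-byte column, will reject or mangle exactly the passwords this standard wants to allow.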
We understand that the new standard will not result in a dramatic improvement of the password situation. Many services are unlikely to be able to accept emoji right away, for example. That is why, until the bright new future of passwords arrives, we recommend that you take password selection into your own hands:
- Use strong passwords of at least 8 characters in length.
- Do not use passphrases containing well-known information.
- Protect your anti-virus with a password that is different from the one that protects system access.
- If you use a single password to access various services, change it periodically. Unfortunately, you may not know whether a service’s password database has been leaked to hackers.