As we approach a fall semester that will most likely continue to be, at least in part, a virtual experience for many of us, there are many issues for information technology managers to consider. Cybersecurity is one of them.
Over the past few years, cybersecurity has become a prime concern at all levels of society, from small town municipalities to the development of cyberwarfare commands in all branches of the military. Passwords are quite literally the key to many IT systems.
Passwords have become longer. Eight- to 10-character passwords are now the recommended standard, with a dozen-character passwords common. Beyond eight characters, passwords that are simply longer are not necessarily better, although mathematically, yes, it will take a supercomputer longer to recover the password via a brute force attack. In fact, NIST states that in many cases a six-character digital password is acceptable.
End users are much more likely to need to write their passwords down as they increase in length, making physical discovery easier. I do hope the days of writing your password on a sticky note under your keyboard are over, but many users still need to write down a password when they are forced to change it regularly or follow arcane complexity rules.
Students are less likely to share an easy-to-remember password, while they might share with an older sibling if they are having trouble remembering a complex password. This is especially true if they have been frustrated by delays due to forgotten passwords.
Beyond the length of passwords are the requirements to regularly change them and include C@MP!3X characters. Both of these requirements have actually been shown to result in worse passwords. ENZOIC reports that the 2017 National Institute of Standards and Technology (NIST) guidelines are not being well adhered to by many organizations. One of the key takeaways from NIST was to stop requiring routine password changes. NIST also notes that requiring a level of complexity for user-chosen passwords tends to end up with Password1! as a common approach, something that is easy enough to hack as a rule and not at all effective against keystroke logging, phishing, and social engineering types of attacks. Those three types of attacks are common approaches when entry is through a compromised password. NIST found that the benefits of length and complexity requirements were minimal and “the impact on usability and memorability is severe” (NIST, 2017).
Instead of requiring complex passwords, allowing longer passwords, where users can use a passphrase, is encouraged. Users should be allowed to make passphrases as long as 64 characters. This will increase security while not impacting usability. Another recommendation from several sources is to check potential passwords against known blacklists of poor passwords, such as dictionary words, numerical items like dates of birth, etc.
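The verifier-side policy described above (a length floor, a 64-character ceiling, no composition rules, no forced rotation, and a blocklist check for dictionary words, date-like strings, repeated or sequential characters, and context-specific words such as the username) can be expressed as a small checker. The following is an added example written for this post, not code from NIST or from any of the cited sources; the word lists, thresholds, and function names in it are constructed for illustration.

```python
"""Memorized-secret checker in the style of the 2017 NIST guidance discussed above.

Added example, not from the article or from NIST. Rules: minimum 8 characters
(the article's recommended floor), maximum 64 (the passphrase ceiling), no
character-class requirements, and a blocklist check. Word lists are constructed.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8    # article: eight to ten characters is the recommended floor
MAX_LENGTH = 64   # article: allow passphrases up to 64 characters

# Constructed stand-in for a breach-derived common-password list (compared case-insensitively).
COMMON_PASSWORDS = {"password", "password1", "password1!", "iloveyou",
                    "qwerty", "letmein", "welcome1"}

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "school", "football", "dragon"}

# Date-like strings such as 03041999, 03/04/99 or 1999-04-03 (assumed patterns).
DATE_RE = re.compile(r"\d{2}[/.-]?\d{2}[/.-]?\d{2,4}|\d{4}[/.-]?\d{2}[/.-]?\d{2}")


@dataclass
class CheckResult:
    ok: bool
    reasons: list = field(default_factory=list)


def _has_long_repeat(pw, run=4):
    """True if any single character repeats `run` or more times in a row (e.g. aaaaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw, run=5):
    """True if `run` consecutive characters step up or down by one (e.g. 12345, abcde, 54321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password, context=()):
    """Return a CheckResult; `context` holds strings (username, school name) the password must not contain.

    Deliberately absent: character-class rules and any expiry logic, per the guidance above.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    if lowered in DICTIONARY_WORDS:
        reasons.append("is a single dictionary word")
    if _has_long_repeat(password):
        reasons.append("contains a long run of one repeated character")
    if _has_sequence(password):
        reasons.append("contains a sequential run such as 12345 or abcde")
    if DATE_RE.search(password):
        reasons.append("looks like a date, which is easy to guess")
    for word in context:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific string {word!r}")
    return CheckResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples the post lists.
    for pw in ["123456", "Password1!", "aaaaaaaa", "03041999", "correct horse battery staple"]:
        result = check_password(pw, context=("jsmith",))
        print(f"{pw!r:32} ok={result.ok} {'; '.join(result.reasons)}")
```

Note that a passphrase such as "correct horse battery staple" passes with no special characters at all, while Password1! is rejected by the blocklist rather than by any complexity rule; that is the trade the guidance makes. In production the constructed sets would be replaced by a real breach-derived list and dictionary.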
While relaxing requirements to improve organizational security, it is also important to ensure that user training takes place at all levels of the organization. Remind users how to develop a strong password. A UK study of poor and easily cracked passwords included aaaaaa and 123456 along with Password and Iloveyou (Picheta, 2019).
Share the requirements for developing strong passwords with all staff. Explain the potential to utilize password management programs to encourage users to create unique passwords for each account they have. Even a strong password becomes weak if it is used for 21 different accounts. Also encourage users to consult with Google Password Checker or Firefox Monitor to determine if any of their passwords have been compromised. A side benefit is that the user might find out they have accounts they have forgotten about.
This will require a change in mindset for many IT staff and leaders, but it does seem fairly arbitrary for schools to be in situations where their password security requirements are potentially more burdensome than those outlined by the Department of Commerce for use throughout the federal government or those outlined by Microsoft. This is particularly true when research seems to support that those additional requirements do not serve to improve security but do diminish organizational efficiency (Doherty, 2019; Naked Security, 2016).
As schools rely more heavily on technology as the medium through which we educate, it is important for information technology leaders to ensure that they balance the needs of cybersecurity with the needs of end users. It is essential that all involved in leadership consider the impact of potential security measures on organizational effectiveness.
Doherty, R. (2019, June 5). 2019 password policy best practices. Intellisuite. Retrieved from https://www.intellisuite.com/blog/2019-password-policy-best-practices.
Enzoic. (n.d.). Surprising new password guidelines. Retrieved from https://www.enzoic.com/surprising-new-password-guidelines-nist/.
Naked Security. (2016, August 18). New password rules: what you need to know. Retrieved from https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/.
National Institute of Standards and Technology. (2017). Digital identity guidelines. NIST Special Publication 800-63B. Retrieved from https://pages.nist.gov/800-63-3/sp800-63b.html.
Picheta, R. (2019, April 23). How hackable is your password? CNN Business. Retrieved from https://www.cnn.com/2019/04/22/uk/most-common-passwords-scli-gbr-intl/index.html.