The password landscape is changing. Make sure you understand what’s happening and how the changes can make it easier to stay safe.
As of January 2020, we will be moving to a baseline of 10-digit passwords changed once a year for customers with Multi-Factor Authentication (MFA).
Why are password policies changing?
The password has been the mainstay of network security since the invention of the computer but every now and again something happens to demonstrate more clearly the shift in the landscape which has been happening over the last number of years.
For over 40 years one of the original passwords baked into Unix had remained a secret, so a few weeks ago a researcher decided to attempt to crack it with a modern cracking tool. He cracked it in 4 days. The password, when revealed, was 8 digits long and complex. This shows the increase in CPU power over time and the potential vulnerability of the password as a sole security measure, especially a short one.
It was probably almost 20 years ago that Bill Gates claimed that the password was dead, and yet today it is still the sole security control protecting the network for more than 80% of admins, never mind end users. In other words, over 80% have no MFA.
It’s worth pointing out that we are a little different at Nitec. Thanks to our ability to monitor and manage this through our Customer Portal, over 50% of all accounts (admins and end users combined) have MFA. This is improving every day, but even with huge pressure being applied to customers progress can be slow, which shows how hard it can be to get these technologies implemented even though they are essential and largely free.
So, what is the latest thinking regarding password policy? This is probably best split into 3 short sections.
1. Password Length
As of January 2020, Nitec are moving to a 10-digit minimum password policy. Moving from 8 digits to 10 makes it approximately 5000 times harder to crack.
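To see where the "approximately 5000 times harder" figure comes from, and what it would have meant for the 8-digit Unix password cracked in 4 days, here is a short worked calculation. This is an added example, not code from the original post; the character-set sizes and the assumption that the same cracking rig is used at both lengths are constructed for illustration.

```python
"""Worked check of "8 -> 10 characters is ~5000x harder to crack".

Added example, not part of the Nitec post. Alphabet sizes are constructed
assumptions; the model is pure brute force at a fixed guess rate.
"""

DAYS_PER_YEAR = 365.25


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over `alphabet_size` symbols."""
    return alphabet_size ** length


def hardness_ratio(alphabet_size: int, old_len: int, new_len: int) -> int:
    """How many times larger the keyspace gets when the minimum length grows.

    For a fixed alphabet this is alphabet_size ** (new_len - old_len), so it
    depends only on the alphabet and on how many characters were added.
    """
    return keyspace(alphabet_size, new_len) // keyspace(alphabet_size, old_len)


def implied_alphabet_size(ratio: float, extra_chars: int) -> float:
    """Alphabet size at which adding `extra_chars` gives the stated ratio."""
    return ratio ** (1 / extra_chars)


def projected_crack_days(days_for_old: float, ratio: float) -> float:
    """Scale a measured brute-force time by the keyspace ratio (same rig, same rate)."""
    return days_for_old * ratio


def years(days: float) -> float:
    """Convert days to years for readability."""
    return days / DAYS_PER_YEAR


if __name__ == "__main__":
    # A 5000x jump over 2 extra characters implies an alphabet of ~71 symbols,
    # e.g. 26 lower + 26 upper + 10 digits + a handful of punctuation marks.
    print(f"implied alphabet: {implied_alphabet_size(5000, 2):.1f} symbols")
    for name, size in [("digits only", 10), ("lower+upper+digits", 62),
                       ("lower+upper+digits+8 symbols", 70),
                       ("all printable ASCII", 95)]:
        r = hardness_ratio(size, 8, 10)
        # The 8-digit Unix password fell in 4 days; at 10 digits the same
        # attack would need ratio x 4 days.
        print(f"{name:30s} x{r:>6d}  ->  {years(projected_crack_days(4, r)):8.1f} years")
```

The model only covers brute force against a stolen hash; a password handed over to a phishing page is lost regardless of its length, which is why the next section on MFA matters more than the extra two characters.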
2. Multi-Factor Authentication
MFA is now essential. It is unconscionable for a business today not to have it. The chance of you being hacked without MFA is more a matter of ‘when’ than ‘if’. Your staff are social beings and some of them will eventually fall into a well socially engineered trap and divulge their password. It’s just a fact of life.
When they do – and you can be sure they will eventually – the damage can vary from trivial to severe, and it is impossible to say in advance. A common outcome is an email to all your customers carrying fraudulent bank details. That means an embarrassing series of communications with every customer in which you have to say “we were hacked and that email you got wasn’t from us”, and then follow up to make sure the message stuck. If any of your customers pay into the new hacker bank account, good luck getting that money back. The damage can easily mount up.
3. Password Expiration
NIST (National Institute of Standards and Technology) has for some time been asking administrators to extend the interval between password expiries, as the evidence has gradually piled up on how users actually change passwords. The premise is that users don’t change passwords; they tweak them, usually in very predictable ways.
If I’m honest, I’m still not a complete believer in every aspect of this, but IT as an industry is nothing if not data driven and it would seem that largely the jury is out on this. 1 year is a better timeline than 90 days or 30 days. As a result, Nitec will be changing to a 1-year minimum password expiration on 1st January 2020 also.
It is important to point out that this is only the case if you have MFA enabled. If you haven’t got MFA and you are a Nitec customer, brace yourself. We’re coming for you in 2020, if not before. If you are unsure whether you have MFA you can of course call your account manager or check yourself on your Customer Portal as always.
Maybe next month we will take a look at the latest password-less mechanisms from Microsoft.