Open Sesame! Learn about a new take on passwords
by MACC’s Technical Support Team
Like the famous phrase that opened the cave of treasure in Ali Baba and the Forty Thieves, hackers try to use your password to get at you and your company’s treasured customer information. Using passwords like “password” or “1234” is like opening the door for them. Security experts have preached for years about using secure passwords of six characters or more consisting of upper and lower case letters, numbers and symbols. As hackers have evolved, so has the idea of what a secure password is.
New theories are emerging that present an interesting idea. While we don’t recommend jumping on the bandwagon until it has been proven effective, it is interesting to consider.
The National Institute of Standards and Technology (NIST) now suggests, in its revised Digital Identity Guidelines (Special Publication 800-63B), keeping passwords simple, long and memorable. Paul Grassi, senior standards and technology adviser at NIST (who led the revision of the guidelines), said in an interview with NPR’s Audie Cornish:
Phrases, lowercase letters and typical English words work well. Experts no longer suggest special characters and a mix of lower and uppercase letters. And passwords never need to expire. “We focus on the cognitive side of this, which is what tools can users use to remember these things?” Grassi said. “So if you can picture it in your head, and no one else could, that’s a good password.”
While these rules may seem suspiciously easy, Grassi said they help users create longer passwords, and longer passwords are harder for hackers to break. He also said the computer security industry, in both the public and private sectors, has received the new rules positively.
“It works because we are creating longer passwords that cryptographically are harder to break than the shorter ones, even with all those special character requirements,” Grassi said. “We are really bad at random passwords, so the longer the better.”
Grassi stands by the new guidelines because the old advice burdened users without doing much to boost security. When users are forced to change their passwords every 90 days, they rarely change them in any meaningful way.
“I’m pretty sure you’re not changing your entire password; you’re shifting one character,” he said. “Everyone does that, and the bad guys know it.”
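To make the quoted guidance concrete, here is an added example of a server-side password check, written in Python for this article. It is our illustration, not code from NIST or from the interview. It applies the rules above: judge a password by its length rather than by character classes, accept spaces and plain lowercase words, reject well-known weak passwords such as “password” and “1234”, and, when a user does change a password, refuse the one-character shift Grassi describes. The 8-character minimum, the contents of the small blocklist and the similarity threshold are assumptions made for the example; a real deployment would load a list of breached or commonly used passwords.

```python
import re

# Added example for this article (not NIST's or MACC's code): a password
# acceptance check that follows the guidance quoted above.

MIN_LENGTH = 8   # assumed minimum for the example; no upper limit is imposed

# Constructed sample blocklist; in production, load a breached-password list.
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "iloveyou", "abc123", "admin", "1234",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(candidate: str) -> str:
    """Lowercase and strip a trailing run of digits/symbols, so that
    'Password1!' is still caught by the 'password' blocklist entry."""
    return re.sub(r"[\d!@#$%^&*.]+$", "", candidate.lower())


def too_similar(old: str, new: str) -> bool:
    """The 90-day rotation trick: the same password with one character shifted."""
    return edit_distance(old.lower(), new.lower()) <= 1


def check_password(candidate: str, previous: str = "") -> tuple:
    """Return (accepted, reason). There are no composition rules: spaces,
    plain lowercase words and any printable characters are all fine."""
    if len(candidate) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters"
    lowered = candidate.lower()
    if lowered in BLOCKLIST or normalize(lowered) in BLOCKLIST:
        return False, "too common; pick something only you would think of"
    if previous and too_similar(previous, candidate):
        return False, "too close to the previous password"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("", "Password1!"), ("Winter2017", "Winter2018"),
                     ("", "a rolling stone gathers no moss")]:
        print(repr(new), "->", check_password(new, previous=old))
```

Note that the length check comes first and that the similarity check only runs when a previous password is supplied; the guidance above says not to force rotation at all, so `previous` is only there to show how little a forced rotation buys.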
Until this theory has had more time in the field to be proven, we suggest a compromise. Use a long phrase that is familiar to you and easy to remember, but add subtle changes to it: capitalize some of the letters, and replace some letters with numbers and symbols. Here is an example:
Phrase: a rolling stone gathers no moss
We accomplished this simply by replacing the letter s with $ and the letter e with 3, then capitalizing the first letter of each word. These simple steps make a long password more complex while keeping it easy to remember. Two cautions, in line with Grassi’s advice above: swapping s for $ and e for 3 is a pattern cracking tools try as a matter of routine, so the strength comes from the length of the phrase rather than from the symbols; and a proverb everyone knows is not something “no one else could” picture, so prefer a phrase that is personal to you.
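The following added example, written in Python for this article and not taken from MACC or NIST, applies the recipe above to the sample phrase (keeping the spaces, which is an assumption since the article does not say whether they stay) and then shows why the substitutions add little on their own: a small set of well-known mangling rules, toggled on and off and combined with a few capitalization styles, regenerates the result from the plain proverb. The list of substitutions, the four case styles and the 7,776-word vocabulary used for comparison are assumptions made for the example.

```python
import itertools
import math

# Added example (not MACC's or NIST's code). It applies the article's recipe
# to its sample phrase and measures how much guessing work the substitutions
# really add once an attacker already has the base phrase.

PHRASE = "a rolling stone gathers no moss"   # the article's sample phrase


def capitalize_words(text: str) -> str:
    """Upper-case the first character of each space-separated word."""
    return " ".join(w[:1].upper() + w[1:] for w in text.split(" "))


def macc_style(phrase: str) -> str:
    """The article's recipe: s -> $, e -> 3, then capitalize each word.
    Spaces are kept (an assumption; the article does not say)."""
    return capitalize_words(phrase.replace("s", "$").replace("e", "3"))


# Substitutions a cracking rule set routinely tries (assumed list).
SUBS = [("s", "$"), ("e", "3"), ("a", "@"), ("o", "0"), ("i", "1"), ("t", "7")]

# Capitalization styles tried after the substitutions (assumed list).
CASE_MODES = (
    lambda s: s,                        # unchanged
    lambda s: s[:1].upper() + s[1:],    # capitalize first letter only
    capitalize_words,                   # capitalize every word
    str.upper,                          # all caps
)


def mangle(phrase: str) -> set:
    """Every candidate produced by toggling each substitution on or off and
    then applying one case style: the whole space the recipe can land in."""
    candidates = set()
    for mask in itertools.product((False, True), repeat=len(SUBS)):
        text = phrase
        for enabled, (src, dst) in zip(mask, SUBS):
            if enabled:
                text = text.replace(src, dst)
        for mode in CASE_MODES:
            candidates.add(mode(text))
    return candidates


def extra_bits(phrase: str) -> float:
    """Bits of guessing work the substitutions add on top of knowing the phrase."""
    return math.log2(len(mangle(phrase)))


def random_words_bits(n_words: int, vocabulary: int = 7776) -> float:
    """Guessing work for n words drawn uniformly from a word list
    (7,776 words is the size of a Diceware-style list; assumed here)."""
    return n_words * math.log2(vocabulary)


if __name__ == "__main__":
    pw = macc_style(PHRASE)
    print("Article-style password:", pw)
    print("Regenerated by the rule set?", pw in mangle(PHRASE))
    print(f"Substitutions add about {extra_bits(PHRASE):.1f} bits")
    print(f"Five random words from a 7,776-word list: {random_words_bits(5):.1f} bits")
```

The substitutions contribute under 8 bits (at most 64 substitution combinations times 4 case styles, with some duplicates), which is why the phrase itself, and how hard it is to guess, carries the weight; five words chosen at random from a modest word list are worth roughly 64 bits before any symbols are added.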
We take data security very seriously at MACC and are committed to offering our best to help you strengthen your defenses. If you have any questions, or if there is anything we can do for you, please don’t hesitate to contact your MACC Tech Support Team and we will be happy to help! We can be reached at 402-533-5300 or via email at [email protected].
Have a technical question?
We would love to hear from you! Use the form below to submit your questions and comments and we will include them in our monthly newsletter articles.