I feel like I have been writing about passwords over and over, and that's because I have. Despite hearing about how important passwords are over and over again, compromised passwords continue to be an issue for organizations.
Since the National Institute of Standards and Technology (NIST) recently published new guidance and is recommending the use of long, easy-to-remember passphrases, I thought it was an opportune time to give you some of the tips I use when I educate client employees on recommended practices regarding passwords.
It is important that when employees sit down at their company workstation or laptop, they can remember their password without having to refer to any written piece of paper (like a sticky note taped to the front of the workstation or inside the laptop) or check the notes on their phone. (I refer to these two examples because this is what many employees do every day so they can remember their password.) You have to get it into their brain that they have to memorize their password. It must be in their brain. I liken it to Tom Cruise in Mission Impossible getting his instructions and then having them self-destruct. Employees in general like Mission Impossible movies and laugh, but they get the point. They need to come up with a password that they can memorize, and then the written copy self-destructs and is not retrievable.
I am a believer in the use of long, easy-to-remember passphrases, which is consistent with NIST's guidance. One example I use is Myfavoritecolorispurple$ or Myfavoritecolorisblue! This of course is not my password, but it is a clear example of a complex passphrase that is easy to remember. It has a capital letter, lower case letters, and a number or symbol. My IT colleagues approve and say it is complex enough for most password requirements.
When you give your employees ideas for long, easy-to-remember passphrases like the ones above, tell them not to actually use the example! They need to come up with a unique phrase that they will remember when they log on to their computer. Give them subject matter ideas like hobbies (IwishIwasasingledigithandicap/), travel (IloveNewOrleans$), animals or pets (Icaught5bass!), or seasons (Fall!smyfavoriteseason).
You get the drift.
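To show what a passphrase check consistent with that guidance looks like in practice, here is an added example (my own illustration, not code from the original post or from NIST). It follows the NIST SP 800-63B approach of checking length and a blocklist rather than forcing symbols and digits, and it blocklists the sample passphrases from this post so that nobody can actually use the example. The blocklist, the `context_words` parameter and the sample candidates are constructed for illustration; a real deployment would compare against a large breached-password corpus.

```python
"""Passphrase acceptance check in the spirit of NIST SP 800-63B.

Added example: length limits, a blocklist and context-specific words are
checked; no composition rules (uppercase/digit/symbol) are imposed.
"""

import unicodedata

# Constructed blocklist: the sample passphrases from the post (which employees
# are told never to reuse) plus a few very common passwords. In production this
# would be a large breached-password list, not a hand-written set.
BLOCKLIST = {
    "Myfavoritecolorispurple$",
    "Myfavoritecolorisblue!",
    "IwishIwasasingledigithandicap/",
    "IloveNewOrleans$",
    "Icaught5bass!",
    "Fall!smyfavoriteseason",
    "password", "123456", "qwerty", "letmein",
}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # NIST says verifiers should accept at least this many characters


def normalize(secret: str) -> str:
    """Apply NFKC normalization, as 800-63B recommends, before comparing."""
    return unicodedata.normalize("NFKC", secret)


def check_passphrase(secret: str, context_words=()) -> list:
    """Return the list of reasons a passphrase is rejected; an empty list means accepted.

    context_words is a hypothetical caller-supplied list of words that should
    never appear in the secret (the user's name, the company name, the service).
    """
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"too short ({len(s)} < {MIN_LENGTH})")
    if len(s) > MAX_LENGTH:
        problems.append(f"too long ({len(s)} > {MAX_LENGTH})")

    lowered = s.lower()
    # Case-insensitive comparison so MYFAVORITECOLORISBLUE! is caught as well.
    if lowered in {entry.lower() for entry in BLOCKLIST}:
        problems.append("appears on the blocklist (known example or common password)")

    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "AcmeCorp" stands in for the employer's name.
    candidates = [
        "Myfavoritecolorisblue!",          # the post's own example: rejected
        "short1!",                         # complex-looking but too short
        "Idrinktwocoffeeseverymorning",    # long, memorable, no symbols: accepted
        "AcmeCorpRocks2024",               # contains the company name
    ]
    for candidate in candidates:
        verdict = check_passphrase(candidate, context_words=["AcmeCorp"])
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The point of the third candidate is the one worth making to employees: a plain sentence with no digits or symbols passes, because length and unpredictability are what the guidance cares about, while a seven-character string with a digit and a symbol does not.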
The other nice thing about using passphrases is that NIST agrees they can be kept for a longer period of time, so employees don't get frustrated with having to change their passwords every 60 days.
So check out the new password guidance from NIST here and try to make the password education fun and engaging.