Preventing Information (In)Security

While summer is often thought of as the season for carefree living and time away from work and school, it’s no time for enterprises and individuals to take a vacation from ensuring their online account information is secure and protected with the strongest password structures possible. 

The Box sat down with Michael Nizich, Ph.D., director of the Entrepreneurship and Technology Innovation Center (ETIC) and director of the NSA/DHS CAE Cyber Defense Education Program in the College of Engineering and Computing Sciences, to gain insight into this important issue.

In a work environment, how can enterprises ensure individuals are protecting information with secure passwords?
There are two unique components to be considered in regards to information security when it comes to password policies. The first is what a user chooses to select as a password and how often they change it, and the second is the organization’s policies on what it requires from users for passwords to qualify as secure.

The first consideration depends strictly upon how the user decides to create a password; one that meets the organization’s requirements and remember without having to write it down. The second is a combination of technology-based solutions and system configurations governed by the organization's Information Technology (IT) department.

How should passwords be created?
The National Institute of Standards and Technology (NIST) currently recommends that organizations and users alike focus on length and complexity of the password, but to create them in a manner that is extremely memorable to an individual based on their own subjectivity. Users can follow this recommendation for organizational passwords as well as for their personal accounts for phones, tablets, banking apps, etc.

This is a response to the way most encryption algorithms work; as each new additional character in a password makes an attacker’s effort exponentially more difficult, requiring that much more work to break the code.

How often should a user change their passwords? 
A user should change passwords every 90 days at minimum, and they should be as long and complex as possible, provided the user can remember them easily. The 90-day window is recommended because within that time, nefarious actors may be able to compile enough publicly available personal information to break a password with some readily available password-cracking software and a high-performance workstation.

For example, if it could easily be assumed from social networking sites that an individual is a dog lover, then it could be assumed that their passwords have something to do with dogs, which eliminates millions of possible combinations in one shot. By changing the password frequently, the user is in a race with the cyber criminal to negate any work they have done to learn about the user's life and by extension, their potential password choices.

What are a few best practices for password and information security?
Previously, password security focused on complexity versus length, but that made it extremely hard to remember an 8-character password like “%$#FReDr.” The new recommendation from NIST is to focus on long passwords that have an extremely personal and subjective meaning so that cyber criminals have little chance of guessing them based on stolen or acquired personal data.

An example for a dog lover might be, “ILoveMy8YearOldYorkie!” In this case, the length and complexity are extremely difficult to crack with a brute force attack, and there wouldn’t be enough public information about the user for an attacker to guess this password in any acceptable amount of time. And, a password like this is really easy for the user to remember.

Keep in mind that the more a user intentionally places passwords in centralized storage areas, the greater the risk. As an example, if you log into a website and it asks to remember you next time, that information is stored on your local hard drive. This makes it vulnerable to attackers who can access your hard drive through a Phishing attack. Additionally, if you use a password wallet from a trusted provider, all of your passwords are stored away from your own computer on a centralized server that is available through the Internet. This is ultimately making all of your passwords vulnerable by being in one place and relying on the security of the specific wallet vendor.

The best and safest solution is always for a user to enter their password each time they enter a website or application. Additionally, those passwords should be created as long, complex, and personal as possible while being changed every 90 days or less.