Here are the top ten password security standards and specifications for 2019. Use these tips to increase your overall security, and remember: your server is only as secure as your weakest password or point of authentication.
Follow these top 10 best practices for 2019 to better protect all of your information.
Best Practices
NIST (the National Institute of Standards and Technology) is defined as:
“the non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.”[1]
We take our cues from this agency as the national standard for many measurable references, including passwords. They have updated and revised the newest password standards for 2019; here is a summary of that information.
DOs
- DO Use Passwords of At Least Eight Characters If Set By A Person: The more characters you use, the more difficult a password is to crack. Length is key, so create passwords of at least 8 characters!
- DO Use Passwords of At Least Six Characters If Set By A System or Service: If you have a system in place that allows for new user creation (e.g., an eCommerce site, a forum, or basically any type of site that allows new users to sign up), the software should never accept a password of fewer than six characters.
- DO Allow Support For At Least A 64 Character Length: This setting allows passphrases to be used when selecting a password.
- DO Use a Combination of All ASCII Character Types: Use numbers, lowercase letters, uppercase letters and symbols in your password (ex. XkeDZaJ6QG3E8!jKq3%yIOd3). This increases the overall entropy of the password, making it harder to compromise. Password entropy is the measure of how arbitrary or uncertain a password is; a password’s entropy is based on the type of character set used (uppercase, lowercase, numbers, and special characters) and the overall length of the password.
- DO Create Unique Passwords: Each password you use should be unique to the service you use it for (ex. cPanel, MySQL, and your bank account should all have different passwords).
- DO Verify Your Password Is NOT Listed In Known “Password Dictionaries”: Use an online tool, or a check built into your own software, to compare the password against known password lists. This check should always be performed.
- DO Use A Password Manager: Current best practice dictates that users should use a password manager to remember long, difficult passwords.
- DO Randomly Generate the Password: Use one of the following sites to generate a secure password: Norton by Symantec, Random.org, or Random Password Generator.
- DO Allow For At Least 10 Password Attempts Before a Lockout Is Initiated: The specified threshold is usually a balance between practicality and security, depending on your company’s risk level. This should be an adequate balance between allowing for possible user error and limiting brute force attacks.
- DO Use A Two-Factor Authentication System: The use of a Multifactor Authentication system as part of your security protocols will add an additional layer of protection. This includes methods like hardware key fobs, software like Google Authenticator and readable biometric data.
DON’Ts
- DO NOT Use Dictionary Words: If your password is pizzatime, your server is probably already hacked or, worse yet, rooted.
- DO NOT Change Your Password Often: Changing your passwords regularly is now discouraged according to the latest NIST research.
- DO NOT Use Pets, People, Places, Events, etc.: We are absolutely sure your dog is awesome and adorable, but its name can be an easy guess if someone is gathering info on you and would not make a good password. That is, unless her name is B1gg13 $m@LL$ bu$t3r B3LLy J3lly b3an! That would be cool.
- DO NOT Reuse Passwords: If your password for an account was “Quixotic.Princess1” and you were forced to change it, don’t change it to “Quixotic.Princess2”. If you have to change it again, do NOT go back to “Quixotic.Princess1”. Create a new, unique password!
- DO NOT Use Adjacent Keyboard Strings: qwerty1234 is not a secure password; neither is a keyboard pattern of ANY kind (e.g., wazsedxcfr or poilkjmnb). All of these keyboard patterns have been taken advantage of and are part of the software programs malicious actors use to scan for passwords.
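The DOs and DON'Ts above describe server-side checks that a sign-up or password-change form can enforce. The following is an added example (written for this page, not Liquid Web's or NIST's code) that implements the mechanical ones: the 8/6 character minimums, a known-password list, adjacent-keyboard-row detection, rejection of reused passwords and of trivial variants such as Quixotic.Princess1 → Quixotic.Princess2 (compared only through salted hashes of the old passwords), and a 10-attempt lockout. The breached-password set, the keyboard-run length of 4, the 128-character cap, the PBKDF2 round count and the 15-minute lockout window are all assumptions made for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import string
import time

# Constructed stand-in for a breached / common-password list. A real deployment
# loads a large corpus; this tiny set exists only so the demo runs offline.
KNOWN_BAD_PASSWORDS = {
    "password", "pizzatime", "awesomedog1", "sunshine12", "coolguy18", "qwerty1234",
}

# US QWERTY rows, used to detect adjacent-key strings in either direction.
KEYBOARD_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")

MIN_LEN_USER = 8       # password chosen by a person
MIN_LEN_SYSTEM = 6     # password generated by software
MAX_LEN = 128          # any cap must sit at or above 64 so passphrases are accepted
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored history hashes


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive keys from one keyboard row (forward or reversed)
    appear in the password. The run length is a tunable assumption."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def _stem(pw: str) -> str:
    """Lower-case and strip leading/trailing digits, symbols and spaces, so that
    Quixotic.Princess1 and Quixotic.Princess2 share the same stem."""
    return pw.lower().strip(string.digits + string.punctuation + " ")


def history_entry(pw: str, salt: bytes) -> tuple[bytes, bytes]:
    """What is stored per user when a password is set: a salted hash of the exact
    password and a salted hash of its stem (never the password itself)."""
    exact = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    stem = hashlib.pbkdf2_hmac("sha256", _stem(pw).encode(), salt, PBKDF2_ROUNDS)
    return exact, stem


def check_password(pw: str, set_by: str = "user", history=(), salt: bytes = b"") -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    minimum = MIN_LEN_USER if set_by == "user" else MIN_LEN_SYSTEM
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in KNOWN_BAD_PASSWORDS:
        problems.append("appears in a known password list")
    if has_keyboard_run(pw):
        problems.append("contains an adjacent-keyboard sequence")
    if history:
        exact, stem = history_entry(pw, salt)
        for old_exact, old_stem in history:
            if hmac.compare_digest(exact, old_exact):
                problems.append("reuses a previous password")
                break
            if hmac.compare_digest(stem, old_stem):
                problems.append("is a trivial variant of a previous password")
                break
    return problems


class LoginThrottle:
    """Locks an account after `limit` failed attempts inside a sliding `window`
    (seconds). The default of 10 matches the threshold given in the text; the
    15-minute window is an assumption."""

    def __init__(self, limit: int = 10, window: float = 900.0):
        self.limit, self.window = limit, window
        self._failures = {}  # account -> list of failure timestamps

    def _recent(self, account: str, now: float) -> list[float]:
        return [t for t in self._failures.get(account, []) if now - t < self.window]

    def record_failure(self, account: str, now: float | None = None) -> None:
        now = time.time() if now is None else now
        self._failures[account] = self._recent(account, now) + [now]

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def is_locked(self, account: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(account, now)) >= self.limit


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    old = [history_entry("Quixotic.Princess1", salt)]
    for candidate in ("pizzatime", "Quixotic.Princess2", "G0 @h3@d, M@k3 My Day!"):
        print(repr(candidate), "->", check_password(candidate, history=old, salt=salt) or "ok")
```

The stem hash is what makes the "don't just bump the trailing digit" rule enforceable without keeping old passwords in clear text: the server stores two salted hashes per historical password and compares candidates with constant-time comparison. The keyboard-row check deliberately errs towards false positives (a run of four such as "erty" also appears in ordinary words), which is acceptable for a rejection-with-explanation flow.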
Examples
BAD Passwords:
- awesomedog1
- sunshine12
- coolguy18
GOOD Passwords (please don’t use these):
Passphrases
I am sure we’ve all seen or remember the comic from xkcd regarding passwords. A joke, a hobby, a quote from a book or movie, or an interest of some sort can be used as the basis for a secure password. Take the quote “May the force be with you.” from Star Wars. We can build this into a more secure password by simply changing out some characters and adding a few numbers: May1the2force3be4with5you6! That’s a more secure password that would be much easier to remember, but would I trust my banking information to that password? Probably so, but I think I can do better. This gives us the following score:
It would take a computer about 682 NONILLION YEARS to crack your password
That’s 10^30 years! I’m ok with this. But using this same movie quote and turning it into a passphrase increases its security even further; going from “May the Force be with you.” to something like M@y Th3 F0rC3 b3 w1tH y0u! gives us the following score:
It would take a computer about 3 DECILLION YEARS to crack your password
That’s 10^33 years! I’m better with that.
GOOD Passphrase Examples:
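The "years to crack" scores quoted above come from an online checker. The following added example (not the checker's code, nor Liquid Web's) shows the arithmetic behind such a score using the entropy definition given in the DOs: pool size from the character classes actually used, length × log2(pool) bits, and half the keyspace divided by an assumed guessing rate. It also includes the word-list model that fits the xkcd-style passphrase, where the units are whole dictionary words rather than random characters. The 10^10 guesses/second rate, the 7776-word list and the 20,000-word vocabulary used for pizzatime are assumptions for the demo, not figures from the page, so the absolute years differ from the quoted scores.

```python
import math
import string

# Character classes for the charset model described in the text: the pool a
# guesser must search is the union of the classes the password actually uses.
CLASSES = (
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
    {" "},                         # space, common in passphrases
)

GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate; not from the page
WORDLIST_SIZE = 7776        # assumed diceware-style list size; not from the page
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(pw: str) -> int:
    """Sum of the sizes of every character class the password draws from."""
    chars = set(pw)
    known = set().union(*CLASSES)
    size = sum(len(cls) for cls in CLASSES if chars & cls)
    return size + len(chars - known)   # characters outside every class count once each


def entropy_bits(pw: str) -> float:
    """Charset-model entropy: length * log2(pool size)."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0


def wordlist_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words picked uniformly from a word list: the right model when a
    passphrase is built from whole dictionary words rather than random characters."""
    return n_words * math.log2(wordlist_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the keyspace at `rate` guesses/s."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("pizzatime", "May1the2force3be4with5you6!", "M@y Th3 F0rC3 b3 w1tH y0u!"):
        bits = entropy_bits(pw)
        print(f"{pw!r}: pool={pool_size(pw)} bits={bits:.1f} years={years_to_crack(bits):.3g}")
    # pizzatime modelled as two words from a 20,000-word vocabulary (assumption)
    two_words = wordlist_entropy_bits(2, 20000)
    print(f"pizzatime as 2 dictionary words: bits={two_words:.1f} years={years_to_crack(two_words):.3g}")
    print(f"4 random diceware words: bits={wordlist_entropy_bits(4):.1f}")
```

The comparison the script prints is the practical caveat behind the DON'T Use Dictionary Words rule: the charset model credits pizzatime with about 42 bits, but a guesser who tries word pairs needs only about 29 bits of effort, so the charset figure flatters dictionary-based passwords. The random-character passwords above the 170-bit mark stay out of reach under any plausible rate, which is why the page's two scores are both astronomically large regardless of the exact model used.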
- G0 @h3@d, M@k3 My Day!
- *M@y tH3 F0rc3 b3 W1th y0U*
- TH3r3’5 n0 pL@c3 l1K3 h0m3_
Remembering Passwords
The use of password managers is now recommended and can improve your ability to utilize stronger passwords, but bear in mind that a password manager is only as strong as its gateway passphrase, which allows access to ALL of your passwords. Although Liquidweb does not endorse any specific password manager, we can, however, provide a list of the most popular ones:
- Here is a full list of all of the major password managers
Authentication
The newest models for multifactor authentication identify four common factors as the essential methods of authentication:
- Something you personally know (e.g., a passphrase).
- Something you personally have on you (e.g., an employee ID badge or a key fob).
- Something you personally own (e.g., a fingerprint, facial recognition, retinal ID or other types of biometric data).
- Somewhere you specifically are (e.g., your GPS location or on a network at work).