Still using “MrFluff” as your password? Maybe mixed with a little Leet-speak — say, “MrFl0ff” — to confound all those hackers who want to vacuum out your 401K plan?
Well, today is the first Thursday in May, and that means it’s World Password Day. Time to celebrate! You can do that by retiring “MrFl0ff” and replacing him with a longer, stronger password than a pet’s name (consistently a subset of the most hacked passwords worldwide, studies have found). Contrast Security experts also suggest turning on multi-factor authentication (MFA) for important accounts, and giving MrFluff a new, far harder-to-crack name, like, say, “*6fjI5%4&crkN”.
We asked Contrasters for more tips on what developers and enterprises should know about password policies: Read on!
“How many passwords have you forced yourself to remember? How many renditions of the same password (e.g. Password1, Password12, Password1!) are you using? A password manager will simplify your life and allow you to create and store passwords securely, and at the same time, you will never have to even know what those passwords are. Get yourself a password manager today.
One of the most common security requirements I still see being used in organizations is forced password expiration. NIST has explicitly stated for four years now (SP 800-63B Section 5.1.1.2) that memorized secrets should not be required to be changed arbitrarily and only force a change if there is evidence of compromise. If you make one change to your password policy, remove this arbitrary requirement.”
—David Lindner, CISO
“Enterprises should be developing and implementing password policies based on research — not intuition, folklore, and anecdote. If you had done that, you’d have stopped rotating passwords arbitrarily over a decade ago and you’d now drop the requirements for special characters in exchange for longer passwords and using passphrases (with no special characters). These passwords are easy to remember and often faster to type, which is a better user experience while making user accounts safer. CyLab created a great password research piece.”
—Larry Maccherone, DevSecOps Transformation
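The NIST guidance David cites and the passphrase argument Larry makes can both be turned into a concrete acceptance check. What follows is an added example written for this post, not Contrast Security’s own code and not a reference implementation of SP 800-63B; the blocklist contents, the 128-character cap and the sample dates are constructed assumptions. It runs the legacy policy (composition rules plus 90-day rotation) beside an SP 800-63B Section 5.1.1.2 style policy (length minimum, blocklist lookup, change forced only on evidence of compromise) so the difference in what each accepts is visible.

```python
from __future__ import annotations

import re
from datetime import date

# Constructed sample blocklist (an assumption for this example). A real
# deployment would compare against a large breach-derived corpus, which is
# what SP 800-63B means by values "known to be commonly used or compromised".
COMMON_BLOCKLIST = {
    "password", "password1", "password12", "password1!",
    "mrfluff", "mrfl0ff", "123456", "qwerty",
}

LEGACY_MAX_AGE_DAYS = 90  # the arbitrary rotation interval the quotes argue against


def legacy_policy(password: str, days_since_change: int) -> list[str]:
    """The folklore policy: composition rules plus forced 90-day rotation.
    Returns the list of reasons for rejection (empty means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    if days_since_change > LEGACY_MAX_AGE_DAYS:
        problems.append("expired: rotation forced every 90 days")
    return problems


def nist_policy(password: str, evidence_of_compromise: bool = False) -> list[str]:
    """SP 800-63B Section 5.1.1.2 style check: length is the only strength
    requirement (minimum 8; long passphrases with spaces are fine), no
    composition rules, reject values on the blocklist, and force a change
    only when there is evidence the secret was compromised."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 128:  # SP 800-63B asks verifiers to permit at least 64; 128 is this example's cap
        problems.append("longer than 128 characters")
    # Case-fold before the lookup so trivial capitalisation variants are caught too.
    if password.lower() in COMMON_BLOCKLIST:
        problems.append("appears on the list of commonly used or breached passwords")
    if evidence_of_compromise:
        problems.append("change required: evidence of compromise")
    return problems


if __name__ == "__main__":
    today = date(2021, 5, 6)    # constructed reference date
    fresh = date(2021, 4, 1)    # changed 35 days ago
    stale = date(2021, 1, 1)    # changed 125 days ago
    for pw, changed in [("Password1!", fresh), ("MrFl0ff", fresh),
                        ("correct horse battery staple", stale)]:
        age = (today - changed).days
        print(f"{pw!r}: legacy={legacy_policy(pw, age)} nist={nist_policy(pw)}")
```

Running it shows the mismatch both quotes describe: “Password1!” satisfies every legacy composition rule yet is rejected by the NIST-style check because it sits on the blocklist, while the four-word passphrase fails the legacy composition rules and the rotation timer but passes the NIST-style check outright. The only thing that makes the NIST-style check demand a new secret is the `evidence_of_compromise` flag.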
“Every time a corporate user depends on a password to get access to a service, your IT team has failed at their jobs. Updating practices to include modern identity management technologies means your users don't have to remember passwords anymore and criminals gain nothing from stealing them. This is why it is absolutely critical to enforce a companywide policy of leveraging a password manager and to mandate multi-factor authentication (MFA). Even if a user is successfully phished for a password, your data stays safe.”
—Steve Wilson, Chief Product Officer
“I look forward to the day when there isn't a ‘password’ day to celebrate. Modern identity technology is already prepared to sunset the practice.”
—Adam Schaal, Director of Enterprise Security
“There are many easy-to-use and free password managers out there! They help with creating and storing secure passwords, so folks don't have to worry about managing passwords or attackers stealing them.”
—Ankur Papneja, Product Manager