September 13, 2019 | | No Comments
Here are the top ten password security standards and specification for 2019. Use these tips to increase your overall security and remember, your server is only as secure as your weakest password or point of authentication.
Follow these top 10 best practices to better protect all of your information.
NIST: the (National Institute of Standards and Technology) is defined as:
â€œthe non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.â€1
We take our queues from this agency as the national standard for many measurable references including passwords. They have updated and revised the newest password standards for 2019;
Here is a summary of that information:
DO Use Passwords of At Least Eight Characters Or Longer If Set By A Person: The more characters you use, the more difficult a password is to crack. Length is key. Create lengthy passwords of at least 8 characters!
DO Use Passwords of At Least Six Characters Or Longer If Set By A System or Service: If you have a system in place that allows for new user creation, eg. an eCommerce site, a forum or basically any type of site that allows new users to sign up, the software should never allow less than a six character password.
DO Allow Support For At Least A 64 Character Length: This setting should allow for use of passphrases when selecting a password
DO Use a Combination of All ASCII Character Types: Use numbers, lowercase letters, uppercase letters and symbols in your password.
(ex. XkeDZaJ6QG3E8!jKq3%yIOd3) This increases the overall entropy of the password and increases its chances of being compromised (Password entropy is the measure of how arbitrary or uncertain a password is. A passwords entropy is based on the type of character set used (including uppercase, lowercase, numbers, and special characters) and the length of the overall password.)
DO Create Unique Passwords: Each password you use should be for a unique to each service you use (ex. cPanel, MySQL and, your bank account should all have different passwords).
DO Verify Your Password Is NOT Listed In Known â€œPassword Dictionariesâ€: Using an online tool or software (in your program) should check against known password lists and should always be utilized
DO Use A Password Manager: Current best practice dictates that users should use a password manager to remember long, difficult passwords
DO Randomly Generate the Password: Use one of the following sites to generate a secure password: Norton by Symantec, Random.org, or Random Password Generator
DO Allow For At Least 10 Password Attempts Before a Lockout Is Initiated: The specified threshold is usually a balance between practicality and security depending on your companies risk level. This should be an adequate balance between allowing for possible user error and, limiting brute force attacks
DO Use A Two-Factor Authentication System: The use of a Multifactor Authentication system as part of your security protocols will add an additional layer of protection. This includes methods like hardware key fobs, software like Google Authenticator and readable biometric data.
DO NOT Use Dictionary Words: If your password is pizzatime, your server is probably already hacked or worse yet, rooted.
DO NOT Change Your Password Often: Changing your passwords regularly is now discouraged according to the latest NIST research.
DO NOT Use Pets, People, Places, Events, etc.: We are absolutely sure your dog is awesome and adorable but, itâ€™s name can be an easy guess if someone is gathering info on you and would not make a good password. That is unless her name is B1gg13 $m@LL$ bu$t3r B3LLy J3lly b3an! That would be cool.
DO NOT Reuse Passwords: If your password for an account was â€œQuixotic.Princess1â€œ, and you were forced to change it, donâ€™t change it to â€œQuixotic.Princess2â€œ. If you have to change it again, do NOT go back to â€œQuixotic.Princess1â€œ. Create a new, unique password!
DO NOT Use Adjacent Keyboard Strings: qwerty1234 is not a secure password; neither is using a keyboard pattern of ANY kind (eg. wazsedxcfr or poilkjmnb). All of these keyboard patterns have been taken advantage of and are part of the software programs malicious actors use to scan for passwords.
GOOD Passwords: (please donâ€™t use these)