Agnes Kirk

New, and improved, rules for pa$$w0rd$

cybersecurity.wa.gov
3 min read · Nov 9, 2017


If you’re tired of regularly coming up with new passwords that look like comic book expletives — Ih8_th1$! — I’ve got some good news.

The National Institute of Standards and Technology (NIST) recently updated its digital identity guidelines, Special Publication 800-63B, including the rules for passwords. The guidelines now favor long, memorable passphrases, such as several ordinary words strung together, and drop the old composition rules that required a mix of letters, numbers and symbols. That is a significant change from past advice. NIST publishes the security standards that federal agencies follow, and much of the private sector adopts them as well.

Research has shown that attackers who obtain a stolen password database can guess a short string of random characters far faster than a long phrase made of several words, because every additional character multiplies the number of guesses needed. NIST also says it is not necessary to change your password every 90 days; change it when you have reason to believe it has been stolen or exposed in a data breach. If you have been notified that your information was exposed, change the password on that account right away, along with any other account where you reused it.

All that said, a strong password alone is no longer sufficient to protect your most sensitive information, including financial accounts. Even the best password can be phished, captured by malware, or stolen in a breach at the service that stores it.

I recommend that you also use multi-factor authentication. I personally use it to protect my personal information. Many companies, Google for example, offer "two-step" authentication that requires typing in a six-digit code, in addition to your login and password, in order to log in.

The most common form is a code sent to your phone by text message, which you then type into the login page. However, researchers have shown that attackers can hijack SMS messages, for example by taking over your phone number at the carrier (a "SIM swap") or by abusing the telephone signaling network, and read your codes.

A more secure method is an app-based code generator on your phone, such as Google Authenticator. The app computes a one-time code from a secret shared with the site when you enrolled and the current time, so the code never travels over the phone network and cannot be intercepted the way a text message can. One risk remains: a fake login page can trick you into typing the code, so check the address before entering it.

Taking this step means that even if attackers stole your login and password, they could not get into your accounts without also having your phone and its code generator.

The constant barrage of news about data breaches may make it seem like there’s nothing you can do to protect yourself, but the steps I’ve just outlined are easy to take and they will help protect your personal information.

Sincerely,

Agnes Kirk, Washington State Chief Information Security Officer

Ph: 1.888.241.7597 or cybersecurity@ocs.wa.gov

