The Problem with Passwords

September 27, 2017

Data security must be a priority for every business. With regulations and compliance requirements in place to protect the security of your customer, business partner and employee data, a company could be held liable if any of that information is lost due to its negligence.

Companies use a variety of policies, from the certified destruction of paper documents to a clean desk policy, to help them meet their data security obligations.

One of the most basic safeguards against information leaks is the password that employees and customers use to access information online. But developing passwords that are difficult for hackers to crack, yet simple enough for users to remember, has been an ongoing problem.

The passwords we originally used, when it first became common to store sensitive information on the web, were easily cracked. To make them easy to remember, users created passwords like ‘password’, and it didn’t take very long for hackers to figure out how to get past them.

In 2003, the National Institute of Standards and Technology (NIST) recommended that, instead of easily-guessed words, passwords should be random strings of keyboard characters combining upper- and lower-case characters and symbols. Something like this: Ty5^&bb01Z.

But, again, the need to remember passwords led users to adapt the policy in easy-to-remember ways, and the idea of substituting ‘random’ characters into regular words was born. The problem was that those ‘random’ characters soon became far less random, as people swapped similar-looking characters for letters in easier-to-remember words. That ended up producing passwords like this: P@$$w0rd.

Again, that style of password was soon busted.

It wasn’t until June of 2017 that NIST finally modified its 2003 recommendations to combine the randomness needed in passwords with the ability to keep them easy to remember.

Current Best Practices for Passwords

NIST’s new recommendations are that we should use longer passwords composed of a string of random words, like this: houseoptionrocketskating. NIST’s research shows that a long random-words password is as difficult to crack as a string of random characters, but much easier to remember.
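As an added example (not part of the original post, and not a tool from NIST), the following Python script shows the arithmetic behind the comparison above and why the earlier P@$$w0rd-style password fails. A random-words passphrase gets its strength from two numbers only: how large the word list is and how many words are drawn from it uniformly at random, so its entropy in bits can be computed and set beside that of a random-character string. The 32-entry word list, the substitution table and the four-word blocklist are constructed samples for this example; the 7776-word figure in the comparison is the size of the published Diceware list, and a real check would use a large breached-password list rather than the toy blocklist.

```python
import math
import secrets
import string

# Constructed sample word list (32 entries, so each randomly chosen word adds
# exactly log2(32) = 5 bits). A real generator would use a large published
# list such as the 7776-word Diceware list; only the list size matters here.
SAMPLE_WORDS = [
    "house", "option", "rocket", "skating", "apple", "bridge", "candle", "desert",
    "engine", "forest", "garden", "harbor", "island", "jungle", "kettle", "ladder",
    "marble", "needle", "orange", "pillow", "quartz", "river", "saddle", "tunnel",
    "umbrella", "valley", "window", "yellow", "zebra", "anchor", "basket", "copper",
]

# The 94 printable ASCII characters a random-character password draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def words_needed(wordlist_size, target_bits):
    """Smallest number of random words from a list of `wordlist_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, count, sep=""):
    """Pick `count` words uniformly at random with a CSPRNG; the user never chooses them."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_random_string(length, alphabet=PRINTABLE):
    """Random-character password of the 2003 style, for comparison."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Illustrative substitution table (an assumption for this example, not a NIST rule):
# undoing common look-alike swaps shows that P@$$w0rd is just "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed mini blocklist; a real check would use a large breached-password list.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome"}


def normalize(candidate):
    """Lower-case the candidate and undo look-alike substitutions."""
    return candidate.lower().translate(LEET)


def is_blocklisted(candidate, blocklist=BLOCKLIST):
    """True when the candidate is a known-weak word, with or without substitutions."""
    return normalize(candidate) in blocklist


if __name__ == "__main__":
    diceware_size = 7776
    print("P@$$w0rd blocked:", is_blocklisted("P@$$w0rd"))
    print("4 Diceware words: %.1f bits" % entropy_bits(diceware_size, 4))
    print("10 random chars:  %.1f bits" % entropy_bits(len(PRINTABLE), 10))
    print("words to match 10 random chars:",
          words_needed(diceware_size, entropy_bits(len(PRINTABLE), 10)))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    print("sample random string:", generate_random_string(10))
```

The point the numbers make is that a passphrase is only as strong as the process that produced it: four words drawn at random from a 7776-word list give about 52 bits, six give about 78 bits and beat a ten-character random string, but a phrase the user assembled from favourite words is not a uniform draw and the formula no longer applies. Generation therefore belongs in code that uses `secrets`, and a policy check should normalize substitutions before comparing against a blocklist, so that P@$$w0rd is rejected for the same reason as password.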

It would be a mistake to think that using the new password guidelines will eliminate the problem of password cracking now and forever. Companies should always be on the lookout for policies and practices to help make their passwords as secure as possible. After all, they are the gateway to all the sensitive data you need to protect.

