Passwords

It is estimated that it costs businesses $70 to reset a password [1]. I reset more than ten a week. Weak passwords abound. Password, 123456, and admin have cost companies millions of dollars.

Passwords aren't going away anytime soon. So what to do? Use strong passwords. That's nice. But complex passwords are hard to use. Users hate changing their passwords. What to do?

Use good passwords

Highlights from the Password Guidelines from NIST - 2018

Recommendations

Remove periodic password change requirements
This is one that legions of corporate employees forced to create a new password every month will surely be happy about. There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, but the industry has doggedly held on to the practice. Hopefully, these new recommendations will change that.

Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords.

Require screening of new passwords against lists of commonly used or compromised passwords
One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.

I work in education IT. Teachers suck at protecting information. Give me a room full of teachers. I am going to start guessing passwords. Your child, cat, dog, boyfriend, husband if you are female. Your sport, team mascot, home team (pro), vehicle if you are male. The subject you teach. I probably have over 80% of the accounts.

Complete article from PasswordPing
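
One way to apply the screening recommendation above at password-set time, as an added example that is not code from NIST or PasswordPing. The blocklist, the personal terms, and the function names are constructed for illustration; the 8-character minimum is the NIST SP 800-63B floor, and no character-mix rule is enforced.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment loads a large list of
# common and breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords

# Common character swaps, undone before comparing against the lists.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed example of the terms the page says get guessed first:
# pet name, home team, subject taught.
TEACHER = ["Bella", "Tigers", "Algebra"]


def normalize(password):
    """Reduce a password to the base word a guesser would try first."""
    text = unicodedata.normalize("NFKC", password).casefold()
    text = re.sub(r"[\d\W_]+$", "", text)  # "Password1!" -> "password"
    return text.translate(LEET)            # "p@ssw0rd"   -> "password"


def screen_password(password, context_words=()):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    lowered = password.casefold()
    base = normalize(password)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("common password")
    for word in context_words:
        w = word.casefold()
        # Skip very short terms to avoid rejecting on accidental substrings.
        if len(w) >= 4 and (w in lowered or w in base):
            reasons.append("contains personal term: " + word)
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "B3lla2019", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate, TEACHER) or "accepted")
```

A password that satisfies a classic complexity rule, such as `Password1!`, is rejected here, while a long all-lowercase passphrase passes.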


Create and test passwords

Dashlane Password Generator

Check Passwords: Password Checker from PasswordPing

Enter a password in the box to test its strength. The password checker will also tell you if the password appears in a hacked password database.