No matter how many letters, numbers, or special characters you give them and no matter how many times you change them, passwords are still @N0T_FUN! Learn about using strong passwords and a password manager as part of this year’s Cybersecurity Awareness Month.
"Cybersecurity Awareness Month is a collaborative effort between government and industry to raise cybersecurity awareness nationwide in order to ensure that all Americans have the knowledge and resources they need to be safe and secure online" (National Cybersecurity Alliance). It is held in October, and each week focuses on a different key behavior:
Cisco Duo is all about cybersecurity, so every week we’re going to publish a blog focused on those respective topics. This week’s topic, on passwords, is something most of us encounter in our daily lives, whether we’re logging into a banking site as a consumer, or into a work computer as an employee.
We use passwords to access computers, to access personal web applications over the internet, or to access business applications. Most of us get that they are a “necessary evil” to protect our digital resources, most are aware that they have security flaws and most agree that they are N0T_FUN!
But how did we get to this point where they are so pervasive to our lives, yet so flawed? Cybersecurity Awareness Month is dedicated to enlightening the world on digital security and since this week’s focus is on the use of passwords, we want to take a brief look at the past, present and future of them (or in the case of future we should say “passwordless”).
When passwords first came into use, they were a “good enough” method of controlling user access to digital systems. Computers were often shared, they were not widely networked, and they did not store information that was highly valuable to companies or extremely private to individuals. Passwords have remained in use since the dawn of the internet, and today they protect systems that are networked around the world and host invaluable digital resources.
In the present, although we know passwords are flawed and are N0T_FUN, we must live with them. To make the best of them, there are a few ways we can strengthen their use:
In our next blog on enabling multi-factor authentication (MFA) we will discuss why requiring another factor to complete authentication is important, so that if a password is compromised there is still another “lock on the door” to help keep bad actors out.
Perhaps an obvious, but underutilized, way to strengthen passwords is by making them more complex. The U.S. National Institute of Standards and Technology (NIST) has published guidelines on best practices for password complexity, along with several others on good hygiene and overall management.
Key tips include:
Length and Complexity: Make them at least 12 characters long, with a mix of uppercase and lowercase letters, numbers and special characters. Avoid using guessable information like names and milestone dates.
Avoid Personal Information: Ensure that your password does not contain any personal information, like a phone number. Cybercriminals can harvest this information through social engineering and deduce your password.
Unique for Each Account: Avoid reusing passwords across multiple accounts. If one account gets compromised, it becomes easier for cybercriminals to gain access to all your accounts (a technique known as password spraying).
Regular Changes: Regularly change your passwords, especially after any suspicious activity.
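To make the tips above concrete, here is an added example (not code from the original post or from Cisco Duo) of a password policy check that implements them: the minimum length, the character-class mix, a scan for fragments of the user's own personal details, and a reuse check against salted fingerprints of the passwords the user already has on other accounts. The profile data, the function names and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

MIN_LENGTH = 12          # the post's length tip
PBKDF2_ROUNDS = 100_000  # work factor for the per-account fingerprints below

# Constructed sample of personal details an attacker could learn by social engineering.
SAMPLE_PROFILE = {
    "name": "Alex Rivera",
    "phone": "555-0142",
    "birth_year": "1987",
    "pet": "Biscuit",
}


def _normalize(text):
    """Case-fold and Unicode-normalize so 'BISCUIT' and 'biscuit' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def personal_tokens(profile):
    """Split profile values into fragments (name parts, digit runs, last four digits) to look for."""
    tokens = set()
    for value in profile.values():
        norm = _normalize(value)
        for part in re.split(r"[\s\-_.@]+", norm):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", norm)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])
    return tokens


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 fingerprint of a password, stored as 'salt$digest' in hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def matches_hash(password, stored):
    """Constant-time comparison of a candidate against a stored fingerprint."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password(candidate, profile, other_account_hashes=()):
    """Return the list of policy violations; an empty list means the candidate passes."""
    problems = []

    # Length and complexity
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(not c.isalnum() for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Personal information (names, phone fragments, milestone years, pets)
    norm = _normalize(candidate)
    for token in sorted(personal_tokens(profile)):
        if token in norm:
            problems.append(f"contains personal information ({token!r})")

    # Unique per account: compare against fingerprints of passwords used elsewhere
    if any(matches_hash(candidate, h) for h in other_account_hashes):
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Fingerprints of passwords this user already uses on other accounts (constructed).
    elsewhere = [hash_password("Tr0ub4dor&3-Maple-Ship")]
    for pw in ["Biscuit1987!", "correct horse battery",
               "Tr0ub4dor&3-Maple-Ship", "Quartz-Lantern-7v!"]:
        print(f"{pw!r}: {check_password(pw, SAMPLE_PROFILE, elsewhere) or 'OK'}")
```

Keeping PBKDF2 fingerprints rather than the other accounts' passwords themselves lets the reuse check run without plaintext secrets sitting next to the policy code. The NIST guidelines the post refers to also recommend screening candidates against lists of passwords exposed in earlier breaches; that would fit as one more check in `check_password`.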
And while users may resist more complex passwords because they’re less convenient, a variety of password management vendors offer products that can help. Aside from simplifying the user experience, password managers can store and encrypt passwords for the hundreds of sites users may access, allowing them to use different and more complex passwords without having to remember them.
For more information, see NIST Digital Identity Guidelines.
The future of passwords is really to have no future at all, or to go “passwordless”. To be clear, that doesn’t mean eliminating authentication, but rather upgrading it by an order of magnitude. Central to this movement is the FIDO Alliance, a consortium of 250+ of the world's largest security companies, including Cisco. They have developed new methods like “passkeys” to overcome the weaknesses we’ve discovered in passwords over decades of use.
The FIDO2 standard employs the “something you have” and “something you are” factors that we will discuss in our next blog on enabling multi-factor authentication. Cisco Duo has developed a passwordless solution that integrates these standards and offers the strongest authentication and the easiest user experience at the same time.
Although passwords are just N0T_FUN, they will be around for years to come, and we need to make them as secure as possible to stay safe online! To give passwords proper credit, they have survived the test of time, provided value for decades, and given us many lessons to improve authentication for a more secure future online.
Cisco has capitalized on these lessons with the Duo Passwordless solution to ensure that if it’s connected it’s protected!
Try Duo for free!
Start our free 30-day trial and see how easy it is to get started with Cisco Duo and secure your workforce, from anywhere and on any device.