You know the advice you used to get about creating good passwords? It’s been updated for 2019! But don’t be confused about what the advice really means.
The highly circulated news that you no longer have to update your passwords except under certain circumstances has been badly misunderstood. Here are three charts that explain the real deal about changing passwords and what else has changed for 2019:
First, if you’re already using a password manager to store unique, complex passwords for each account and have activated
two-factor authentication (2FA) for all accounts, including your password manager, you’re good to go. But if you ever stray from this best-practices approach — even just once in a while — it’s time to change what you do.
New guidelines if you use a password manager
No matter how good your passwords, securing your accounts with 2FA is the way to go moving forward. Verifying it’s really you trying to log in is key. Your passwords, even your main password for your manager password, may have been compromised without your knowing it.
| OLD | NEW | WHY |
| Use a unique, complex password for each account | Same advice (this will never change) | If the password on one account is compromised, others are not |
| Use a password manager to generate, store, and secure your passwords | Use a password manager that also offers 2FA like LastPass or Dashlane | Since all your passwords are stored here, you need an extra login layer to lock down your account |
| Use a single sign-in platform (from Google, Facebook, Apple and Active | Add 2FA to every platform you use, including (and especially) all single | Single sign-in accounts need to be as secure as your password manager |
| Directory for business, for example) to minimize the need for extra passwords | sign-ins |
New guidelines if you don’t use a password manager
NIST, or the National Institute of Standards and Technology, the government agency that researches and shares best practices for cybersecurity (among many other things), released its latest guidelines earlier this year — key changes are outlined above. They focus on simplicity for the user. Studies prove that the easier it is to follow the guidelines, the more likely it is users will adhere to them. The new guidelines have also generated some confusion for users.
| OLD | NEW | WHY |
| Use a unique password for each account | Same advice (this will never change) | If the password on one account is compromised, others are not |
| Change passwords every 90 days | *Only change passwords after a breach or when passwords are forgotten, phished, or stolen* | People don’t typically adhere to this advice and frequent changes are ineffective — users tend to change one character only or reuse other passwords |
| Use a complex sequence of letters, numbers, and symbols | Use a passphrase or sentence that you’ll remember and is hard to guess | Words strung together are easier to remember and therefore create and use |
| The longer the complex password, the better | Using really long passphrases or sentences is best — up to 64 characters (eight characters minimum) | Password-cracking tools can’t handle super-long passwords |
| The better your password, the safer your account | Always use two-factor (2FA) or multi-factor authentication (MFA) when available | Adding more authentication layers is safer than using the best passwords ever |
| Take advantage of password hints | Don’t use password hints | They give clues for guessing passwords |
*Leapfrog recommends you continue to change passwords every 90 days if you’re not using a password manager, 2FA, or single sign-in.
Shoot for six or more words when using passphrases or password sentences. While some account providers only allow passphrases with no spaces between the words, others follow the NIST recommendations and allow spaces. Still, others allow emojis, which can be very easy to remember and hard to crack. These examples can help point you in the right direction:
- BreakingBadorGameofThrones??
- I’m the #1 Braves fan and want them to win the pennant
- I would eat pizza 7 nights a week if I could!
- When ?was little I wanted to be a ?
- By2040wewillrockettoMars
Don’t use a string of a few dictionary words, though, such as fishcastledaydream. Even though it has 18 characters, password-cracking tools look for this. To verify you’re not using a password that’s popular or has been stolen, which means it will be in password-cracking databases, search for it on a list like Wikipedia (use your browser’s search function to search for your password) and enter it into Pwned Passwords (the site is secure).
New guidelines for account providers
NIST tells account providers they need to up their game in 2019 as well. If your providers are not offering 2FA, consider whether you want to continue to do business with them. It’s not difficult for providers to integrate 2FA into their platforms. There are plenty of off-the-shelf options they can offer you, including one-time security codes by text — they don’t have to build their own.
Also, reconsider having an account with providers that don’t permit long passwords. This means they’re probably using old technology, which means they’re probably not secure.
| OLD | NEW | WHY |
| Users should be responsible for choosing appropriate usernames and passwords to protect their account | Providers should provide 2FA to secure their users’ accounts | It’s the account provider’s responsibility to provide a more secure verification process |
| Users need to retype their password a second time to authenticate their identity | Providers should allow password copy/paste in login fields | Copy/paste promotes the use of password managers and stolen passwords can be entered twice |
| sers need to use symbols in their passwords | Providers should let users choose whatever characters they want | Requiring specific symbols gives clues to hackers and promotes password reuse |
| Users can opt in to 2FA if they want | 2FA should be required to login | 2FA provides better security and reduces the need for complex passwords |
| Users can choose whether or not to change their passwords after a breach | Providers should force users to change their passwords after a breach | Once a password has been compromised, it’s no longer secure |
Quick recap of new rules
Rule #1
Use a password manager/vault with 2FA. It’s not hard to make the switch — here’s a good primer.
Rule #2
If you can’t bring yourself to use a password manager, stick to the new guidelines until you’re ready.
While taking the time to set up a password manager and using 2FA may seem like they complicate the login process that you’re accustomed to, they simplify it. You will no longer have to generate or remember passwords (except for your main login password) and some managers let you change passwords with one click.
Zero-trust authentication is best of all. This includes, among other things, an account provider sending you an approval notification to a pre-registered device. This allows you to approve or deny access on the spot. Apple, Google, and Microsoft are using zero-trust in some areas. Look for more account providers to (hopefully) zero-trust shortly.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.
