Things you should know about passwords, such as 'writing passwords on paper is surprisingly safe,' 'changing passwords periodically is dangerous,' and 'requiring the use of a mixture of symbols and numbers is a no-no.'
Many people follow password-management 'know-how' such as 'change your password regularly' or 'mix symbols and numbers when creating a password.' However, these practices actually carry a high security risk and are not recommended in the guidelines of the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) or the National Institute of Standards and Technology (NIST).
Internet Safety and Security Handbook Ver. 5.00 Chapter 6
(PDF file)
NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review | NIST
https://www.nist.gov/news-events/news/2024/08/nist-releases-second-public-draft-digital-identity-guidelines-final-review
◆ Changing your password regularly is dangerous
In the past, information education recommended 'changing passwords regularly,' but at the time of writing this article, this is considered a dangerous practice. According to the 'Internet Safety and Security Handbook' published by the NISC, changing passwords regularly can lead to risks such as 'simplification or repetition of passwords' and 'reusing the same password for multiple services.'
◆ Managing passwords by writing them down on paper is surprisingly safe
The NISC recommends safe methods for managing passwords, such as 'writing them down in a physical paper notebook' and 'recording them in a password management app for smartphones.'
A physical paper notebook cannot be connected to the Internet, making it resistant to cyber attacks. Furthermore, stealing passwords recorded on paper requires a physical act of theft in the real world, minimizing the risk.
Although password management apps exist for PCs as well, NISC recommends smartphone apps because 'smartphones are designed to have sufficiently high security.' However, care is needed about how an app handles its data: 'apps that store passwords on the smartphone' should be preferred over 'apps that store passwords in the cloud.'
Many web browsers, such as Edge and Chrome, have a feature that allows users to save and automatically fill in passwords. However, NISC urges users not to use this feature because of the risk that passwords may be used by others when users are away from their desk, or that their personal information may be stolen if their computer is hacked.
◆ It is not OK to require the use of symbols and numbers
Password creation screens for web services and other services often have conditions such as 'Please use at least one symbol or number.' However, the 'Digital ID Guidelines Revised Edition 4 (SP 800-63-4)' published by NIST indicates that the condition of mixing symbols and numbers can be a risk.
According to NIST, if a user is required to use a mixture of uppercase letters, symbols, and numbers, they are more likely to change their password to something predictable, such as 'Password,' 'Password1,' or 'Password1!'. As a result, an attacker can defeat the security measure simply by adding such predictable passwords to the word list used in a dictionary attack.
Even if users choose a 'very complex password' for security reasons, they may end up storing the password in an electronically insecure location because they cannot remember it.
◆ The longer the password, the better
NIST advises administrators of web services, etc. that 'the minimum password length should be set to at least 8 characters.' It also states that 'the minimum password length should be set to 15 characters or more if possible.' In addition, the NIST guidelines also state that 'the maximum password length should be 64 characters or more if possible.'
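As an added illustration of the two sections above (not code from the article, NISC or NIST): a legacy checker that enforces the symbol-and-number rule the article warns about, beside a checker that applies the length limits just quoted and a comparison against a list of predictable passwords of the kind attackers load into a dictionary attack. The list and its entries are constructed for the example.

```python
import unicodedata

MIN_LEN = 8         # NIST floor for user-chosen passwords
PREFERRED_LEN = 15  # the article: "15 characters or more if possible"
MAX_LEN = 64        # the article: permit at least 64; a service may allow more

# Constructed stand-in for a list of predictable / commonly used passwords.
COMMON_PASSWORDS = {"password", "password1", "password1!", "qwerty", "123456"}

def legacy_check(candidate: str) -> bool:
    """The composition rule the article warns about: at least one digit and
    one symbol, 8-16 characters. 'Password1!' passes; a long passphrase fails."""
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in candidate)
    return 8 <= len(candidate) <= 16 and has_digit and has_symbol

def check_password(candidate: str, blocklist=COMMON_PASSWORDS) -> tuple[bool, str]:
    """Length plus blocklist, no character-class rules. Returns (accepted, reason).
    NFKC normalisation makes full-width 'Ｐａｓｓｗｏｒｄ１' compare equal to
    'Password1', so the blocklist cannot be bypassed with look-alike characters."""
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Case-insensitive comparison: 'Password1!' is the same guess as 'password1!'
    if pw.casefold() in blocklist:
        return False, "appears in the list of commonly used passwords"
    if len(pw) < PREFERRED_LEN:
        return True, f"accepted; {PREFERRED_LEN} or more characters is preferred"
    return True, "accepted"

if __name__ == "__main__":
    for pw in ["Password1!", "correct horse battery staple", "Ｐａｓｓｗｏｒｄ１"]:
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={check_password(pw)}")
```

Note the inversion: the legacy rule accepts 'Password1!' and rejects the 28-character passphrase, while the length-and-blocklist check does the opposite.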
◆ 'Password hints' should not be implemented
Some websites display a 'password hint' in the password input field to help users when they forget their password. However, NIST urges websites not to implement 'password hints' due to security concerns.
◆ 'Secret Questions' should not be implemented
Some websites require users to set 'secret questions' to verify their identity when changing their passwords, but NIST recommends that these practices be discontinued.
◆ Internet Safety and Security Handbook
The Internet Safety and Security Handbook published by the NISC covers basic cybersecurity knowledge and how to use SNS (social networking services) safely, in addition to password management methods. The handbook is available for free at the following link.
Internet Safety and Security Handbook - NISC
https://security-portal.nisc.go.jp/guidance/handbook.html
In addition, the 'Digital ID Guidelines Revised Edition 4 (SP 800-63-4)' published by NIST in August 2024 can be read at the following link.
NIST Special Publication 800-63B
https://pages.nist.gov/800-63-4/sp800-63b.html
in Security, Posted by log1o_hf