Recently it was worldwide "change your password" day!
I have a few thoughts.
If you attended the CSI CyberSecurity event in December, you heard the NYS SED CISO get caught up in the conflicting password guidance between NYS and the NIST CSF. Unfortunately, there was no breakthrough in that discussion, but NYS SED heard the message that clearer guidance is needed.
The time to crack an 8-character password with complexity is now estimated at about five minutes: against a fast, unsalted hash such as NTLM or MD5, commodity GPUs can exhaust the entire 8-character keyspace, and precomputed "rainbow tables" make reversing unsalted hashes faster still. (Rainbow tables are not the main driver; raw GPU guessing speed is, and a slow, salted hash blunts both.) Attackers' cracking rule sets already include every "replace an 'a' with an '@'" gimmick, so substitutions of that kind add little protection. All passwords should be a minimum of 12 characters with complexity. All passwords should also be backed by an MFA challenge that is not an SMS challenge, and every interface that touches the internet must require MFA, no exceptions.
The recent tech news is about Russian state actors breaking into Microsoft and reading employees' email through an account that was not protected by MFA!
MFA is not optional; this once again proves it.
You certainly could use a complex password such as M@rk3rs!1232%, which meets the 12-characters-with-complexity standard. However, many of your users will continue to struggle with passwords like this.
An alternative is to pick four unrelated words and then add the complexity characters needed to make the NYS auditors happy.
"cows corn volcano diesel" is an awesome password. I would argue that it is much easier to remember than my first password, and four words chosen at random are considered very secure (the strength comes from the number of possible word combinations, so the words really do need to be picked at random rather than lifted from a familiar phrase). However, it still flunks the NYS complexity standards. To reconcile these two issues you can do this:
"Cows-corn-volcano-diesel1"
It is still easy to remember and meets complexity requirements.
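Putting the passphrase approach into code, as an added example that is not part of the original post: a generator for a four-word passphrase in the `Cows-corn-volcano-diesel1` shape, a checker for a complexity policy, and an entropy estimate for comparison. The word list is a constructed stand-in for a real diceware list, and the policy (12 characters, at least three of four character classes) is an assumption modelled on the post's reading of the NYS rules, not the standard's actual text.

```python
import math
import secrets
import string

# Constructed stand-in word list; a real diceware list such as the EFF
# long list has 7776 words, which is where the entropy comes from.
WORDS = ["cows", "corn", "volcano", "diesel", "anchor", "basket", "copper", "dragon"]
EFF_LONG_LIST_SIZE = 7776


def policy_ok(pw, min_len=12):
    """Assumed complexity policy: length >= min_len and at least three
    of the four classes upper / lower / digit / symbol."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def decorate(words):
    """Join with '-', capitalise the first letter, append '1':
    ['cows', 'corn', 'volcano', 'diesel'] -> 'Cows-corn-volcano-diesel1'."""
    joined = "-".join(words)
    return joined[:1].upper() + joined[1:] + "1"


def make_passphrase(n_words=4, wordlist=WORDS):
    """Pick words uniformly with `secrets` (never `random`), then decorate."""
    return decorate([secrets.choice(wordlist) for _ in range(n_words)])


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n words chosen uniformly from a list. The fixed
    decoration adds nothing once the attacker knows the pattern."""
    return n_words * math.log2(list_size)


def random_string_entropy_bits(pw):
    """Upper bound for a character-by-character random string drawn from
    the classes present in pw; a mangled word like 'M@rk3rs' is far below it."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in ["cows corn volcano diesel", "Cows-corn-volcano-diesel1", "M@rk3rs!1232%"]:
        print(f"{pw!r}: policy_ok={policy_ok(pw)}")
    print("generated:", make_passphrase())
    print("4 words from the EFF list: %.1f bits" % passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE))
```

Four words from a 7776-word list give about 52 bits however they are decorated; that is the figure to weigh, not the character count. The hyphens, capital and trailing digit exist only to satisfy the checker, and picking words from a phrase you already know instead of at random drops the entropy well below that.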
It is something to think about as we try to balance ease of use with security.
-Scott Quimby, CISSP