In a guest post for National Cyber Security Awareness Month, Charlie Mewshaw, IT Security Specialist with the Information Security Office, answers often-posed questions about passwords, including what constitutes a secure password, why password policies are the way they are, and why everything associated with passwords seems so complicated.
Let’s talk about passwords. And how we can make them easier – and safer! We use them every day, across multiple sites and applications, and every couple of months we change them. It’s usually around the time we change them that a few common questions tend to come up.
Why does it have to be so complicated?
This is a sentiment that even the most stalwart of security minded users may at some point find themselves feeling. To shed light on the reasons why password policies are the way they are, let’s first take a look at the concept of password entropy. Password entropy is a term used to describe how unpredictable a password is — and therefore how hard the password is for an intruder to guess. The higher a password’s entropy, the more secure it is, and in recent years this has been achieved by utilizing a combination of character rules.One of the driving forces behind password policies has been the 2004 National Institute of Standards and Technology (NIST) Special Publication 800-63-2; however, June 2017 saw the release of a new publication, NIST 800-63B, which is set to turn the previous guidelines in a different direction. The emerging guidelines from the new publication recommend favoring longer passwords, such as phrases, over the traditional use of complicated strings of numbers, letters and symbols. An example of a phrase might be “I-hate-changing-my-password-every-90-days!” As new NIST guidelines are reviewed and implemented over time, administrators will hopefully be able to alleviate some of the mental gymnastics users go through to concoct effective passwords, while still ensuring a strong security posture.
So why can’t I use the same password for all my accounts?
One reason behind rules relating to password changes is that some users have a tendency to re-use passwords across different accounts. Unfortunately, we can’t possibly protect all of those accounts — think about an obscure app or website you’ve made an account for and forgotten about. The idea is that by having a diversity of passwords, even if an outside account is breached and your Onyen username is the same as that username, your UNC password will be different from other passwords you might use.For full details on UNC-Chapel Hill password policies, you can find more information on the ITS Policies, Procedures and Guidelines page, and also at help.unc.edu.
That all sounds good, but how am I supposed to keep track of different passwords, especially complicated ones?
One option is a little piece of paper next to your computer…but that is a terrible option! Instead, check out a password manager. A password manager will securely store your passwords for sites and applications, and even help generate complex passwords that it will remember for you. There are many options for password managers out there, if you would like guidance as to which might be the right fit for you, contact the Information Security Office via security@unc.edu or call 919-445-9393.