Top Ten 2019 Password Security Standards

Here are the top ten password security standards and specification for 2019. Use these tips to increase your overall security and remember, your server is only as secure as your weakest password or point of authentication.

Follow these top 10 best practices for 2019 to better protect all of your information.

Best Practices

NIST: the (National Institute of Standards and Technology) is defined as:

“the non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.”¹

We take our queues from this agency as the national standard for many measurable references including passwords. They have updated and revised the newest password standards for 2019;

Here is a summary of that information:

DO:

• DO use passwords of at least eight characters or longer if set by a person: The more characters you use, the more difficult a password is to crack. Length is key. Create lengthy passwords of at least 8 characters!
• DO use passwords of at least six characters or longer if set by a system or service: If you have a system in place that allows for new user creation, e.g. an eCommerce site, a forum or basically any type of site that allows new users to sign up, the software should never allow less than a six character password.
• DO allow support for at least a 64 character length:  This setting should allow for use of passphrases when selecting a password
• DO use a combination of all ASCII character types: Use numbers, lowercase letters, uppercase letters and symbols in your password.
  (ex. XkeDZaJ6QG3E8!jKq3%yIOd3) This increases the overall entropy of the password and increases its chances of being compromised (Password entropy is the measure of how arbitrary or uncertain a password is. A password’s entropy is based on the type of character set used (including uppercase, lowercase, numbers, and special characters) and the length of the overall password.)
• DO create unique passwords: Each password you use should be for a unique to each service you use (ex. cPanel, MySQL and, your bank account should all have different passwords).
• DO verify your password is NOT listed in known “Password Dictionaries”: Using an online tool or software (in your program) should check against known password lists and should always be utilized
• DO use a password manager: Current best practice dictates that users should use a password manager to remember long, difficult passwords
• DO randomly generate the password: Use one of the following sites to generate a secure password: Norton by Symantec, Random.org, or Random Password Generator
• DO allow for at least 10 password attempts before a lockout Is Initiated: The specified threshold is usually a balance between practicality and security depending on your companies risk level. This should be an adequate balance between allowing for possible user error and, limiting brute force attacks
• DO Use A two-factor (2Fa) authentication system: The use of a Multi-factor Authentication system as part of your security protocols will add an additional layer of protection. This includes methods like hardware key fobs, software like Google Authenticator and readable biometric data.

DO NOT

• DO NOT Use Dictionary Words: If your password is pizzatime, your server is probably already hacked or worse yet, rooted.
• DO NOT Change Your Password Often: Changing your passwords regularly is now discouraged according to the latest NIST research.
• DO NOT Use Pets, People, Places, Events, etc.: We are absolutely sure your dog is awesome and adorable but, it’s name can be an easy guess if someone is gathering info on you and would not make a good password. That is unless her name is B1gg13 $m@LL$ bu$t3r B3LLy J3lly b3an! That would be cool.
• DO NOT Reuse Passwords: If your password for an account was “Quixotic.Princess1“, and you were forced to change it, don’t change it to “Quixotic.Princess2“. If you have to change it again, do NOT go back to “Quixotic.Princess1“. Create a new, unique password!
• DO NOT Use Adjacent Keyboard Strings: qwerty1234 is not a secure password; neither is using a keyboard pattern of ANY kind (e.g… wazsedxcfr or poilkjmnb). These keyboard patterns have been taken advantage of and are part of the software programs malicious actors used to scan for passwords.

Examples

BAD Passwords:
awesomedog1
sunshine12
coolguy18

GOOD Passwords: (please don’t use these)

• Da$up#aPhAJ*cRe3
• *@7X#JjI6j4e#cC2ax
• 8c0e^zi&ISEk%9&0Wa

Passphrases

I am sure we’ve all seen or remember the comic from xkcd regarding passwords…

A joke, a hobby, a quote from a book/movie or, an interest of some sort can be used as the basis for a secure password. Take the quote, “May the force be with you.” from Star Wars. We can build this into a more secure password by simply changing out some characters and adding a few numbers: May1the2force3be4with5you6! That’s a more secure password that would be much easier to remember but would I trust my banking information to that password? Probably so but I think I can do better…

This gives us the following score:

Score:	100%
Complexity:	Very Strong

The site https://howsecureismypassword.net/ states:

It would take a computer about 682 NONILLION YEARS to crack your password

That’s 10³⁰ years! I’m ok with this…

But using this same movie quote and turning it into a passphrase increases its security even further; Going from “May the Force be with you.” converted to something like M@y Th3 F0rC3 b3 w1tH y0u!
This gives us the following score:

Score:	100%
Complexity:	Very Strong

The site https://howsecureismypassword.net/ states:

It would take a computer about 3 DECILLION YEARS to crack your password

That’s 10³³ years! I’m better with that…

GOOD Passphrase Examples:

• G0 @h3@d, M@k3 My Day!
• *M@y tH3 F0rc3 b3 W1th y0U*
• TH3r3’5 n0 pL@c3 l1K3 h0m3_

Remembering Passwords

The use of password managers is now recommended and can improve your ability to utilize stronger passwords but, bear in mind that a Password Manager is only as strong as its gateway passphrase which can allow access to ALL of your passwords.

Although Liquidweb does not endorse any specific password manager, we can, however, provide a list of the most popular ones:

• Keeper
• Dashlane
• LastPass
• 1Password
• 1KeePass 
• PWSafe
• Here is a full list of all the major password managers information.

Authentication

The newest models for multi-factor authentication ideally identifies four common factors as the essential methods of authentication:

• Something you personally know (e.g., a passphrase).
  Something you personally have on you (e.g., an employee ID badge or a key fob).
  Something you personally own (e.g., a fingerprint, facial recognition, retinal ID or, other types of biometric data).
  Somewhere you specifically are (e.g… your GPS location or on a network at work)

Tools

Here are two sites that test for password strength to test out your password strength.
https://howsecureismypassword.net/
http://www.passwordmeter.com/

Here is a reliable site to see if any of your existing passwords have been compromised
https://haveibeenpwned.com/Passwords

Utilizing one or more of these options to your increase in password strength can significantly improve your overall security and protection. Would you like to know more about the security tools Liquidweb has available? Open a ticket with us at support@liquidweb.com, give us a call at 800-580-4985 or open a chat with us to speak to one of our Level 3 Support Admins or a Solutions Advisor today!

https://r8s.io/2t