What a wonderful thought and a great step in the right direction – let’s deny the use of the 10,000 worst passwords. I am being serious, as is this article. It is time to stop simply laughing at the poor decisions of our end users and begin to build controls and limitations on poor password decisions. It is time to mandate better credentials – passphrases, multi-factor authentication requirements, and proper password management tools. It is time for webmasters and sysadmins to pick up the torch of password security and quit bending to the whim of a lowest-common-denominator approach to end user management.
Kudos to Microsoft for heading down this path and taking one more step closer to better password security. It is still not a perfect-world scenario, but it is better than the basic controls inherent to the OS.
So many words to describe the statistics shared in this article – sad, depressing, pathetic, lazy… did I mention sad and depressing? There really is no reason for this. Strong, safe, effective password managers exist. They are free or cost effective. They are easy to use. They truly save time and money. We really have no good excuse to be in this situation.
I am a firm believer that a good password manager should be an essential part of every person’s security toolbox. LastPass has been a strong player in this space for some time and has built a large user base through the availability of a feature-rich free version. These changes in the LastPass pricing structure may cause some to pause when looking at the product, but they should not cause anyone to walk away from the value of sound password management.
Here is some additional motivation to stop the reuse of credentials across multiple services and websites.
As this article states, the biggest challenge in a breach like this is the fact that so many users reuse the same usernames and passwords across a large portion of their online accounts. If you are a user of this service, you have already been forced to change your password. Take this breach as a warning to not replicate the same credentials all over the internet. Use a password manager. Use unique passwords.
This is exciting news and a very smart, practical move by the team at NIST. Length of passwords trumps complexity in most situations when an end user is left to his or her own devices. I am glad to see these changes and encourage all administrators and IT security professionals to use these changes as an opportunity to better educate end users in the proper setup and usage of passwords.
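The two controls discussed above, a blocklist of the most common passwords and a minimum length in place of composition rules, come together in one acceptance check. This is an added example, not Microsoft's or NIST's code; the blocklist is a constructed sample standing in for a full common-password list, and the 12-character minimum is an assumed site policy (NIST SP 800-63B's floor is 8).

```python
"""Password acceptance check: reject common passwords, require length,
and deliberately impose no uppercase/digit/symbol composition rules."""

import unicodedata

# Constructed sample; a real deployment loads the full common-password list.
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

# Assumed site policy; NIST SP 800-63B requires at least 8 characters.
MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Canonicalise before comparing so trivial variants of a banned
    password ('Password', 'PASSWORD') are still caught."""
    return unicodedata.normalize("NFKC", password).strip().casefold()


def blocklist_variants(password: str) -> set[str]:
    """Forms of the password to look up in the blocklist. Besides the
    normalised form, also try it with trailing digits removed, so
    'Password1234' is recognised as a dressed-up 'password'."""
    base = normalize(password)
    return {base, base.rstrip("0123456789")}


def check_password(password: str, blocklist=SAMPLE_BLOCKLIST, min_length=MIN_LENGTH) -> list[str]:
    """Return the reasons the password is rejected; an empty list means accepted.
    Spaces are allowed, so long passphrases pass on length alone."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if blocklist_variants(password) & blocklist:
        reasons.append("on the common-password blocklist")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password1234", "Tr0ub4dor&3", "qwerty"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```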