New from NIST: Improve Your Security, Rethink Password Policies

Passwords remain a major risk to enterprises. This is true even though safe password practices have been widely promoted for a decade. Nearly half (49%) of incidents cited in Verizon’s 2023 Data Breach Investigations Report involved compromised passwords.

Enter NIST’s new Digital Identity Guidelines, SP 800-63-4. In the new report, NIST advocates dropping onerous password requirements and focusing on the practices that are most effective. Let’s look at a few of the updated guidelines.

  • Do not require users to change passwords periodically; mandate a change only when there is evidence of compromise.
  • Require passwords of at least eight characters. The recommended minimum length is 15 characters.
  • Do not impose other composition rules, e.g., requiring mixtures of different character types.
  • Do not prompt users to use knowledge-based authentication, e.g., “What was the name of your first pet?”

Mandatory password changes are ingrained in enterprises. But NIST considers mandated changes to be outdated. Research has found that frequent password changes lead people to make minor changes that fit a pattern, e.g., MinnVikings56 is followed by MinnVikings57. These patterns are often quickly cracked by algorithms. NIST recommends changing passwords only when there is evidence of compromise.

To make passwords safer, NIST recommends long passwords, at least 15 characters. A 12-character password takes 62 trillion times longer to crack than a six-character password.

Per NIST, passwords should consist of random characters or phrases.
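The rules above (minimum of eight characters, 15 recommended, no composition rules, no periodic rotation) translate directly into verifier-side policy code. The following is an added example written for this post, not NIST’s or Mobile Helix’s code. The blocklist comparison it performs (rejecting commonly used or compromised values and context-specific strings such as the username) is the NIST SP 800-63B requirement that accompanies these rules and is not described on this page; the sample blocklist, the `username`/`service` inputs and the `evidence_of_compromise` flag are constructed for illustration.

```python
"""Password policy modelled on the NIST SP 800-63 rules summarised above.

Added example, not code from NIST or from this post's author.
Assumptions (not from the page): the blocklist categories follow
NIST SP 800-63B; the sample blocklist and the compromise flag are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set
import unicodedata

MIN_LENGTH = 8           # NIST minimum
RECOMMENDED_LENGTH = 15  # NIST recommended minimum

# Constructed stand-in for a breach-corpus / common-password feed (lowercase).
SAMPLE_BLOCKLIST: Set[str] = {
    "password", "123456", "qwerty", "letmein", "minnvikings56", "minnvikings57",
}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)   # why it was rejected
    advice: List[str] = field(default_factory=list)    # non-blocking hints


def normalize(password: str) -> str:
    # NFKC so visually identical Unicode strings compare equal. Spaces and every
    # printable character are allowed, so passphrases work as-is.
    return unicodedata.normalize("NFKC", password)


def check_new_password(password: str, username: str = "", service: str = "",
                       blocklist: Set[str] = SAMPLE_BLOCKLIST) -> PolicyResult:
    """Decide whether a proposed password may be set. No composition rules."""
    pw = normalize(password)
    result = PolicyResult(accepted=True)

    # Length is counted in code points, not bytes, so non-ASCII is not penalised.
    if len(pw) < MIN_LENGTH:
        result.accepted = False
        result.reasons.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        result.advice.append(f"consider {RECOMMENDED_LENGTH}+ characters")

    # Blocklist: commonly used / previously compromised values. Compared
    # case-insensitively here, which is stricter than an exact-match corpus.
    low = pw.lower()
    if low in blocklist:
        result.accepted = False
        result.reasons.append("appears in a compromised or common password list")

    # Context-specific values: the user's own name or the service name.
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            result.accepted = False
            result.reasons.append(f"contains context-specific value {ctx!r}")

    # Deliberately absent: any upper/lower/digit/symbol mixture requirement.
    return result


def rotation_required(password_age_days: int, evidence_of_compromise: bool) -> bool:
    """Periodic rotation is not a trigger; only evidence of compromise is."""
    del password_age_days  # age is intentionally ignored
    return evidence_of_compromise


if __name__ == "__main__":
    for cand in ("short", "Tr0ub4dor&3", "correct horse battery staple", "MinnVikings57"):
        r = check_new_password(cand, username="maureen", service="link")
        print(f"{cand!r}: accepted={r.accepted} reasons={r.reasons} advice={r.advice}")
    print("rotate after 365 days, no compromise:", rotation_required(365, False))
```

The two verifier decisions an enterprise most often gets wrong are kept separate on purpose: `check_new_password` runs once at set time and never enforces character-class mixing, while `rotation_required` makes the "no periodic change" rule explicit by discarding the age input entirely.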

There is an inherent challenge with requiring passwords to be long and strong: long and strong passwords are difficult for humans to remember. To accommodate our limited memories, people devise hackable workarounds. LastPass reported in 2022 that 65% of those surveyed use mostly the same password or a variation.

NIST has a recommendation for humans and our fallible memories.

Verifiers SHALL allow the use of password managers. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators.

Leading password managers include LastPass, 1Password, and Dashlane. In volume, the highest-rated password managers cost four or five dollars per user, per month.

You can improve your company’s security posture by starting with these two NIST recommendations:

  • Adopt the counter-intuitive practice of not mandating password changes.
  • Provide password managers to help employees use long and strong passwords.

And please, don’t ask me for the name of my first pet.

-Maureen

Maureen Blando is the President and COO of Mobile Helix, makers of the LINK App for lawyers.


NIST Definitions

Authenticator: Something that the subscriber possesses and controls (e.g., a cryptographic module or password) and that is used to authenticate a claimant’s identity. See authenticator type and multi-factor authenticator.

Shall: The terms “shall” and “shall not” indicate requirements to be strictly followed in order to conform to the publication and from which no deviation is permitted.

Should: The terms “should” and “should not” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.

Subscriber: An individual enrolled in the CSP identity service.

Verifier: An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or more authenticators using an authentication protocol. To do this, the verifier needs to confirm the binding of the authenticators with the subscriber account and check that the subscriber account is active.

My Four Favorite Charts from the ILTA 2022 Technology Survey

The International Legal Technology Association’s 2022 survey is a broad treasure trove of data reported from 541 law firms.

There are 11 major topics including Infrastructure, Document Management, Practice Management, and Business Continuity.

My focus is on four of the twenty-seven questions surveyed in the Security section.

1. Password Management

[Chart: ILTA 2022 Technology Survey]

Password managers are one of the most highly recommended solutions for security. They help with: using complex passwords, deterring repeat usage of passwords, and providing secure storage for passwords. There is a learning curve to using a password manager, but once I got up to speed, I wondered how I would live without it. We have so many passwords to juggle these days. I am surprised that 50% of respondents are not providing a password manager.

2. Multi-factor Authentication

[Chart: ILTA 2022 Technology Survey]

Perhaps the single most recommended security mitigation is multi-factor authentication (MFA). Here we see Duo Security (a Cisco company) is the leader at 45%. There are three Microsoft solutions listed which total 27%.

In legal tech, it’s notable when a third-party solution is more widely adopted than a Microsoft solution as most law firms operate on the Microsoft stack.

3. What do You Secure with MFA?

[Chart: ILTA 2022 Technology Survey]

The largest response is VPN/Remote Access, followed by Office 365. It’s very good to see high adoption of MFA for these widely used applications.

4. Which Phishing, Vishing, Social Engineering, or Security Awareness Program?

[Chart: ILTA 2022 Technology Survey]

KnowBe4 is the stand-out at 62%. Others used are Mimecast, Traveling Coaches, Proofpoint, managed service providers, and solutions developed in-house. Only 7% reported “None.” As phishing and social engineering are the cause of about 90% of exploits, law firms are wise to have these programs in place.

You may access the full data-rich report or the executive report from ILTA. Here is the download page.

-Maureen