Passwords and Parades
Erik Boemanns
Derisking technology with a lawyer's lens and a technologist's techniques. Governance, Risk, Compliance, and Security Executive supporting businesses focused on their next stage of growth.
Passwords are like parades - the longer the better - unless they get too long.
I got to enjoy my hometown tradition of the 55th Annual Sorghum Festival this past weekend. It kicks off with a parade, which wraps around the historic courthouse. I grew up watching the parade every year, and have managed to get back there to let my kids see it many times as well. Over the years it gets longer, scales back, and changes each time. Year over year you may miss a favorite float which didn't come back. But you'll see something new and enjoy the energy and creativity they put into bringing it together.
Check out a selection of the parade in the photo above!
As we wind through week two of Cybersecurity Awareness Month, my focus has been to talk about the importance of strong passwords. As I watched the parade, it struck me that there are some odd similarities between passwords and parades. Especially passwords you create yourself.
Here are two fun similarities and whether they should be part of your good, strong password plan in 2024.
They both seem random.
As each float went by, I couldn't discern an obvious reason why the floats and cars were in this particular order. Sometimes things were grouped together, like the Jeeps, but other times you might have a classic car, a tractor, and a float. But if you've watched enough parades, you'll know they really aren't random. They almost always begin with an emergency vehicle (police or fire typically). Soon after will be a marching band or two (the military band, the local high school band, and maybe another one as well). The classic cars tend to be together. The marketing floats are near each other as well. And this parade always ends with the horses.
Similarly, we like to think the passwords we make up ourselves are random. Maybe we pick a few words and stick them together. Or we pick a name or a date which matters to us and then apply some "random" noise to it to trick anyone. But then, we don't really make it random. Most passwords end up with a capital letter in the beginning, and 3's for E, @ for A, and 0 for O, as well as all the other substitutions we've all learned. We end up creating a fairly predictable pattern despite our attempts to hide our otherwise obvious password.
Check out xkcd's strong password cartoon for a great example of this pattern and how it's both predictable and hard for us to remember (and type) as well. It also suggests a random word selection is stronger and easier to remember. It's not wrong, if the words are truly random, and not just objects you can see from your desk. But if you look at their four words - notice, just like my hometown parade, there's a horse in it.
Longer is better.
NIST has been revising its password guidance since 2017, recommending that the complexity rules be dropped in favor of a simple minimum length.
(Check out the NIST Special Publication 800-63B Digital Identity Guidelines from 2017.)
It received new attention this past September when the latest version was released (available at https://pages.nist.gov/800-63-4/sp800-63.html).
The main point is the minimum password length should be 15 characters (with passwords of up to 64 characters supported). And complexity rules should not be used. Gone are the days when you have to create a password so complex there are only three passwords available which meet the rules. (Try the Password Game at https://neal.fun/password-game/ for a great example of why we should celebrate this going away.)
Parades, on the other hand, also should be sufficiently long. But not too long, as we all do eventually get tired of cheering and standing there watching. Plus eventually the traffic you've stopped needs to get where it's trying to go.
Passwords and parades - end cap
While most of your handmade passwords end with a ! (or maybe !! if you're more security conscious), the parades with horses used to end with a person with a shovel. Both endings are predictable, and help us know we're done and can click the proverbial "next" button.
If your passwords today are just 8 or so letters, numbers, and symbols trying to hide your favorite child, pet, or car's name, know that you'd be better off just stringing together the names of four different floats in a parade. The length alone would make it more secure, and you're more likely to remember it every time. But even better is to hand off your password creation to a password safe.
Hand off your password creation to a password safe.
You need a different password everywhere you use one for good security. So, you'll end up needing to save them somewhere. And if you're using a software safe, it can handle the job of creating 15 to 64 characters of randomness. You never have to remember or type it again, or care whether it's easy or hard. (Unless it's your streaming service account on your smart TV, then you'll hate 32 random characters.) But for the banks, emails, work accounts, and anything protecting critical data or money - aim for long and truly random and you'll be more secure in your cyberlife.
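To show what "length, no complexity rules" looks like on the verifier side, and how a password safe produces the randomness described above, here is an added Python example written for this article; it is not code from NIST or from any password manager. The legacy composition policy and the tiny word list are constructed stand-ins, the 15 and 64 character limits are the ones the article gives, and the blocklist check is a step SP 800-63B requires that the article's summary does not mention.

```python
import secrets
import string

# Limits as summarized in the article: at least 15 characters, at least 64 supported.
MIN_LENGTH = 15
MAX_LENGTH = 64

# Constructed stand-in for a breached/common-password blocklist. SP 800-63B asks
# verifiers to reject such values; the article's summary does not cover this step.
# The xkcd phrase itself is on every word list by now, so it belongs here.
BLOCKLIST = frozenset({"password123456789", "correct horse battery staple"})

# Constructed tiny word list for illustration; a real safe would use a 7,776-word diceware list.
WORD_LIST = ["sorghum", "parade", "tractor", "float", "band", "jeep", "horse", "shovel"]


def legacy_complexity_policy(password: str) -> tuple[bool, str]:
    """The old style of rule the article says is going away: 8+ characters and all
    four character classes. It accepts a short, predictable 'H0rse!23' and rejects
    a long passphrase because it lacks a capital letter."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if not any(c.isupper() for c in password):
        return False, "missing uppercase"
    if not any(c.islower() for c in password):
        return False, "missing lowercase"
    if not any(c.isdigit() for c in password):
        return False, "missing digit"
    if not any(c in string.punctuation for c in password):
        return False, "missing symbol"
    return True, "ok"


def length_only_policy(password: str, blocklist: frozenset = BLOCKLIST) -> tuple[bool, str]:
    """The replacement: length bounds plus a blocklist, no composition rules.
    Spaces and any printable character are allowed so passphrases work."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if password.lower() in blocklist:
        return False, "on the blocklist"
    return True, "ok"


def generate_password(length: int = 20) -> str:
    """What a password safe does: uniform random characters from the OS CSPRNG."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 4, word_list=WORD_LIST, separator: str = "-") -> str:
    """Random words for the smart-TV case, where typing 32 random characters hurts."""
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


if __name__ == "__main__":
    for candidate in ["H0rse!23", "tractor float band shovel", "correct horse battery staple"]:
        print(f"{candidate!r:34s} legacy={legacy_complexity_policy(candidate)}  "
              f"length-only={length_only_policy(candidate)}")
    print("generated:", generate_password(20))
    print("passphrase:", generate_passphrase(4))
```

Note the use of the `secrets` module rather than `random`: the generator's whole value is that nobody can predict its output, and `random` is not built for that. The side-by-side run shows the two policies disagreeing in exactly the way the article describes: the complexity rule blesses the short predictable string and rejects the long memorable one.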
As you think about parades and passwords - what are some other surprising or fun similarities? Be sure to share them in the comments below!
Upcoming Live Event
I'm excited to have the opportunity to speak at ISSA Metro Atlanta Chapter's October meeting. I'll be discussing Identity and Access Management and the technologies which drive it.
In Atlanta? Come out in person! Remote, there's a Zoom option. It's free to all who want to join us.
Thursday, October 24 · 6 - 8pm EDT
For more details and to register, click here:
In case you missed it...
My Cybersecurity Awareness Month Live Event here on LinkedIn was this past Monday.
Week In Review
You've enjoyed my cybersecurity focused polls this past week. Check them out, there's still time to vote and join the conversations!
Thanks to everyone who has engaged so far with these posts. Together we are helping spread cybersecurity awareness - all month long!
In Conclusion
This week was all about strong passwords. We'll dive into MFA next week, and then updating strong passwords the last week. Afterwards, my newsletter will resume its normal random topics.
Don't forget, if you are looking for a job and want to be in the job seeker spotlight, the You Just Found ME job seeker spotlight is still going, please reach out!
As I'm growing my business, I'm looking at how to engage with private equity firms, law firms, and start-ups facing their next challenge - so if you're connected to any of these worlds, let's chat soon! I also offer referral bonuses to any work you bring me through Mirability, LLC - if you're interested. If there's anything I can help you with, I'd love to hear about it.
I hope this coming week is exactly what you need it to be!
Thanks, as always!
Be sure to check out my new online merchandise. Remember, 100% of the profits for any You Just Found ME merchandise goes to support that program for job seekers!
If you want to keep up with everything I'm posting, click here and also the bell to be notified when I post!
Follow You Just Found ME to help support job seekers!
Follow Mirability, LLC to learn more about how I'm solving unique technology problems!
Subscribe to my Substack here: https://ebspoke.substack.com/
I'm on Medium as well: https://ebspoke.medium.com/
Check out #EBSpoke for more of my recent posts here...
About Erik
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development. He combines this with a "second career" as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P). His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.
He's available to help you with any of this now too!
Marketing Strategist for Small Business | Copywriter / Content Marketer | Licensed, Certified, Marketing Coach | Major Market Radio Personality
1 month
Wise "practices" indeed, Erik Boemanns