Strengthening Your Online Security: A Beginner's Guide to Better Memorized Secrets

Why did the password manager go to therapy? Because it kept forgetting everything, even itself!

In today's digital landscape, keeping your online accounts secure is more important than ever. One of the key ways to do this is by creating strong memorized secrets. But what exactly makes a memorized secret strong, and how can you ensure yours is up to par? Let's break it down using simple language.

What Are Memorized Secrets?

When you log in to your online accounts, you typically use a memorized secret, which is something you choose and remember, like your pet's name or a series of numbers. The goal is to make it hard for others to guess or figure out your secret.

Consider the evolution of password security. Over two years ago, the National Institute of Standards and Technology (NIST) overhauled its guidance, advocating longer, more complex passphrases over traditional passwords. Yet, despite this progressive shift, many still cling to outdated practices.

But it's not just about staying ahead; it's about embracing a more secure future. Passphrases offer greater complexity and memorability, making them inherently stronger than traditional passwords. And with the imminent adoption of NIST's recommendations, now is the perfect time to make the switch.

Making Your Memorized Secret Strong

Here are some tips to make sure your memorized secret is strong:

Length Matters: Your memorized secret should be at least 8 characters long. If you can, make it even longer for added security.

Mix It Up: Use a combination of letters, numbers, and special characters (like ! or #) in your memorized secret. This makes it harder to guess.

Avoid Common Choices: Stay away from using easily guessable memorized secrets like "password" or "123456." Get creative and choose something unique to you.

Keeping Your Memorized Secret Safe

Once you've picked a strong memorized secret, it's important to keep it safe:

Don't Share It: Never share your memorized secret with anyone, even if they ask nicely. Your memorized secret is your secret, and sharing it can put your accounts at risk.

Use Different Memorized Secrets: Avoid using the same memorized secret for multiple accounts. If one memorized secret is compromised, it won't affect your other accounts.

Stay Vigilant: Keep an eye out for suspicious activity on your accounts. If something seems off, like unexpected login attempts, change your memorized secret immediately.

Tools to Help You

There are also some handy tools you can use to make managing your memorized secrets easier:

Memorized Secret Managers: These tools store all your memorized secrets securely in one place, so you don't have to remember them all. Just make sure to choose a reputable one.

Security Alerts: Some websites offer security alerts that notify you if your account may have been compromised. Take these warnings seriously and take action to protect your account.

My Experience and Back-of-Mind Memory with the Term 'Memorized Secret'

https://www.schneier.com/blog/archives/2016/11/dumb_security_s.html/#comment-287934 (in comments)

I stumbled upon an interesting article back in 2016 that shed light on the intriguing intersection of human behavior and online security. In the article, it was revealed that nearly four in ten Americans would be willing to sacrifice a year of sex in exchange for perfect computer security. This eyebrow-raising statistic, uncovered in a Harris Poll survey conducted on behalf of Dashlane, highlighted the extent to which people value their online security.

Coincidentally, around the same time, discussions were brewing regarding the forthcoming release of the National Institute of Standards and Technology's (NIST) new "Digital Authentication Guideline." This draft aimed to address the evolving landscape of online authentication and identity management. As part of earlier revisions, NIST's identity authentication special publication 800-63 was divided into several documents, each focusing on different aspects of authentication, enrollment, and identity proofing.

Of particular interest was the emphasis placed on authenticator assurance levels (AALs), with requirements varying depending on the level of security needed. Notably, while a "Memorized Secret" was deemed acceptable for AAL 1, AAL 3 mandated the use of a "Multi-Factor Crypto Device" or a "Single-Factor Crypto Device" paired with a Memorized Secret. This signaled a shift towards more robust authentication measures to combat the growing threats in cyberspace.

The transition from 2016 to 2024 paints a vivid picture of the evolving dynamics in cybersecurity. What began as a startling revelation of societal attitudes towards online security in 2016 has since matured into a landscape characterized by proactive measures and heightened awareness. The juxtaposition of the Harris Poll survey findings with the advancements in NIST's Digital Authentication Guideline highlights a journey marked by innovation and adaptation. As we navigate the complexities of the digital age, the collective commitment to fortifying digital defenses serves as a beacon of hope for a safer and more secure online future.

A Comparative Analysis of Password Practices and NIST Recommendations
Thank you John Young MBA CISSP CCSP CGRC CSSLP SSCP CC CISM CBSP for your article "What The Hell Is a 'Memorized Secret'? Go Ask NIST"; it gave a decent idea and comparative lens to this article.

Past Best Practice: Users are forced to make password changes in time intervals determined by the institution, such as 30, 45, 60, or 90 days.

Recent Thought Process: Forcing users to arbitrarily change difficult passwords on certain dates is a burden for the user, and in response, they create less secure passwords.

New NIST Recommendation: Instead of passwords, users can create phrases that'll be known from now on as “Memorized Secrets”. Users will be allowed to change a memorized secret when they want to, with no set date, although memorized secrets must be changed immediately in cases where a security breach is suspected.

Comparison: The shift from mandatory password changes at set intervals to allowing users to change memorized secrets at their discretion aligns with the understanding that forced changes often lead to weaker passwords. This change empowers users to prioritize security without the burden of arbitrary deadlines.


Past Best Practice: After a person has typed in an incorrect password, a security question is provided on the screen to help jar their memory.

Recent Thought Process: Posing a security question after a user fails to log in successfully has proven to be highly ineffective and can aid hackers.

New NIST Recommendation: No security questions are to be provided when a login failed after an incorrect memorized secret was entered.

Comparison: Eliminating security questions after failed login attempts acknowledges their ineffectiveness and removes a potential vulnerability exploited by hackers. This simplifies the authentication process while enhancing security.


Past Best Practice: Passwords must be a mix of uppercase and lowercase letters, as well as contain at least one number, and one special character.

Recent Thought Process: Users shouldn't be forced to include a mix of letters, numbers, and special characters in their memorized secrets as it makes remembering them more difficult.

New NIST Recommendation: Users are encouraged to mix in any characters they like, including spaces, to create their memorized secrets. This results in a sentence structure that’s much more effective as a security defense than a standard password.

Comparison: Moving away from rigid composition rules acknowledges that complexity does not necessarily equate to security. Allowing users the flexibility to create memorable phrases enhances usability without sacrificing security.


Past Best Practice: The password length must be between 8 and 16 characters: an 8-character minimum and a 16-character maximum.

Recent Thought Process: The former 16-character maximum length was too restrictive, and users should be encouraged to create longer memorized secrets.

New NIST Recommendation: Extend the maximum length to 64 characters, promoting the utilization of memorized secrets that are more like sentences. Security grows exponentially with length, since every added character multiplies the number of candidates an attacker must try.

Comparison: Increasing the maximum length of memorized secrets acknowledges the importance of length in security while providing users with the flexibility to create stronger, more memorable secrets.


Past Best Practice: If an incorrect password is entered 5 times, the user account is locked out, and the number of attempts they have left is never displayed.

Recent Thought Process: Limiting the number of incorrect entry attempts discourages users from creating complex passwords and increases user anxiety.

New NIST Recommendation: Allow at least 10 entry attempts of the memorized secret, and let the user see how many attempts they have left. This encourages the creation of complex memorized secrets while reducing user anxiety.

Comparison: Increasing the number of entry attempts and displaying remaining attempts aligns with the goal of promoting strong memorized secrets without penalizing users for mistakes.


Past Best Practice: Password characters are very briefly displayed on the screen as they’re typed in, and immediately replaced by an asterisk.

Recent Thought Process: Allowing users to view one character at a time as they type in memorized secrets reduces frustration and failed entry attempts.

New NIST Recommendation: Display the character just typed while hiding the one before it. This reduces failed entry attempts and frustration while maintaining security.

Comparison: Enhancing the visibility of entered characters while maintaining security strikes a balance between usability and protection against unauthorized access.
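As an added example (not code from the article, from NIST, or from John Young's piece), here is how a verifier could implement the recommendations compared above and the tips earlier in this article: a length-only acceptance check of 8 to 64 characters that allows spaces and any Unicode, a blocklist of common values in place of composition rules, salted hashing so the secret itself is never stored, and an attempt counter that reports how many attempts remain. The blocklist contents, the salt and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample blocklist (hypothetical); a deployment loads a large list
# of breached and commonly used values instead of these five entries.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LEN, MAX_LEN = 8, 64   # accept at least 8 characters, and up to 64
MAX_ATTEMPTS = 10          # allow at least 10 failures before throttling


def check_memorized_secret(secret: str) -> tuple[bool, str]:
    """Acceptance check in the SP 800-63B style: length plus blocklist,
    no composition rules, spaces and any Unicode allowed."""
    normalized = unicodedata.normalize("NFKC", secret)
    length = len(normalized)          # count code points, not bytes
    if length < MIN_LEN:
        return False, f"too short: {length} < {MIN_LEN} characters"
    if length > MAX_LEN:
        return False, f"too long: {length} > {MAX_LEN} characters"
    if normalized.casefold() in BLOCKLIST:
        return False, "commonly used or compromised value"
    return True, "ok"


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the verifier never stores the secret itself."""
    normalized = unicodedata.normalize("NFKC", secret)
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 600_000)


class AttemptLimiter:
    """Counts failed attempts and reports how many remain, so the login
    screen can show the user that number instead of hiding it."""

    def __init__(self, limit: int = MAX_ATTEMPTS) -> None:
        self.limit, self.failures = limit, 0

    def remaining(self) -> int:
        return max(self.limit - self.failures, 0)

    def verify(self, stored: bytes, salt: bytes, attempt: str) -> tuple[bool, int]:
        """Return (accepted, attempts_remaining); a success resets the counter."""
        if self.remaining() == 0:
            return False, 0               # throttled: no attempts left for now
        ok = hmac.compare_digest(stored, hash_secret(attempt, salt))
        self.failures = 0 if ok else self.failures + 1
        return ok, self.remaining()
```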

Final Thoughts

So why not be the first to embrace this change? Instead of conforming to minimum requirements, dare to extend your passphrase beyond the norm. While your organization may only mandate 8 characters, there's no limit to how secure you can make your memorized secret.

By following these simple tips, you can create stronger memorized secrets and better protect your online accounts. Remember, your memorized secret is your first line of defense against cyber threats, so make it count!

Word to remember: Zeroization

Meaning: Destroy

Reference: NIST SP 800-56B Rev. 2

Definitions:

An action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered. Source: FIPS 186-5 under Destroy

A method of erasing electronically stored data, cryptographic keys, and credentials service providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data. Source: CNSSI 4009-2015 from FIPS 140-2

In this Recommendation, an action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered. Also known as zeroization in FIPS 140. Source: NIST SP 800-56B Rev. 2 under Destroy

A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data. Source: NIST SP 800-88 Rev. 1 under Destroy


References taken for this article:

John Young MBA CISSP CCSP CGRC CSSLP SSCP CC CISM CBSP

10 months

Thanks for crediting my article, Pranjal Srivastava, that’s rare on LinkedIn. Yours was thoughtful, informative, and well written. I know you put in a tremendous amount of work on it, well done!
