Enhanced Security Awareness Training for 2025

Introduction

Despite technological advances toward password-less authentication, passwords remain the primary gatekeeper for most of our digital lives. However, the approach to password security has evolved significantly based on new research and real-world attack patterns. Here we will guide you through modern password best practices that balance security with usability.

The Current Password Landscape

Recent data reveals concerning trends in password behavior:

  • 84 percent of users reuse passwords across multiple sites
  • Only 34 percent of users globally utilize a password manager
  • Over 20 percent use the same password for personal banking and work accounts
  • 50 percent of data breaches involve stolen passwords

These statistics highlight why our University must take a comprehensive approach to password security education and policy implementation.

Modern Password Guidelines: What Has Changed

The National Institute of Standards and Technology (NIST) has significantly updated its password recommendations based on years of research. The key changes are the following.

Length Over Complexity: The traditional approach of requiring complex passwords with special characters has been largely abandoned. Research shows that length is far more important than complexity. A 16-character passphrase like "coffee morning sunshine walk" is exponentially more secure than "P@ssw0rd1!" and much easier to remember.

Elimination of Forced Resets: The practice of requiring regular password changes has been discontinued unless there’s evidence of compromise. Forced resets often lead to predictable patterns that actually decrease security.

Focus on Compromised Credential Screening: Modern systems now check passwords against databases of known compromised credentials, preventing users from selecting passwords that have already been breached.
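As an added illustration of the three changes above (example code written for this page, not UMB's or NIST's own implementation), the Python below accepts a password on length and a breach lookup alone, with no composition rules and no expiry check. The breach corpus is a constructed stand-in for a real breach database; the prefix-bucket lookup mirrors the k-anonymity range-query shape such databases commonly expose.

```python
import hashlib
import unicodedata

# Constructed breach corpus for this demo: SHA-1 digests of a few passwords
# of the kind that appear in public breach dumps. A production screener would
# query a breach database (typically through a k-anonymity range API) instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "P@ssw0rd1!", "123456789", "qwerty123")
}

# Index the corpus by the first five hex characters of each digest. This is the
# shape a k-anonymity range query works with: the client sends only the prefix
# and receives every suffix in that bucket, so the full hash never leaves it.
RANGE_BUCKETS = {}
for _digest in BREACHED_SHA1:
    RANGE_BUCKETS.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password):
    """Screen a password the way a range lookup would, entirely offline."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in RANGE_BUCKETS.get(prefix, set())


def evaluate(password, min_length=8, max_length=64):
    """Apply NIST SP 800-63B style acceptance rules.

    Returns the list of reasons the password is rejected; an empty list means
    it is acceptable. Deliberately absent: composition rules (no required
    digits or symbols) and any expiry or rotation check.
    """
    # SP 800-63B asks verifiers to Unicode-normalize before measuring length,
    # so visually identical inputs are treated the same way.
    normalized = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(normalized) < min_length:
        reasons.append("too short: at least %d characters" % min_length)
    if len(normalized) > max_length:
        reasons.append("too long: at most %d characters" % max_length)
    if is_breached(normalized):
        reasons.append("found in a known breach corpus")
    return reasons
```

Note that "P@ssw0rd1!" fails only because it is in the breach corpus, not because of its character mix, while the plain-word passphrase passes on length alone.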

Based on these guidelines, UMB moved to the NIST-recommended password requirements in 2019.

The Power of Passphrases

Traditional password advice created passwords that were “hard for humans to remember but easy for computers to guess.” Modern passphrases reverse this dynamic:

Examples of Strong Passphrases:

  • “bicycle laptop coffee morning seventeen”
  • “mountain hiking adventure fantastic weather”
  • “library studying productive afternoon session”

These passphrases are:

  • Long enough to resist automated attacks
  • Memorable for humans
  • Easy to type
  • Difficult for attackers to predict

Password Managers: Your Essential Tool

Password managers have evolved from nice-to-have tools to essential cybersecurity components.

Security Benefits:

  • Generate unique, complex passwords for every account
  • Store passwords encrypted and secured behind a master password
  • Automatically detect and warn about reused passwords
  • Alert you to accounts affected by known data breaches

Convenience Features:

  • Auto-fill login forms across devices
  • Sync passwords securely across all your devices
  • Generate secure passwords instantly
  • Store secure notes and other sensitive information

Popular Options:

  • Bitwarden: Open-source with free tier suitable for most users
  • 1Password: Excellent for families and teams
  • LastPass: Widely used with good mobile integration
  • Keeper: Strong security focus with university discounts

Multifactor Authentication: Your Security Multiplier

Multifactor authentication (MFA) represents the single most effective security improvement you can implement.

Recommended MFA Methods:

  • Push and Verified Push: DUO
  • Authenticator Apps: Google Authenticator, Microsoft Authenticator, Authy
  • Hardware Tokens: YubiKey, Titan Security Keys
  • Biometric Authentication: Fingerprint, facial recognition where available

Avoid When Possible:

  • SMS Text Messages: Vulnerable to MFA fatigue attacks
  • Email-Based Codes: Compromise of email account defeats the purpose

UMB requires MFA for:

  • All University email accounts
  • Learning management systems
  • Financial and administrative systems
  • VPN access to University networks
  • Research data repositories

MFA protects your account, but only if you use it wisely. If you receive a DUO push or MFA request that you did NOT initiate, do not approve it.

Attackers are sending repeated requests hoping you’ll accidentally click “Approve.”

  • Only approve MFA requests when you are actively logging in.
  • Deny unexpected requests and report them immediately.

Your quick action helps keep your account, and the University, secure.
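As an added defender-side illustration (example code written for this page, not part of the original training material or of any Duo tooling), the script below flags the pattern described above, a burst of denied or unanswered pushes followed by an approval, in a constructed log sample. The simplified "timestamp user result" log format, the user names and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-authentication events in an assumed
# "timestamp user result" format; it is not a real Duo log export.
SAMPLE_LOG = """\
2025-01-14T08:01:10 jdoe approved
2025-01-14T21:14:02 asmith denied
2025-01-14T21:14:31 asmith denied
2025-01-14T21:15:05 asmith timeout
2025-01-14T21:15:40 asmith denied
2025-01-14T21:16:12 asmith approved
2025-01-14T21:30:00 jdoe approved
"""


def parse_events(text):
    """Turn the sample lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        events.append((datetime.fromisoformat(stamp), user, result))
    return events


def find_push_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Report users who saw `threshold` or more denied/unanswered pushes
    within `window`, and whether an approval followed the burst, which is
    the signal worth an immediate call to the user and a password reset."""
    recent = defaultdict(deque)   # per-user timestamps of unanswered pushes
    alerts = {}
    for stamp, user, result in sorted(events):
        q = recent[user]
        if result in ("denied", "timeout"):
            q.append(stamp)
            while q and stamp - q[0] > window:   # drop pushes outside window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    user, {"unanswered": 0, "approved_after_burst": False})
                entry["unanswered"] = max(entry["unanswered"], len(q))
        elif result == "approved" and user in alerts and q \
                and stamp - q[-1] <= window:
            alerts[user]["approved_after_burst"] = True
    return alerts
```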

Incident Response

If you suspect your password has been compromised:

  • Change the password immediately on the affected account
  • Check for unauthorized activity in account logs and settings
  • Update the password on any other accounts where it was reused
  • Report the incident to CITS Security and Compliance if it involves institutional accounts
  • Monitor accounts closely for signs of unauthorized access

Conclusion

Strong password practices and MFA form the foundation of personal cybersecurity. While the specific recommendations have evolved based on new research and threat patterns, the fundamental principle remains: Protecting your digital identity requires both knowledge and consistent action.

UMB is committed to providing tools and training to support good password hygiene. However, the ultimate responsibility lies with each member of our community to implement these practices consistently.
