DS News

DS News March 2020

DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.

Issue link: http://digital.dsnews.com/i/1214226


DITCH THE COMPLEX PASSWORD?

If a company fails to properly educate employees about the dangers of phishing, the most complex password requirements won't matter. Studies show that poor password security, rather than a lack of password complexity, is often a major cybersecurity weakness for most organizations and employees, one that leads to criminals accessing non-public personal information.

The latest password guidelines issued by the National Institute of Standards and Technology (NIST) recommend significant changes to the way companies and people approach the complexity and usage of passwords. Among the changes, NIST recommends removing periodic password change requirements, dropping the algorithmic complexity rules that often resulted in passwords that are easily cracked with password cracking tools, and using long passphrases instead of complex passwords.

EASY TO REMEMBER, HARD TO GUESS

In what may seem like a 180-degree turn, NIST moved away from what has been promoted for more than a decade, recommending long passphrases in lieu of complex passwords. These new security guidelines focus on creating unique passphrases that users will remember easily, using whatever characters they want, instead of convoluted and complex passwords that make no sense to the user.

MORE IS MORE

The NIST password guidelines update requires users to create passwords that consist of a minimum of eight characters. However, it also allows password form fields to accept up to 64 characters. This change was made to help support the use of passphrases.

According to the Verizon 2018 Data Breach Investigation Report, length and complexity of passwords are not enough on their own.

"Users should use long password phrases consisting of three or more words that normally don't go together but are easily remembered and be at least 15 characters long," suggested Paul Noga, Director of Information Technology and Cybersecurity for Southern Title. "Passwords should be screened against lists of commonly used or compromised passwords. Users should only change their passwords when they suspect there could be a potential compromise."

WHAT TITLE AGENTS ARE DOING

Noga said his company's minimum password length is set to 15 characters, and it still requires character complexity (special characters, upper and lowercase). He added that Southern Title will soon revisit its policies and likely switch to passphrases with a minimum of 15 characters and a maximum of 64.

"A passphrase of five words would take a hacker eight years to crack," Noga said. "We are going to set the password expiration to one year and only have users change their password if we suspect suspicious activity or compromise. Passphrases are easier for users to remember and allowing them to make a long enough passphrase that will be hard to crack within the password age we set."

Remembering complex passwords or long passphrases can be difficult, so many people use password managers. Southern Title is looking to purchase the business plan for the password manager Keeper. This will give staff the ability to access the program from multiple devices, so the company can centrally manage accounts and allow for recovery.

"Password managers allow users to use a different password for every application and website they access," Noga said. "All they need to remember is their password to their vault and they can have the manager randomly generate long complex passwords for everything else. The manager allows them to log on from the vault and it automatically fills in the credentials. This makes their lives much easier and more secure."

Ken Kirkner, Director of Global Operations and SVP for Trident Land Transfer Co., agrees that password managers simplify the process. His company uses LastPass, which provides an extension for Chrome, Safari, Firefox, and other browsers.

"It is easy to use and a good route to go," he added.

In 2018, 83% of people received phishing attacks worldwide, resulting in a range of disruptions and damages. This includes decreased productivity (67%), loss of proprietary data (54%), and damage to reputation (50%). When it comes to the attacks, two in three phishing attempts use a malicious link and more than half contain malware.
