Update: The recently released U.S. National Institute of Standards and Technology (NIST) Digital Identity Guidelines recommend longer passwords. It’s important for security professionals to keep abreast of revised recommendations, driven by advances in computing power and technology, through their Guardian Support Service.
Rick Gorskie
Generally, we (carbon-based lifeforms) are terrible when it comes to selecting a secure password for our computers or software programs. This comes from not being prepared for the inevitable password question when installing new software or setting up new hardware.
We panic and select something that is often far too common or easy to remember, which also means it will be too easy for a hacker to guess or to “crack”. We tell ourselves “I’ll come back and change that later, so I’ll just use one that is easy to remember for now,” but we seldom do. Nobody said that effective credentials management was convenient, but it beats the inconvenience of being hacked!
Consider doing the following:
- Use combinations of numbers, upper- and lower-case letters and special characters.
- Select a suitable length of at least 8 characters but the longer, the better.
- Try using pass-phrases (or derivatives of a phrase) like:
  - “IloveCybersecurity!” or “Whatyamacallit?”
  - “I love to run 5 miles Every Day”, used as: Iltr5mED!
  - Or use something that IS clearly misspelled.
- Consider using password vaults to manage your growing list of passwords.
- Consider changing your passwords regularly, even when you are not prompted to do so.
- Consider using 2-Factor Authentication log-in techniques which generally require two forms of authentication before you can enter the site/program.
Consider avoiding the following:
- Avoid using single, common words or strings of numbers (e.g. 22222222, 12345678).
- Avoid using personal data in your password (e.g. your name, address, phone numbers, birthday or other information that may be available on social media).
- Do not use the same password for multiple accounts or sites (wow, that’s a lot of passwords to remember).
- Avoid writing these passwords down or compiling a spreadsheet and storing them on your computer (yes, password-protected spreadsheets can be easily cracked).
- Do not answer prompts to auto-save your password for a site with an automatic “yes” (especially when using shared devices).
- Avoid using the same password again on a given site or program.
- Never share your password(s) with anyone!
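An added example, not part of the original post, that turns the two lists above into a check a practitioner can run: it derives a password from a phrase the way the post does and flags candidates that break the post’s rules (too short, a single common word, repeated or sequential digits, personal data). The blocklist, the sample personal data and the “at least three of four character classes” threshold are assumptions chosen so the post’s own examples pass.

```python
import re

# Constructed blocklist for the demo; a real check would use a much larger
# list of leaked/common passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "iloveyou"}


def derive_from_phrase(phrase: str, suffix: str = "!") -> str:
    """Derive a password from a memorable phrase the way the post does:
    first letter of each word (case kept), numbers kept whole, a suffix added."""
    parts = [w if w.isdigit() else w[0] for w in phrase.split()]
    return "".join(parts) + suffix


def check_password(candidate: str, personal_data=()) -> list:
    """Return the list of rules from the post that the candidate breaks
    (an empty list means it passes every check here)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    # Assumed threshold: at least three of lower, upper, digit, special.
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, candidate)) for p in classes) < 3:
        problems.append("fewer than three character classes")
    if candidate.lower() in COMMON_WORDS:
        problems.append("single common word")
    if len(set(candidate)) == 1:
        problems.append("same character repeated")
    digits = [int(c) for c in candidate if c.isdigit()]
    if candidate.isdigit() and all(b - a == 1 for a, b in zip(digits, digits[1:])):
        problems.append("sequential digits")
    lowered = candidate.lower()
    hits = [d for d in personal_data if d and d.lower() in lowered]
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; the first is the post's own passphrase example,
    # and "Alex"/"1985" stand in for a user's name and birth year.
    samples = [derive_from_phrase("I love to run 5 miles Every Day"),
               "22222222", "12345678", "password", "Alex1985!"]
    for pw in samples:
        print(f"{pw!r}: {check_password(pw, personal_data=['Alex', '1985']) or 'ok'}")
```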
Using a Password Manager
For users with large numbers of passwords to manage, there are commercial solutions available that will store and manage your password library. Depending on the selected vendor, these managers store your passwords for you and automatically fill out your log-in forms. Preferably, choose offline versions of such password management programs; if the convenience of online synchronization is important to you, make sure you change passwords frequently and have a plan in case the vendor’s database is somehow compromised by hackers.
Remove Default Passwords
If your software is delivered or installed with “default” passwords, disable, delete or change them to something other than what was delivered with the system as soon as possible.
Industrial Control Systems also rely on user credentials, and similar recommendations apply to those passwords. For DeltaV systems, the DeltaV Security Manual provides guidance on password complexity, default passwords, the expiration period and its prompt, and password reuse.
Contact your local Emerson Sales or Service Representative and request the latest DeltaV Security Manual, an important cybersecurity manual containing the full “best practice” security recommendations for DeltaV process control systems. It is also available under the Resources page within the Guardian Support web portal.