Do you have to keep changing cybersecurity best practices?
It’s really annoying!
When it comes to all things computers there’s one rule to keep in mind: Things change quickly. What things? All of them. Could I possibly be more specific? Not really, because everything keeps changing.
It may sound like I’m being silly, but remember Windows 7? It wasn’t too long ago that many of our clients were still using it. And of course after Windows 7 came Windows 8, then 10, and now we’re on Windows 11. Windows 7 is so old that it’s three major releases back in the past, yet it’s likely that a sizeable portion of the people reading this newsletter are still using it at home. Not the majority, but a good chunk.
Which ultimately brings us to the main question of this week's newsletter.
Why do cybersecurity recommendations keep changing?
And for a specific example, let’s look at how password recommendations have changed over time.
If we roll back the clock to when computers were first becoming a mainstream tool in business, a good password was one that was complicated and full of lots of numbers or special characters, something like “91ck@chu”. Over time that logic changed to suggest people use a longer password like “TheWizardOfOZ”. Next the definition of a good password evolved into being a phrase, like “I need to think of a new password February 2023” and to change it often. Now the standard recommendation is a long password or passphrase that you don’t need to change quite as often, and is backed up with MFA.
Remember that initially password lengths were limited to a maximum of 9 – 10 characters, and computers in those days were slow and not very powerful. Most attacks on passwords could be, and in fact were, performed manually, so a good password was one that would be hard for a person to guess. As time went on and computers got more powerful, passwords evolved to be longer, and computers could be used to attack passwords faster than a person could. Naturally the advice changed to make things harder for computers rather than people, so longer passwords that were regularly changed became the standard. A good password in this era was something that was easy for a person to remember (rather than a string of random characters) and got changed every 3 months or so.
Which was all well and good until, inevitably, things changed once again. Computers grew even more powerful and hackers got better at their craft. Furthermore, the good guys started paying attention and watching what people were actually doing, which is when it was discovered that, well, in general humans are lazy, so advice that seemed valuable–change your password every three months–was resulting in people changing from “MyP@ssword1” to “MyP@ssword2.” The best advice in the world does no good if it isn’t followed, so with the advent of easily-available multifactor authentication, the password no longer held the entire authentication burden. As a result, current advice is to use a robust password, changed occasionally, and supported with MFA.
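The two points above (that length beats a short string of special characters once guessing is automated, and that forced rotation tends to produce "MyP@ssword1" to "MyP@ssword2") can be put in numbers. The following script is an added example, not part of the original newsletter or any TRINUS tooling. It scores the newsletter's own sample passwords by the size of the exhaustive-search space an attacker would have to cover, and it includes the kind of policy check a password-change handler can run to refuse a trivially bumped password. The guess rates are constructed round numbers for illustration, not measurements.

```python
import math
import re

# Constructed guess rates (guesses per second) for illustration only.
# They are assumptions, not figures from the newsletter.
GUESS_RATES = {
    "a person guessing by hand": 1.0,
    "early desktop computer": 1e5,
    "modern cracking rig": 1e10,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest 'obvious' character set that covers the password.

    This is the set an exhaustive (brute-force) attacker would have to
    iterate over: lower, upper, digits and printable punctuation/space.
    """
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for exhaustive search: length * log2(charset).

    Caveat: this is an upper bound. A passphrase made of dictionary words
    falls to a word-based attack far faster than this number suggests, which
    is one reason the page's current advice pairs the password with MFA.
    """
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second / SECONDS_PER_YEAR


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when 'new' is just 'old' with a trailing digit/punctuation bump.

    Strips trailing digits and punctuation from both and compares the
    remainder case-insensitively, so "MyP@ssword1" -> "MyP@ssword2",
    "MyP@ssword2!" or "myp@ssword3" are all flagged. An unchanged password
    is flagged too.
    """
    def stem(s: str) -> str:
        return re.sub(r"[\d\W_]+$", "", s).lower()

    return stem(old) == stem(new)


if __name__ == "__main__":
    # The newsletter's own examples of each era's "good password".
    samples = [
        "91ck@chu",
        "TheWizardOfOZ",
        "I need to think of a new password February 2023",
    ]
    for pw in samples:
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits")
        for who, rate in GUESS_RATES.items():
            print(f"    {who:<26} {years_to_exhaust(pw, rate):>12.3g} years")

    # Policy check at password-change time.
    print(is_trivial_rotation("MyP@ssword1", "MyP@ssword2"))   # True: reject
    print(is_trivial_rotation("MyP@ssword1", "TheWizardOfOZ"))  # False: allow
```

The short special-character password has the smallest search space of the three, despite looking the "hardest", which is the first shift in advice the page describes; the rotation check is the piece that turns the second observation (people bump a digit) into something the system can actually enforce.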
The long and the short of it all is to remember that all things change, cybersecurity as well. As for the why, well, it might not be a satisfying answer, but it’s true that things just do. This means that best practices recommendations need to keep up. Old advice isn’t as good as new advice and using it could be worse than doing nothing.
If you’d like help updating your password policies or other cybersecurity practices, feel free to contact a TRINUS cybersecurity expert.
This quote comes from the Shakespeare play King Lear and simply goes: “I’ll show you differences.”
Be kind, courtesy your friendly neighbourhood cyberman.