Accelerate Tech

White House Executive Order Actually Calls For User Friendly Passwords

Executive Order 13636 Cybersecurity

On February 12, 2013 President Obama uttered similar words. If you’re a Star Wars fan like me, just the very notion brings images of Chancellor Palpatine’s voice with the London Symphony Orchestra playing in the background.

Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was the first iteration of standards set forth for our nation’s cybersecurity initiative.

“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises,” the order says.

The order establishes guidelines to improve critical infrastructure security in the cyber age. Among many other things, it provides some strict rules about what could be used for passwords.

Steve Grobman, CTO at computer security firm McAfee, said the following in a statement emailed to Quartz:

Holding agency and department heads accountable is key. This is no different than the paradigm we see in corporate organizations where, although the CEO is not a cybersecurity expert, he or she is ultimately responsible for implementing a cybersecurity plan that mitigates risk to the business.

I couldn’t agree more.

An updated order is signed

More recently, on May 11, 2017, President Donald Trump signed an executive order, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” with an updated angle on password use and generation.

I bet you’re going to be surprised with the changes!

Let’s compare the top three changes in password security

OLD: Hard password requirements – Minimum length, special characters, lower case, upper case, and numbers – no wonder you had to write tH1sI5MyP@ssW0rd!! down and stick it under your keyboard!

NEW: user friendly – Maximum length, all ASCII characters (maybe an emoji too?) so “Kiss Is The Greatest Band of All Time” would actually be allowed!

OLD: Password Resets. You must change password every 90 days. You had a hard enough time coming up with the first one, so just add a few more letters, numbers, characters…right?

NEW: No more! Data has found the predictable and scheduled password reset enforcement has led to easier and consistent passwords and a weaker password as a result!

OLD: Putting the burden on you – Asking questions like what was your mother’s maiden name, offering passwords hints – both things you’ll write down on post-it notes – or displaying **** while typing so you have no idea if you missed a character until you’re locked out.

NEW: Putting the burden on THEM – any entity charged with authenticating passwords will be required to guard that database with some heavy-duty encryption.

Most importantly, a new requirement will be 2 Factor Authentication. Beyond a simple text message, this requirement is a huge leap forward and one the experts need to walk you through.

The conclusion

Research has shown (and the president has ordered) that greater password security DOES NOT come from more cryptic password policies. Quite the opposite. The updated order calls for a more friendly, human and less restrictive approach.

Security is an evolution and always a moving target. Accelerate is on top of all things security. We have our finger on the pulse and ready to work on a solution for your business.

Want to learn more about implementing a secure password policy or improving your overall security posture?

Schedule a free consultation