Home / Blogs

M3AAWG Offers Some Sensible Password Advice

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
John Levine

M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published, one on Password Recommendations for Account Providers, and another on Password Managers Usage Recommendations. Since I'm one of M3's senior technical advisers, I helped write them, but I think they're pretty good anyway.

Rather than just regurgitate the usual unworkable advice (make each password 14 different random characters, change them every week, and never write them down) we tried to look at the real threats on the current Internet and offer advice that makes sense today. The password advice does recommend strong passwords or pass phrases, but then mostly talks about operational issues: do encrypt channels where passwords are sent via HTTPS or the like, do use multiple factors where possible, do use federated authentication to minimize the number of passwords people have to use, do make users change default passwords before using a new account, and don't do hard account lockouts after password failures (an easy way to harass your enemies.) While it does say to make it easy for users to change passwords when they want, it doesn't recommend required password changes, since that is counterproductive--people use a pattern like password1, password2, password3, write them down, or most likely both.

The whole document is 8 pages long, so it's worth downloading to read the whole thing.

The password recommendations also encourage people to use password managers, the topic of the second document. A good password manager makes good password discipline much easier, since it can remember different totally random passwords for every account, and won't forget them. Many of them can keep the list of passwords in sync between a laptop and phones and tablets, a boon for whose of us with aging memories. This paper is only three pages, short enough to download and print out and send around to people who don't understand why they're a good idea.

There are lots more best practice documents on the M3AAWG web site. I'll blog about some of the others in the future.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Security

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities