Happy Star Wars Day, as well as World Password Day! May the Fourth be with you.

Get ready to be bombarded with “May the Fourth be with you” puns regarding your passwords and identity, as this year May 4 is not only Star Wars Day but also World Password Day.

Leading up to World Password Day, I received dozens of emails about how bad our password hygiene still is, studies about poor password management, reminders to change passwords, pitches about password managers and biometric options to replace passwords, reminders to use multi-factor authentication (MFA), as well as the standard advice for choosing a stronger password. Some of that advice contradicts NIST-proposed changes for password management.

Although NIST closed comments on its Digital Identity Guidelines draft on May 1, VentureBeat highlighted three big changes. Since this is NIST, and changes to password management rules will eventually affect even nongovernment organizations and trickle down to affect pretty much everyone online, it’s important to look at them. Those changes, according to VentureBeat, boil down to:

No more periodic password changes.
No more imposed password complexity.
Mandatory validation of newly created passwords against a list of commonly used, expected, or compromised passwords.

Right now, NIST is working on developing the SOFA-B framework; that is short for the project’s full mouthful of Strength of Function for Authenticators – Biometrics. It will establish a standardized method for comparing and combining authentication mechanisms and “focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate, and Effort.” By creating SOFA-B, NIST hopes to “achieve a level of measurability similar to that of entropy for passwords.” SecureIDNews reported:

Working with the biometrics community, NIST has a five-step approach to creating the SOFA-B framework:

1. Analyzing the attack points of a biometric system
2. Requiring baseline security to mitigate common attacks
3. Quantifying factors specific to biometric systems
4. Differentiating attack types as random attacks or targeted attacks on a known user
5. Measuring strength of function for biometric authenticators

Why should you care? Because the basis for biometric updates in SOFA-B has worked its way into NIST SP 800-63-3, aka NIST’s Digital Identity Guidelines draft. When it’s done, you might be able to compare the biometric security in one device, say a smartphone, to that of another.

We’ve been hearing that passwords are dead for years, yet most people logging in to most places online still use a username and password—or sign in via another site such as Facebook or Google, where they were authenticated via username, password and hopefully 2FA.

Most everyone knows that, as a whole, people suck at setting up strong passwords and changing default passwords. In fact, according to the latest Verizon Data Breach Investigation Report, “80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.” Furthermore, the report states, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.”

Under the discussion of breach trends in Verizon’s DBIR, it states:

Even if you are not breached, there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised. Again, if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned. Those are two things you shouldn’t have to worry about.

Although a basic username/password login is not enough, despite what some of the pitches claim, I can’t imagine this will be the last World Password Day.
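To make the three NIST changes listed above concrete, here is an added example (my code, not NIST's, VentureBeat's or any reference implementation) of a password-acceptance routine written in the spirit of the draft: a length floor instead of composition rules, a blocklist check against commonly used or compromised passwords, a screen for context-specific words and for repeated or sequential runs, and no calendar-based rotation. The legacy composition-rule checker is kept alongside purely for contrast. The blocklist entries, the account and service names, and the function names check_password, legacy_check and rotation_required are all constructed for this demonstration.

```python
"""Password acceptance rules modelled on the NIST Digital Identity Guidelines
draft discussed above: length, not composition; a blocklist check; rotation
only on evidence of compromise. Added example; the blocklist is constructed."""
from __future__ import annotations
import hashlib

MIN_LENGTH = 8     # the draft's floor for user-chosen passwords
MAX_LENGTH = 64    # accept long passphrases; do not cut them off silently

# Constructed stand-in for a breach/common-password corpus. A real deployment
# loads a large list; SHA-1 is used only because such corpora are commonly
# distributed as SHA-1 digests, never as the stored credential form.
_BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "starwars", "p@ssw0rd1")
}


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical (aaaa) or consecutive (abcd, 4321) characters."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate password is rejected; [] means accepted.
    Deliberately no upper/lower/digit/symbol composition rule."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.lower().encode()).hexdigest() in _BLOCKLIST_SHA1:
        reasons.append("appears in the compromised/common password list")
    low = pw.lower()
    for word in context_words:          # username, service name, company name...
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    if _has_sequence(pw):
        reasons.append("contains a repeated or sequential run")
    return reasons


def legacy_check(pw: str) -> list[str]:
    """The composition-rule policy the draft drops (8+ chars with upper, lower,
    digit and symbol). Kept only to show what it gets wrong."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for name, ok in (("uppercase", any(c.isupper() for c in pw)),
                     ("lowercase", any(c.islower() for c in pw)),
                     ("digit", any(c.isdigit() for c in pw)),
                     ("symbol", any(not c.isalnum() for c in pw))):
        if not ok:
            reasons.append(f"missing {name}")
    return reasons


def rotation_required(age_days: int, known_compromised: bool) -> bool:
    """No periodic expiry: the age of the password is logged by the caller but
    never forces a change on its own; only evidence of compromise does."""
    return known_compromised


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "tall grass hides padawans", "abcd1234"):
        print(f"{candidate!r}: legacy={legacy_check(candidate) or 'OK'} "
              f"new={check_password(candidate, ('acme',)) or 'OK'}")
```

Running it shows the contrast the draft is aiming at: "P@ssw0rd1" satisfies every composition rule yet is rejected by the blocklist, while the plain passphrase fails the legacy rule (no uppercase, no digit) and is accepted by the new one.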
So, have a care about your passwords, as they are the key that opens the door to your online life, your business secrets or even your networks. I encourage you to use a password manager and to set up 2FA on every site that offers it. Don’t forget to change those shared passwords for online streaming sites either!

Happy Star Wars Day, as well as World Password Day!
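The credential reuse the DBIR passage above describes (botnets replaying credentials leaked elsewhere) shows up on the defender's side as a single source failing against many different accounts in a short time. The following added example (my code, not Verizon's tooling) flags that pattern in authentication logs and then lists the accounts that nonetheless logged in successfully from a flagged source, since those are the ones to reset and review first. The log format, the sample lines, the IP addresses and the usernames are all constructed for the demonstration.

```python
"""Credential-stuffing detection over authentication logs: one source IP
failing against many distinct usernames inside a sliding window. Added
example; the log format and every sample line below are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, result, username, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts in eight seconds and gets
# one hit; 198.51.100.20 is a real user mistyping their own password twice.
SAMPLE_LOG = """\
2017-05-04T10:00:01 auth fail user=leia ip=203.0.113.7
2017-05-04T10:00:02 auth fail user=han ip=203.0.113.7
2017-05-04T10:00:02 auth fail user=luke ip=203.0.113.7
2017-05-04T10:00:03 auth ok user=chewie ip=203.0.113.7
2017-05-04T10:00:04 auth fail user=lando ip=203.0.113.7
2017-05-04T10:00:05 auth fail user=yoda ip=203.0.113.7
2017-05-04T10:00:09 auth fail user=obiwan ip=203.0.113.7
2017-05-04T10:03:00 auth fail user=rey ip=198.51.100.20
2017-05-04T10:03:30 auth fail user=rey ip=198.51.100.20
2017-05-04T10:04:00 auth ok user=rey ip=198.51.100.20
"""


def parse(log: str):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def find_stuffing(log: str, window: timedelta = timedelta(minutes=5),
                  min_users: int = 5) -> dict[str, list[str]]:
    """Return {ip: sorted usernames} for sources whose failures hit at least
    min_users distinct accounts within some window of length `window`.
    Many failures against ONE account is a different signal (brute force or
    a forgetful user) and is intentionally not flagged here."""
    fails_by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, ip in parse(log):
        if result == "fail":
            fails_by_ip[ip].append((ts, user))

    flagged: dict[str, list[str]] = {}
    for ip, events in fails_by_ip.items():
        events.sort()
        best: set[str] = set()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


def successful_logins_from_flagged(log: str, flagged: dict[str, list[str]]) -> list[str]:
    """Accounts that authenticated from a flagged source: likely reused
    credentials, so these get a forced reset and a session review first."""
    return sorted({u for _, r, u, ip in parse(log) if r == "ok" and ip in flagged})


if __name__ == "__main__":
    hits = find_stuffing(SAMPLE_LOG)
    for ip, users in hits.items():
        print(f"{ip}: failed against {len(users)} accounts: {', '.join(users)}")
    print("accounts to reset:", successful_logins_from_flagged(SAMPLE_LOG, hits))
```

The window and the distinct-user threshold are the two knobs to tune per site; a large NAT'd office will need a higher threshold than a consumer service, and the same logic applies unchanged to the "ok" events if you want to catch a low-and-slow campaign that mostly succeeds.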