Cybersecurity C-TPAT: Passwords and Passphrases Recommendations
On May 15, 2020, U.S. Customs and Border Protection (CBP), through the Customs Trade Partnership Against Terrorism (CTPAT) program, issued a bulletin titled Cybersecurity – Passwords and Passphrases, together with its recommendations.
In continuous communication with its members, and in order to strengthen the international supply chain and improve border security, the program expands on priority issues and highlights matters of interest for certification. Recognizing that implementing supply chain best practices and the minimum security criteria can be a challenge for members, the program offers its recommendations on best practices.
Although passwords have traditionally been the first security barrier, CTPAT program specialists, as well as experts from the public and private sectors, recommend the implementation of passphrases rather than passwords. Here are four reasons why your company should be using passphrases instead of passwords:
- Passphrases are easier to remember than passwords;
- Passwords are relatively easy to guess or crack. Attackers use advanced cracking tools that can recover even complicated short passwords. Passphrases are much more difficult to crack because the search space grows exponentially with length, and brute-force attacks become impractical beyond roughly 10 characters;
- Passphrases do not need to be changed on a fixed schedule, unless the user suspects that the phrase has been compromised; and
- Major operating systems, including Windows, Linux and macOS, support passphrases of up to 127 characters in length.
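To make the "harder to crack" claim concrete, the following added example (not part of the CTPAT bulletin) compares the entropy of a random 8-character keyboard password with that of a multi-word passphrase, and generates a passphrase with Python's `secrets` module. The word list is a constructed toy list; the entropy figures for a full 7,776-word diceware list are computed from the list size, and the guess rate of 10^11 guesses per second is an assumed figure for an offline attack against a fast, unsalted hash.

```python
import math
import secrets

# Constructed toy word list standing in for a real diceware-style list.
# Only its length matters for the entropy calculation, so full-size figures
# are computed from DICEWARE_SIZE rather than a shipped list.
TOY_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]
DICEWARE_SIZE = 7776        # 6**5 words in a standard diceware list
PRINTABLE_ASCII = 95        # characters a keyboard password is typically drawn from
ASSUMED_GUESSES_PER_SEC = 1e11   # assumption: offline GPU attack on a fast unsalted hash


def entropy_bits_password(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(wordlist_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words chosen uniformly from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker searches half the space."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(word_count: int = 5, wordlist=TOY_WORDLIST, separator: str = "-") -> str:
    """Build a passphrase from cryptographically random word choices (secrets, not random)."""
    if word_count < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    pw_bits = entropy_bits_password(PRINTABLE_ASCII, 8)
    pp_bits = entropy_bits_passphrase(DICEWARE_SIZE, 5)
    print(f"8-char random password : {pw_bits:5.1f} bits, "
          f"~{expected_years_to_crack(pw_bits, ASSUMED_GUESSES_PER_SEC) * 365 * 24:.1f} hours")
    print(f"5-word passphrase      : {pp_bits:5.1f} bits, "
          f"~{expected_years_to_crack(pp_bits, ASSUMED_GUESSES_PER_SEC):.1f} years")
    print("example passphrase     :", generate_passphrase())
```

Note that the figures assume a truly random choice; a passphrase built from a famous quotation or song lyric is a dictionary entry, not a random draw, and the entropy estimate above does not apply to it.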
However, for those members who choose to keep using passwords, the following composition rules are recommended to make passwords stronger and keep them secure. Note that the National Institute of Standards and Technology (NIST, SP 800-63B) states that periodic password changes are unnecessary as long as the following recommendations are followed:
• Do not use passwords based on personal information or that can be easily accessed or guessed.
o For example: Using birthday dates, pet names, or favorite movies and books that can be found by quick search on social networking sites.
• Users should be prohibited from using their names or company name to construct a password.
• Passwords should not contain dictionary words; this refers to conventional words, not to invented (made-up) words.
• Check new and existing passwords against a continually updated blacklist of known compromised and commonly used passwords.
• Passwords that are around 8 characters long are still very easy to crack or guess.
• When a user sets a new password, it should be verified by an automated IT system. These checks by the IT department should run when passwords are created and should be repeated continuously, preferably daily.
• There must be a documented process to follow in case a password is compromised. Different passwords must be used for different accounts.
• Users should not choose passwords that are the same or similar to the last four passwords.
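The rules above can be enforced mechanically. The following is an added example, not code from the CTPAT bulletin: a Python policy check that rejects a candidate password if it is too short, appears on a blacklist, contains the user's personal details or a dictionary word (after undoing common letter-for-symbol substitutions), or is similar to any of the last four passwords. A second function shows how the daily re-verification of existing accounts can be done without plaintext, by hashing each blacklisted password and comparing against the stored hashes. The blacklist, dictionary, personal details and stored hashes are all constructed sample data; the 12-character minimum, the 0.8 similarity threshold and the unsalted SHA-256 store are assumptions (a Windows domain audit would use NTLM hashes in the same way).

```python
import difflib
import hashlib

# Constructed sample lists standing in for an organisation's real ones.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2020"}
DICTIONARY = {"summer", "winter", "dragon", "monkey", "welcome", "company", "secure"}
MIN_LENGTH = 12          # assumed policy minimum; the bulletin only says ~8 is too short
MAX_SIMILARITY = 0.8     # assumed threshold for "similar to a previous password"
HISTORY_DEPTH = 4        # bulletin: not the same as or similar to the last four

_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def _normalise(s: str) -> str:
    """Lowercase and undo common substitutions so 'P@ssw0rd' is judged as 'password'."""
    return s.lower().translate(_LEET)


def check_password(candidate, personal_info=(), previous=(), blocklist=BLOCKLIST, dictionary=DICTIONARY):
    """Return a list of policy violations for a candidate password (empty list = accepted)."""
    violations = []
    norm = _normalise(candidate)
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if norm in {_normalise(b) for b in blocklist}:
        violations.append("appears on the password blacklist")
    for item in personal_info:                      # names, birthdays, pets, company name
        if len(item) >= 3 and _normalise(item) in norm:
            violations.append(f"contains personal information: {item!r}")
    for word in sorted(dictionary):
        if len(word) >= 4 and word in norm:
            violations.append(f"contains dictionary word: {word!r}")
    for old in list(previous)[-HISTORY_DEPTH:]:      # only the last four are compared
        ratio = difflib.SequenceMatcher(None, norm, _normalise(old)).ratio()
        if ratio >= MAX_SIMILARITY:
            violations.append(f"too similar to a previous password (similarity {ratio:.2f})")
    return violations


def sha256_hex(password: str) -> str:
    """Assumed unsalted hash used by the sample credential store."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample store: user -> stored hash. 'alice' reused a blacklisted password.
SAMPLE_STORE = {"alice": sha256_hex("qwerty"), "bob": sha256_hex("Xq7#vLm9!pRt2w")}


def audit_stored_hashes(stored, blocklist=BLOCKLIST):
    """Daily re-check of existing accounts: hash every blacklisted password the same way
    the store does and report users whose stored hash matches. Works only for unsalted
    stores (e.g. NTLM); a salted store must be checked at password-change time instead."""
    bad = {sha256_hex(p) for p in blocklist}
    return sorted(user for user, h in stored.items() if h in bad)


if __name__ == "__main__":
    for pw in ("Welcome1", "Rex-Birthday-0415!", "CorrectHorse2024", "Xq7#vLm9!pRt2w"):
        print(pw, "->", check_password(pw, personal_info=["Rex", "0415"],
                                       previous=["CorrectHorse2023"]) or "OK")
    print("accounts using blacklisted passwords:", audit_stored_hashes(SAMPLE_STORE))
```

The similarity test deliberately normalises both sides before comparing, so that `CorrectHorse2024` is rejected as a trivial increment of `CorrectHorse2023`; a plain exact-match history check would let that rotation through.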
It is generally recommended that users never do the following with their passwords or passphrases:
• Never share passwords or passphrases with anyone.
• Do not write passwords on post-it notes stuck to monitors or to other surfaces around the computer.
• Users who cannot remember their passwords may write down hints, but these must be stored securely, for example in a locked drawer.
• An encrypted password manager can be used to generate and store passwords or passphrases.
In addition to keeping passwords and passphrases secure, computing devices should never be left unlocked, and assets should never be left unattended.
Passwords and passphrases are certainly essential for security, but they are of no value if users do not learn how to protect and use them wisely. Users must be properly trained on how to generate strong passwords and passphrases and keep them secure, as part of broader cybersecurity training.
Cybersecurity is a shared responsibility, and it is ultimately about people, more than technology. It only takes one infected computer to potentially compromise them all. The most impressive and sophisticated technology is of no value if it is not operated and maintained by informed users.