Mobile Passwords--Tricks & Treats
The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project team.
With Halloween around the corner, the National Cybersecurity Center of Excellence (NCCoE) wants to share a few “tricks” and tips for mobile passwords that result in the “treat” of protecting your mobile device from compromise.
Below is a list of several potential mobile password threats that can impact you or your organization:
- Lost/Stolen Phone – If an unauthorized user obtains a lost or stolen mobile phone that has no password, they may have easy access to sensitive information on the device (e.g., messages, photos, or email)
- Brute-Force Attack – If a mobile phone has a weak password, a malicious attacker may be able to easily obtain the password and gain access to information on the mobile phone
- Phishing – If a password is captured by texting or emailing to convince a user or subscriber into thinking the attacker is a verifier or reliable party, the attacker can gain access to a user’s account(s) and access sensitive information
To protect against mobile password threats, here are a few tips:
1. Apply multi-factor authentication.
If a password is compromised, requiring a second factor for authentication can help protect against threats such as phishing attacks.
Multi-factor authentication can be any combination of the following:
- Something you know – Password, pin, etc.
- Something you have – Authenticator app, hardware token, etc.
- Something you are – Biometrics (e.g., fingerprint or face recognition)
For example, if an attacker has acquired your password (something you know) through a phishing attack, but your account requires a password + your fingerprint (something you are) to grant access, then the attacker will not be able to access your account because they do not have access to the second factor.
2. Choose a password with a minimum length of 8 characters.
A common misconception is that complexity is the key to having a strong password. NIST SP 800-63B highlights that complexity can actually make it difficult for the user to remember their password and can deter them from developing a strong memorable password.
Instead, 800-63B recommends creating a memorable password that is at least 8 characters in length to help prevent against brute-force attacks, while also ensuring the user can remember their password/pin/passphrase.
We hope these mobile password tricks and treats were helpful.
More information about how to use and apply specific authenticators can be found in NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management.