Mobile Passwords–Tricks & Treats


The NCCoE Buzz: Mobile Security Edition is a recurring email on
timely topics in mobile device cybersecurity and privacy from the National
Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project


With Halloween around the corner, the National Cybersecurity
Center of Excellence (NCCoE) wants to share a few “tricks” and tips for mobile
passwords that result in the “treat” of protecting your mobile device from

Potential Threats

Below is a list of several potential mobile password threats that
can impact you or your organization:

  • Lost/Stolen – If an unauthorized user obtains a lost or stolen mobile
    phone that has no password, they may have easy access to sensitive
    information on the device (e.g., messages, photos, or email)
  • Brute-Force – If a mobile phone has a weak password, a malicious attacker
    may be able to easily obtain the password and gain access to information
    on the mobile phone
  • Phishing – If an attacker captures a password by texting or emailing a
    user or subscriber to convince them that the attacker is a verifier or
    other reliable party, the attacker can gain access to the user’s
    account(s) and sensitive information

Password Protections

To protect against mobile password threats, here are a few tips:

1. Apply multi-factor authentication.

If a password is compromised, requiring a second factor for
authentication can help protect against threats such as phishing attacks.

Multi-factor authentication can be any combination of the following:

  • Something you know – Password, PIN, etc.
  • Something you have – Authenticator app, hardware token, etc.
  • Something you are – Biometrics (e.g., fingerprint or face recognition)

For example, if an attacker has acquired your password (something
you know) through a phishing attack, but your account requires a password +
your fingerprint (something you are) to grant access, then the attacker will
not be able to access your account because they do not have access to the
second factor.

2. Choose a password with a minimum length of 8 characters.

A common misconception is that complexity is the key to having a
strong password. NIST SP 800-63B highlights that complexity can actually make
it difficult for the user to remember their password and can deter them from
developing a strong memorable password.

Instead, 800-63B recommends creating a memorable password that is
at least 8 characters in length to help protect against brute-force attacks,
while also ensuring the user can remember their password/PIN/passphrase.
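As an added example (not code from the NCCoE post or from NIST), here is how a verifier can apply the 800-63B guidance above: require at least 8 characters, accept up to at least 64, screen against a blocklist of common or compromised secrets, and impose no composition rules, so a long memorable passphrase passes while a short "complex" password does not. The blocklist and context words are constructed sample data, not a real list.

```python
import unicodedata

# Constructed sample blocklist of commonly used / previously compromised
# secrets; a real verifier would load a much larger list (assumption).
COMMON_SECRETS = {
    "password", "12345678", "qwerty123", "p@55w0rd!", "letmein1",
}

MIN_LENGTH = 8   # 800-63B: at least 8 characters for subscriber-chosen secrets
MAX_LENGTH = 64  # 800-63B: verifiers must accept at least 64 characters


def check_memorized_secret(secret: str, context_words=()) -> tuple:
    """Return (accepted, reason) for a subscriber-chosen password/passphrase.

    Mirrors the 800-63B approach: enforce length and a blocklist, but impose
    no composition rules (no required digits, symbols or mixed case).
    """
    # Normalize so visually identical Unicode input compares consistently;
    # 800-63B recommends NFKC or NFKD before hashing or comparison.
    normalized = unicodedata.normalize("NFKC", secret)
    # Count Unicode code points, not bytes, so non-ASCII secrets are not
    # penalized; spaces are allowed and kept.
    length = len(normalized)
    if length < MIN_LENGTH:
        return False, f"too short: {length} < {MIN_LENGTH} characters"
    if length > MAX_LENGTH:
        return False, f"too long: {length} > {MAX_LENGTH} characters"
    lowered = normalized.casefold()
    if lowered in COMMON_SECRETS:
        return False, "appears on the common/compromised secret blocklist"
    # Reject secrets built from context-specific words (username, service name).
    for word in context_words:
        if word and word.casefold() in lowered:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Tr1ck!", "P@55w0rd!", "pumpkin patch after dark"):
        accepted, reason = check_memorized_secret(candidate)
        print(f"{candidate!r}: {'OK' if accepted else 'REJECT'} ({reason})")
```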

We hope these mobile password tricks and treats were helpful.

Additional Resources

More information about how to use and apply specific
authenticators can be found in NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management.

More information on how to protect against other potential mobile
threats can be found in NIST SP 1800-22 Mobile Device Security: Bring Your Own Device.