How do you encourage strong password practices? Passwords control access not just to the MLS but also to transaction and document management systems containing clients' personal and financial information, often via single sign-on (SSO) like the Clareity® dashboard. Continue reading and learn about the current password practices from the National Institute of Standards and Technology (NIST), an agency that develops cybersecurity standards, guidelines, and best practices to meet the needs of federal agencies and the broader public.
NIST guidelines around password complexity:
- Passwords must be at least eight characters long – but longer (i.e., 12-20 characters) is better.
- Passwords must not be a single dictionary word (“constructivism” is a poor password; “codeofethicsunderallistheland” is a strong password)
- Passwords must not be obvious patterns (e.g., 123456789)
- Passwords must be unique
- Passwords should be changed yearly, or when a compromise is discovered
- “No other complexity requirements for memorized secrets should be imposed” (such as requiring uppercase and lowercase letters, numbers, and punctuation)
- Use of a password manager is recommended by NIST; however, caution should be used when choosing a trustworthy password manager, as such programs have become a target for the hacking community, and not all password managers have a good security track record.
Though complexity improves protection against some types of password hacking, according to NIST, it may result in passwords that are hard to memorize or stored insecurely. If your organization has a complexity requirement, re-evaluate it.
Do not use a compromised password! When a password is changed, CoreLogic® Clareity checks the new password to see if it has already shown up on the dark web. If a password is known to be compromised at the time of change, Clareity will not allow its usage.
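As an added example (not CoreLogic's or NIST's code), the Python sketch below applies the rules listed above at password-change time, including rejection of a known-compromised password. The word list, breached list, keyboard rows and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data (assumptions): real deployments use full-size lists.
DICTIONARY = {"constructivism", "password", "welcome", "realtor"}
# SHA-1 is used only as a lookup key into the breached list, not for storage.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("123456789", "qwerty123", "letmein2024")}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_obvious_pattern(pw: str) -> bool:
    """True for one repeated character, a counting run, or a keyboard row."""
    s = pw.lower()
    if len(set(s)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):  # 123456789, abcdefgh, 987654321
        return True
    return any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list[str]:
    """Return the rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in DICTIONARY:
        problems.append("single dictionary word")
    if is_obvious_pattern(pw):
        problems.append("obvious pattern")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("known compromised password")
    # Deliberately no uppercase/digit/punctuation rule, per the NIST quote.
    return problems


if __name__ == "__main__":
    for candidate in ("codeofethicsunderallistheland", "constructivism",
                      "123456789", "Tr0ub4!"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Uniqueness across different sites cannot be verified by a single system, so that rule is not enforced here.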
Stronger authentication is better! All of that said, a strong password is only the beginning. You need to ensure your password is protected by using a secure password vault. Never share your password with anyone or give it up in a social engineering attack (phishing, smishing and vishing). NIST recommends additional security, such as multi-factor authentication (MFA). CoreLogic’s Clareity product offers an option for MFA on top of its existing security solution. It is important that real estate professionals use MFA wherever it is offered – as well as practice the password guidance described in this article.
This advice is based on the “Digital Identity Guidelines” published by the National Institute of Standards and Technology.
About the Author:
Matt Cohen is Principal, Advisory Services at CoreLogic. Matt has been providing technology and management consulting as well as information security audits and presentations for the real estate industry for over 25 years. Matt has spoken at many industry events, has been published as an author in Stefan Swanepoel’s “Trends” report and in a variety of real estate association magazines, and he has been honored by Inman News by being listed as one of the 100 Most Influential Real Estate Leaders in 2013.
Clareity by CoreLogic is an identity provider to real estate multiple listing services and associations.