IRS: Old Password Guidance is Passé
Anyone who maintains any type of online account should use strong passwords to protect against savvy cyber criminals taking over their identities and accessing sensitive tax and financial data.
But there’s been some new thinking as to what a strong password is. The latest guidance suggests using a passphrase, such as a favorite line from a movie or a series of associated words, rather than a password. The idea is to create a passphrase that can be remembered easily and still protects the account. This means passwords like “uE*s3P%8V)” are out. Longer, personal phrases people can remember, such as SunWalkRainDrive, are now preferred.
The IRS, like all federal agencies, follows the cybersecurity framework set by the National Institute of Standards and Technology (NIST), which is a branch of the Department of Commerce. NIST last year rethought its guidance on passwords.
NIST suggested these three steps to build a better password:
Step 1 – Leverage your powers of association. Identify associated items that have meaning to you.
Step 2 – Make the associations unique to you. Passphrases should be words that go together in your head but that no one else would ever suspect. Good example: Items in your living room such as BlueCouchFlowerBamboo. Bad example: Names of your children.
Step 3 – Picture this. Create a passphrase that you can picture in your head. In our example, picture items in your living room. The key is to create a passphrase that is hard for a cybercriminal to guess but easy for you to remember.
In addition to creating strong passwords, the IRS urges taxpayers to take these additional steps:
Use a different password or passphrase for each account; use a password manager if necessary for multiple accounts.
Use multi-factor authentication whenever possible. Don’t rely on the passphrase alone to protect sensitive data. Multi-factor authentication means returning account holders need more than just their credentials (username and password) to access an account. They also need, for example, a security code sent as a text to a mobile phone. Email providers and social media outlets, such as Facebook, offer multi-factor authentication options.
Change all factory-set passwords for wireless devices such as printers and routers. Again, use strong passphrases to protect access to these devices, which further safeguards sensitive data.
The IRS, state tax agencies and the tax industry are committed to working together to fight against tax-related identity theft and to protect taxpayers. But people need to help by taking steps to protect themselves online.
Taxpayers can visit the “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, for additional steps to protect themselves and their data from identity theft.