Password complexity changes as recommended by NIST

What does your password say about you? If it says “password” or is simply a string of letters, numbers and symbols, then you might want to consider changing it. Passwords are important for personal security, but not all of them are of equal quality. It turns out that what makes for a good password is a complex question of probability and human factors. This question was put to a mid-level manager, Bill Burr, at the National Institute of Standards and Technology (NIST) back in 2003.[1] The password advice from NIST became influential not just within the federal government but on corporate networks, websites and mobile devices as well.

NIST SP 800-63B Special Publication – 2003

The initial recommendation included these simple rules:

  • lowercase letters
  • uppercase letters
  • numbers
  • special characters (@, !, $, etc.)
  • changed regularly



That last rule became an issue for IT departments and led to weaker passwords, as people would make minor modifications that were easy to guess. Which is more secure: “password123” or “P@ssW0rd123!”? The latter follows the NIST rules above but is actually not an improvement. The requirement to change passwords regularly led people to add memorable characters like 1, 2, 3 as iterations, which were predictable and not more secure. This requirement and others often led to passwords being scribbled on Post-It notes stuck to the computer screen, as they were beyond the recollection capabilities of most users. Humans naturally began substituting numbers for similarly shaped letters or vowels (as in our password transformation example above). They also used easily remembered numbers like birthdays, words like “friends,” or a sequence of numbers like “12345,” the famed password of planet Druidia’s defense shield in the movie Spaceballs.[2]

NIST SP 800-63B Special Publication – 2017

This NIST SP offers stronger password requirements than the NIST Password Guidance published in 2003. NIST’s Special Publication 800-63B provides federal agencies with more stringent password requirements for authentication of federal systems and identities. NIST SP 800-63B includes technical changes and clarifications to NIST SP 800-63A. NIST Special Publication 800-63B[3] requires the use of at least three character types from at least two of the following four categories:

  • lowercase letters
  • uppercase letters
  • numbers
  • special characters (@, !, $, etc.)

In addition, NIST Special Publication 800-63B mandates a minimum length of eight characters, and the number of special characters required has been increased from one to two. These updates are important because they make it more difficult for hackers to guess passwords or to crack them through brute-force attacks.


“In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-science specialists.”

Robert McMillan – The Wall Street Journal

NIST’s goal with these updates is to improve the security of federal systems while also making it easier for users to remember their passwords. NIST’s updated requirements make it possible for users to create longer and more complex passwords that are still easy to remember. This update reflects the evolution of technology and accounts for the impact that new types of information, such as biometrics or tokens, can have on authentication processes. Passwords are essential for protecting your online identity.

NIST SP 800-63B-3 Special Publication – 2020

The NIST Special Publication 800-63B- update was published in March 2020 with new information on identity proofing and authentication. This revised publication provides guidance to organizations on how to strengthen the security of digital identities. It is important for IT managers to understand the changes in this publication so they can ensure their organization’s digital identities are secure. The new guidelines are informed by better data on password breaches and contain some interesting updates.

The new NIST guidelines recommend that you include these elements in your new password policy:

Password Authentication

  • Enable “Show Password While Typing”
  • Allow Password “Paste-In”
  • Use Breached Password Protection
  • Don’t Use “Password Hints”
  • Limit Password Attempts
  • Use Multi-Factor Authentication (MFA)
    • SMS may not meet OOB (out-of-band authenticators) requirements

Password Creation

  • Greater Length over Complexity
  • No more periodic resets

Password Storage 

  • Secure Databases
  • Hash Users’ Passwords

These core guidelines are worth looking at in more detail.


Password Creation

While password complexity is important, it is also crucial to have a password that is long enough to be secure. NIST SP 800-63B-3 recommends at least 8 characters for passwords. Increasing the length of your password increases the complexity and makes it more difficult for hackers to guess. While passwords that are at least 8 characters long can be found by hackers, they are not as commonly used.

It is important to note that the creation of separate, unique passwords for each application does not eliminate the need for strong passwords—it simply makes them easier to manage. Although attackers do not have access to all applications at once, an individual account can provide them with direct access to sensitive information such as credit card numbers and social security numbers by its reuse across multiple applications.

Randomly generated passwords can be used as a starting point for creating your own personalized, long and complex password. The length will ensure that it is not easily guessed, but the randomness means that it cannot be recalled by a human being either. There are several different implementations of random password generators, some simple and some complex, but all of which provide benefits over the use of standard passwords.

The end of mandatory resets was one of the top 3 issues when a draft came out in 2012 (the other two were similar problems with multi-factor authentication). To cope with the fact that passwords are inherently breakable, users were forced to carry out periodic resets (most people do it every 90 days), generating new passwords and distributing them to all systems requiring authentication. This has many failings:

  1. Password reset mechanisms are inherently insecure; everyone knows how easy they are to bypass, even when there is no reason to be suspicious of the user.
  2. Password reset mechanisms inflict excess load on IT support staff, who must distribute and then destroy these password reset tokens.
  3. Password reset mechanisms do not help with security at all; they just shift the burden onto users.

Password Authentication

Typos are a common occurrence in the world of passwords. There is no better way to decrease error rates than letting users see exactly where their typing went wrong by enabling the “show password” option. The paste-in function of the password manager will require people to create longer passwords, but in turn it makes them more compliant and safe. Many are using a tool like LastPass, which automatically generates complex passwords for every site they visit. Users only have to remember the tool’s master password and then they have access to all of their passwords.

New passwords should be checked against a “blacklist” of compromised passwords. This helps keep your account secure by not allowing anyone who might have the original data (i.e., hackers) access to steal things like usernames and personal details with their corresponding user names/passwords. This is called Breached Password Protection (BPP).

The password complexity requirements lead users to want more help remembering the password, in the form of password hints. Password hints are a way to use clues about the password as prompts for users so they can remember it. The new NIST SP 800-63B-3 Special Publication requires that any hint given be disabled, and notes that including a “hint” is a practice that should not be employed anymore.

One of the main concerns for the guidelines is the number of times a password can be attempted before the user is locked out. The new NIST SP 800-63B-3 Special Publication recommends a limit of three attempts. After three failed attempts, the user would then be required to wait for a period of time before attempting again. This measure is meant to protect accounts from being hacked or compromised.

Multi-factor authentication is an extra layer of security that is used in addition to passwords. It requires the use of more than one type of authentication credential. The basic concepts include these multiple factors working together:

  • “something you know” (like a password)
  • “something you have” (like a phone)
  • “something you are” (like a fingerprint)

SMS-based multi-factor authentication has been a convenient way to provide this extra layer of security. However, there have been concerns about its security. One of the main concerns about SMS-based multi-factor authentication is that the text messages can be intercepted. This means that someone who is not authorized to access the account could potentially receive the text message with the verification code and be able to log into the account.
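The Password Creation and Password Authentication items above (length over complexity, a breached-password check, a limit on attempts) can be expressed as a small acceptance check and attempt limiter. This is an added example, not code from NIST or from the original article; the blocklist entries, the case-insensitive comparison and the 300-second wait are assumptions made for illustration.

```python
"""Password acceptance and attempt limiting, following the checklist above."""

MIN_LENGTH = 8         # minimum length given in the article
MAX_FAILURES = 3       # attempt limit given in the article
LOCKOUT_SECONDS = 300  # assumption: the article names no wait period

# Constructed sample blocklist. A real deployment would load a breach corpus.
BREACHED = frozenset({
    "password", "password123", "p@ssw0rd123!", "12345678",
    "princess", "monkey", "iloveyou",
})


def check_new_password(candidate, blocklist=BREACHED):
    """Return a list of rejection reasons; an empty list means accept.

    Deliberately absent: character-class rules and expiry dates.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    # Assumption: compare case-insensitively so "Password" matches "password".
    if candidate.casefold() in blocklist:
        reasons.append("breached")
    return reasons


class AttemptLimiter:
    """Tracks consecutive failed logins per account and enforces a wait."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> time at which the wait ends

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, 0.0)

    def record_failure(self, account, now):
        """Count a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account] = 0
            return True
        self._failures[account] = count
        return False

    def record_success(self, account):
        """A correct login clears the failure history for the account."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def demo():
    """Run the checks on constructed inputs and return the outcomes."""
    results = {pw: check_new_password(pw) for pw in (
        "correcthorsebatterystaple", "P@ssW0rd123!", "monkey")}
    limiter = AttemptLimiter()
    locked = [limiter.record_failure("alice", now=t) for t in (0, 1, 2)]
    after_wait = limiter.is_locked("alice", now=2 + LOCKOUT_SECONDS)
    return results, locked, after_wait


if __name__ == "__main__":
    print(demo())
```

The long all-lowercase passphrase is accepted while the mixed-character variant is rejected, because the check looks at length and the blocklist rather than character classes.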

Password Storage

To protect your users’ passwords, it is important that only essential personnel have access to the database. In addition, after a user’s password is changed by an administrator or automated system, access to the hash of the user’s old password should be removed from all system components. If the user’s password was updated because of a security compromise (e.g. a data breach), this best practice becomes even more important. Follow NIST guidelines for admin passwords also.

Passwords should be hashed with interim storage. In this case, a hash function is used on a password and stored in an encoded form. A salt is used to make it more difficult for an attacker to gain access to hashes through a brute-force attack. A salt is a fixed-length string of characters that is usually stored separately from the encrypted password. The string is appended to the password before being hashed and then combined with the resulting hash. Salts are created from random data, which reduces the risk of big data breaches if one occurs.
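A sketch of salted password storage as described above, showing that two users with the same password end up with different stored records. This is an added example, not code from the original article; the choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and keeping the salt in the same record as the hash are assumptions of this example.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"  # PBKDF2-HMAC-SHA256: this example's choice of hash
ITERATIONS = 600_000      # assumption: work factor picked for this example
SALT_BYTES = 16


def make_record(password, iterations=ITERATIONS, salt=None):
    """Hash a password with a fresh random salt and return one storable string.

    Record layout (constructed for this example): scheme$iterations$salt$hash
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((SCHEME, str(iterations), salt.hex(), key.hex()))


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """The weak baseline: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo(iterations=ITERATIONS):
    """Two users choose the same password; compare what ends up in storage."""
    shared = "correcthorsebatterystaple"
    alice = make_record(shared, iterations)
    bob = make_record(shared, iterations)
    return {
        "unsalted_digests_match": unsalted_sha256(shared) == unsalted_sha256(shared),
        "salted_records_match": alice == bob,
        "alice_verifies": verify(shared, alice),
        "wrong_password_verifies": verify("Tr0ub4dor&3", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```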

Bad Passwords a-Dressed


I’ve had people look at it and they’re like, ‘Oh, I’d better go change my passwords,’

Ms. Cranor

It turns out, after lots of data analysis, that we think we are being clever about how we construct passwords designed to foil hackers, but the data show we are not. In 2003, Mr. Burr didn’t have the data to understand this. Today it is obvious to people like Lorrie Faith Cranor, who has spent years studying terrible concoctions and put 500 of the most common passwords on a blue shift dress.[7] The garment had been infused with the most common passcodes (“princess,” “monkey,” “iloveyou,” etc.), including a few that are unprintable here. At the 2015 White House cybersecurity summit at Stanford, the dress prompted careful study from those around her as well as some embarrassment.[8]

Conclusion

NIST SP 800-63B-3 provides guidance for managing digital identity in a world that is increasingly reliant on technology to work and communicate with others. There are many changes from previous editions, yet many similarities as well. These standards should be followed by all organizations that store sensitive personal data or provide online services where people can create an account and log in using passwords. If you’re not sure how best to comply with these guidelines or need help understanding what they mean for your organization’s authentication process, contact 1st Basis today.

SECURITYBRIDGE BROADENS U.S. REACH WITH NEW 1st BASIS GROUP PARTNERSHIP

Press Release

Ingolstadt, Germany, February 22, 2022 – SAP security provider SecurityBridge—now operating in the U.S.—today announced a partnership with Wisconsin-based 1st Basis SAP Services Group (1st Basis). The partnership enables 1st Basis to provide SecurityBridge’s integrated SAP Security platform and services—the most advanced cybersecurity to SAP managed services, and S4HANA migration projects—to their customer base.

“It’s no secret that SAP often holds an organization’s crown jewels and needs to be given the utmost protection. However, according to the latest research 43% of data breaches are at the application layer and we are finding that this is the greatest area of weakness,” said Doug Pastrich, CEO of 1st Basis.

SecurityBridge provides the most advanced cyber-platform with real-time threat detection, vulnerability management, custom code scanning, and patch-management in a seamless one-stop-shop solution, built on a single technology layer. With real-time dashboards based on SAP Fiori, SecurityBridge provides actionable intelligence that can be relied upon to make critical security decisions.

“SecurityBridge provides the most comprehensive functionality and seamlessly integrates within the SAP technology stack. Its agile and holistic approach enables us to provide transformation and managed services very quickly and smoothly. 1st Basis will be building on our solid reputation of providing our clients with the utmost quality of managed services as security is becoming more urgent. With this partnership, we will provide significant speed to security in our ability to reduce the attack surface for our customers by utilizing the power of SecurityBridge,” added Pastrich.

“Threats against SAP systems are becoming more prevalent and more sophisticated. The most effective, proven approach is to combine constant real-time threat monitoring and vulnerability management into a holistic security process,” said Christoph Nagy, CEO of SecurityBridge.

“The partnership with 1st Basis will be highly synergistic for both parties, as we see the increasing migration towards managed services for SAP clients. We value the expertise and excellent reputation that 1st Basis provides, and we look forward to an exciting year ahead.”

About Security Bridge

SecurityBridge is an SAP Security Platform provider, developing tools to extend the SAP ecosystem. The company takes a radically different approach to traditional security tools, believing SAP applications and custom code will be infiltrated no matter how diligently security hygiene is applied. In response to this belief, SecurityBridge created the world’s only natively integrated real-time solution for constant monitoring. Powered by anomaly detection, the SecurityBridge platform can differentiate between accurate results and false positives so that security teams can better focus on real issues. For more information, please visit securitybridge.com.

About 1st Basis


Founded in 2006, 1st Basis provides affordable, high-quality SAP Basis managed services at SAP Best Practices standards. For over a decade, we have kept that promise. We leverage our unmatched expertise to keep our customers’ SAP systems secure, stable and highly available. For more information, please visit www.1stbasis.com.

Background

This is a companion piece to our other post on TikTok and potential security concerns with SAP. The geopolitical background issues are the same. China has a history of corporate and other espionage and a history of inserting its interests into the affairs of corporate entities, even technically private ones, at home. It is also the world’s most developed surveillance state, and recently, it and the United States have been increasingly at odds on a variety of issues.

Unlike TikTok, Zoom is not headquartered in China. Its owner, Eric Yuan, is originally from China, but moved to the United States in 1997.

The Rise of Zoom

As most people now know, Zoom has been one of the greatest beneficiaries of CoVid lockdowns, seeing an almost twentyfold rise in usage over the past year. People isolating to slow the spread of ‘the virus’ have flocked to the platform for social and work purposes. The subsequent discovery by many workers (and some businesses) that much of what they do doesn’t depend on their being on-site has contributed to its continued expansion. Lots of educational institutions and social services and primary medical services have adapted to employ video as well.

The ease with which Zoom can be accessed and its full but intuitive feature set have spurred its widespread adoption, but that same broad suite of functionalities and ease of access have made it a broad target for hackers and other online bad actors.

The Problematic History

There have been a series of security issues with Zoom that are, perhaps, not surprising given the nature of the platform. Early on, many people using the platform were declining to use the password option, which gave an opening to bombers and grifters to bust into meetings and wreak havoc. In one infamous example, a major university’s graduation, held online because of CoVid, was interrupted with racial invectives. The platform has been used for information scraping, malware injection, password stealing, and just about anything else a hacker might want to do. At one point, Zoom partnered with a Chinese firm to generate cryptographic keys, which threw up warning signs among politicians and security experts. Additionally, Zoom agreed to de-platform several well-known Chinese dissidents at the request of the Chinese Communist Party (CCP).

The list of exploits and possible vulnerabilities is very long, and you can read about them in depth in this excellent compilation at Tom’s Guide. The most problematic thing about Zoom, though, has been its lack of candor at times, for instance claiming to have inaugurated end-to-end encryption when it hadn’t done so. In response to various criticisms, Zoom has taken steps to mitigate its vulnerabilities, but very few of these steps seem, from an outside perspective, to have been taken proactively. A variety of alternatives to Zoom are available. If you share sensitive information on such a platform, you might be better off to look elsewhere until Zoom has established a more robust security track record, and this is probably more likely to be true of businesses that employ SAP services than those that do not. Zoom’s vulnerabilities make it not just problematic in view of the Chinese, but also corporate espionage, sabotage, and sundry black-hat exploits. As with TikTok, your vulnerability profile will depend entirely on the potential value of the information that you share to those who shouldn’t have it.

Geo-Political Background

Recently, the Trump administration has kicked around the possibility of banning the use of TikTok in the United States. This comes against a backdrop of increasing tensions between the United States and China due to China’s emergence as a military and economic rival superpower, and exacerbated by what some in the West view as China’s military and economic expansionism against a backdrop of long-time institutional infiltration, technological and other espionage, and unfair trade practices. Recently, relations have been further strained by internal Chinese crackdowns on civil dissent, reneging on the conditions of its treaty with Great Britain regarding the status of Hong Kong, and what some (though not all) view as blame for not having blown the whistle earlier about CoVid-19, which has had devastating health, social, and economic consequences around the globe.

India, which has recently clashed with China above the disputed Galwan Valley between China and Indian-administered Kashmir, has banned the popular short-form video plus sound application. There have been rumors, though denied, that Australia and the Philippines might also follow suit. Both of those nations have been alarmed by Chinese expansionism in the South China Sea.

Does TikTok Pose a Danger?

Does the application pose a danger? It’s hard to say. Like most such applications, new versions often are filled with security issues that need to be patched, and TikTok does a comparatively decent job of doing so. The company that owns TikTok, ByteDance, is headquartered in China, but not ‘owned’ by the government per se. ByteDance swears up and down that it would never convey any user information to the Chinese government, but the rights and responsibilities of ‘private’ corporations in China vis-a-vis the government are more . . . negotiable, let us say, there than they are in the West.

At present, there’s no reason to believe that TikTok collects any more information than other ‘free’ social media applications, such as Facebook and Twitter, which monetize metadata from their users to target ads and such, but following revelations of what Cambridge Analytica was able to infer from access to Facebook’s information during the 2016 election, there is some concern about how China might use such information for similar purposes (or worse) such as: wargaming, propaganda/disinformation and election meddling. We have already seen that they take a very aggressive line against their own citizens at home and abroad who use online platforms to criticize the government, and like the Russians they seem to be cultivating their own troll farms.

With Regard to SAP Users . . .

The problem here is that many SAP users are companies whose information is not only valuable to themselves, but potentially also to others. One of the things that TikTok was criticized for was maintaining access to clipboard information. They were criticized again when found not to have fixed the problem. They excused the delay by saying that there was a conflict with the spam filter. Theoretically, a government with access to such information might leverage it either through simple data mining or blackmail. A surveillance state such as China might exploit or introduce backdoor methods of accessing data on devices with the TikTok application, as they are said to have done with Huawei, their 5G cellphone network.

So there is no clear-cut answer on whether to prevent employees from using TikTok on devices that also might be used for work purposes. As a precaution, and partly because of the conflict, India has banned certain Chinese apps (including TikTok). The State Department would like Microsoft or some other US-based company to buy it. They have given a deadline before it is banned. For the moment, we advise caution.

The coronavirus pandemic has dramatically changed the lives of almost every American. With stay-at-home orders in place, and nonessential businesses closed, the internet has become the place where we work, shop, learn, worship, bank, communicate, and socialize. The demands of the COVID-19 crisis also translate into greater mechanization in laboratory testing, hospital settings, logistics and delivery. The need to secure databases and provide completely secure servers means that businesses will be investing in Enterprise Resource Planning and enhancing the landscapes already in use. Technology is already playing a huge role in keeping our society going; its importance will continue to grow when the pandemic is over.

 

Information Technology Services

Remote working has quickly become the norm around the country; now that we know it works, it may become more common even after the COVID-19 outbreak subsides. The demand for cloud infrastructure services and specialized software will continue to grow as well. The hardware that supports it needs to be in place and the telecom systems must meet the demand. Businesses either need to develop their own top-flight in-house IT team, or they need to work with organizations that specialize in ERPs and SAP systems. Most organizations do not have a dedicated IT department in place for a reliable business-continuity plan (BCP). Those that do have IT departments will need to supplement them with help from IT service providers in procuring devices, setting up a resilient, flexible and secure network, disaster recovery systems, and IT security.

Data Protection

In the current environment, more health providers are offering tele-health services. That, combined with the extraordinary numbers of people ordering online, as well as those registering for jobless claims, means that the need for data protection has never been greater. The recently published ABI Research report “Taking Stock of COVID-19” notes the vast quantity of personal data available, and the danger that it could end up “in the hands of a few entities with no visibility, no legislative barriers, no surveillance limitations, and no biometric revocation options for the foreseeable future.” Governments and biometrics vendors are responsible for creating person-centered solutions and utilizing the proper security measures to prevent this.

Biometrics

One concern that has arisen with this pandemic lies in the area of biometrics. In general, biometric AI and ML algorithms are working well to protect networks and data. However, many governments have invested tremendously in biometrics in everything from passports to security clearances. Almost all rely, at least in part, on fingerprint recognition; that kind of physical contact poses an obvious health risk. There needs to be a shift away from contact-only applications and the likelihood is that facial and iris recognition will become the norm. This will create a myriad of additional problems “because a great deal of law enforcement, Automated Fingerprint Identification Systems (AFIS)/Biometric Identification Systems (BIS), border control, visa and immigrations applications are also based on fingerprint identification” (ABI Research).

 

Supply Chains

One thing that this pandemic has demonstrated with painful consequences is our overdependence on foreign supply chains. With most of the manufacturing of hardware for technology concentrated in Asia (for instance with 5G phones), the result of the months-long lockdown there will be a delay in the launch of new smartphones and other upgraded devices. Supply chain constraints apply to the raw materials as well. At the same time, hardware companies may see major demand coming from businesses that are placing large orders for laptops and mobile devices to support employees now working from home. In order to create resilience in the supply chain, significant changes need to take place. Sourcing must become both more local and more diffuse. Instead of a couple of suppliers in China producing the majority of semiconductors, for instance, we should have a number of manufacturing plants throughout the U.S. producing them.

Now that the world has discovered that it is indeed possible to work remotely, and truly take advantage of the technology available, there’s no way to stuff that genie back into the bottle. In order to make sure that your business is ready for the world, post-pandemic, contact the experts at 1st Basis to remotely supplement your Basis resources during these trying times.

SAP systems provide the highest quality integrated management system keeping your databases, financials, inventory, logistics, and other resources working smoothly and securely together. In order to optimize your use of the SAP systems, it’s wise to have your people expanding and refining their education in SAP offerings. With most of the country in lockdown and working from home, this is an ideal time for professional development. And SAP is assisting in this endeavor by making it easier than ever to access online learning.

 

The following content was originally sourced from an external website (SAP SE Newsroom) and is the copyright of the external website owner.

WALLDORF – 22/03/2020: SAP SE (NYSE: SAP) today announced a new digital learning initiative offering innovative, interactive educational content to support students, professionals and anyone wishing to continue to learn during this challenging time.

“The effects of the COVID-19 pandemic are impacting everyone around the world,” said Christian Klein, co-CEO and member of the Executive Board of SAP SE. “We want to make sure education does not take a back seat during this time. Students and subject-matter experts need access to safe and healthy learning environments to continue their education virtually. SAP is expanding its commitment to support the next generation of professionals and users by broadening access to some of our best digital learning offerings to facilitate the continuity of innovation and enablement.”

This dynamic initiative is based on three educational pillars – massive open online courses (MOOCs), learning journeys for universities and the SAP Young Thinkers program – as part of SAP’s comprehensive learning and enablement program. SAP will respond and adjust to participant feedback and requirements to improve and adapt the courses continuously.

 

openSAP Is Open to Everybody.

The award-winning openSAP platform provides MOOCs to anyone interested in learning about leading technologies, the latest innovations and the digital economy. Course topics include automated robotic process automation, data science, machine learning, ethical artificial intelligence (AI), the Internet of Things (IoT), sustainability, Java programming and more.

Offered free of charge on the openSAP platform, these enterprise MOOCs use proven classroom learning concepts, including gamification and discussion forums with peers and experts, all delivered in an online format. Courses can be accessed without restriction, anytime, anywhere and from any device. Podcasts and micro-learning formats provide users with self-contained, bite-sized content that is easy to consume.

To register, you must be older than 16 years of age, but the courses themselves are suitable for learners of any age. To find out more, please visit https://open.sap.com.

 

Free Learning Offering for University Students With System Access and Global Certification from SAP.

SAP provides 90-day access to four selected learning journeys for students interested in preparing digitally for a career in the SAP ecosystem and studying at one of the over 3,800 member universities in the SAP University Alliances program. Areas of study include scope and business processes specific to SAP S/4HANA, the SAP S/4HANA Cloud Finance solution, the SAP SuccessFactors Employee Central solution and modeling in SAP HANA.

The offering is specifically designed for students and is available for free. It includes various learning formats in multiple languages as well as free access to training systems for hands-on practice. These tools help students prepare for an exam to achieve SAP global certification from SAP on specific subjects. One exam attempt is included free. The package can be accessed here.

SAP Young Thinkers Program Available to Everyone.

To support students and teachers facing school closures and other disruptions, the learning courses in the SAP Young Thinkers program are available on one central, open-access website.

SAP Young Thinkers provides a foundation for digital literacy, inspiring the next generation to pursue careers in STEAM (Science, Technology, Engineering, Arts and Math) fields. Students and IT beginners can explore creative methodologies and technologies to help shape a better world.

For more information about the program or to register for the introductory course “Get Coding with SAP” please visit www.sap.com/young-thinkers. The SAP Young Thinkers program embraces a global network of engaged SAP employees and motivated partners. It offers learning opportunities for digitalization with a focus on computer science, economics and creative solution and learning methodologies targeting the 17 Sustainable Development Goals (SDGs) set in 2015 by the United Nations General Assembly.

How SAP and IT organizations are helping the 3.5 billion people without internet access.

For many of us, living without constant access to the internet is unimaginable. We use computers—in one form or another—constantly. But what about those who have minimal, if any, access to the internet? Those who have never even touched a computer? Nearly half of the world’s population—3.5 billion people—did not have regular access to the internet this year.

Welcome to the Digital Divide.

Developing countries face major challenges incorporating technology into their infrastructure (cost, political unrest and the inability to service remote areas, to name a few). As of this writing, every area that could easily be connected to the internet is connected, yet in more than 100 countries around the world, fewer than 50% of inhabitants have regular access to the internet. Even when they are connected, they experience significantly slower speeds as well as a lack of content relevant to their culture or even in their language, since few of them can contribute to online media.

Bridging the Digital Divide on the global scale will be a game changer for many countries—connecting developing nations has shown a significant increase in their GDP. On the local scale, however, the divide is more troublesome for many individuals. In areas with less than half of the population online, many families and employers are accustomed to this way of living because so few of them have access. It is very different in countries where internet access is as essential as running water or electricity. You are expected, often required, to be online.

Think about everything the internet offers us—job opportunities, connections to friends and family, necessary communications for work or personal responsibilities, researching products, education, and so many other advantages. Now imagine not being able to access any of that while everyone else continues around you, expecting you to keep up or get left behind. This is the reality for 7 million Americans.

This divide is primarily caused by socioeconomic factors. Students whose families do not have reliable internet access, or a computer, face a much harder time completing their homework and are far less likely to do well in school. Individuals who cannot regularly use a computer are less likely to develop their computer skills to the level required by most employers. It is a vicious cycle making it increasingly difficult to escape poverty.

Several companies are stepping up their corporate citizenship efforts to help bridge the divide through free WiFi hotspots, affordable satellite connection initiatives in rural areas, and digital literacy training. Facebook, for instance, is fighting the global divide with their “Free Basics” program which provides free internet in 22 nations. However, it only offers access to about 20 websites—Facebook, of course, being one of them. SAP is also helping by providing CodeWeek programs around the globe—offering accelerated courses tailored specifically to the technological needs and ability levels of CodeWeek locations, aiming to create economic stability through education.

But how can you get the most out of these skills and connections if you don’t have a computer? One local nonprofit set out to fill this gap by getting affordable, quality computers into the hands of those that need them the most.

Meet Digital Bridge.

Jeff Hanson, executive director of Digital Bridge, realized the extent of the digital divide on a volunteer trip to Kenya as a student at Milwaukee School of Engineering (MSOE). While setting up a lab for a local school, it became clear to him that many of the students had never even touched a computer.

Once back in Milwaukee, Hanson heard from many nonprofit organizations desperately searching for affordable computers to connect patrons with resources available through online searches such as jobs, affordable housing, medical care, or education opportunities. Even if they could obtain a used computer, the computers were typically outdated and slow. Digital Bridge began to bridge this divide between those with access to technology and those without by creating an easy way for anyone to donate computer equipment to be refurbished and directed to those in need.

“In Milwaukee, or other major cities, you’re expected to be using technology. If you don’t have a computer or you’re not sure how to use it, it is really going to be hard to function in our society [where] Technology is a necessity, not a privilege… Our biggest goal is that people or businesses should be able to donate a piece of technology as easily as they would donate a shirt, knowing that it can and will be reused.”—Jeff Hanson, Executive Director

As a member of the National Association of Information Destruction (NAID), they follow the highest standards of data security to ensure the protection of their donors’ information. All equipment is under constant supervision by access employees until it arrives in their secure location. Before any equipment leaves this area, all drives and asset tags are removed, and the entire drive is written over with new data. Any drive that fails the wipe or is not in perfect health is destroyed to ensure security. Digital Bridge makes it easy for you to make a difference with the peace of mind that your data will be securely wiped.

Computers are cleaned, tested, repaired and returned to out-of-box mode with a fresh OS. Eligible nonprofits and individuals are able to choose from several options in their online store, allowing them a similar experience to traditional consumers.

This year alone, Digital Bridge has distributed more than 600 computers and redirected 70,000 pounds of e-waste, creating a true bridge to those in need.

They have already helped many people but there is always more to be done. Poverty can be further diminished through access to technology. Think about everything that technology offers us—education, employment, searching for resources, connecting to family and friends… How powerful that can be! If you can reach it.