We all use passwords every day to help protect our banking records, health data, and personal information. Creating a strong password is our first line of defense against cyber-attacks. The National Institute of Standards and Technology (NIST) has adapted to many changes since its start in 1901. This government agency exists to help ensure compliance with standards surrounding technology use. NIST is responsible for updating the policy for password creation. The policy is only a requirement for government agencies, but corporations and individual users should pay attention to the guidelines to protect themselves against increasing online threats.
The old way of creating passwords required a minimum of eight characters, one number, and at least one special character. With cybercrime projected to more than double this year, the old way of creating passwords is not robust enough to protect us from cybercriminals.
New NIST Recommendations
The National Institute of Standards and Technology has released new guidelines for "safe" passwords. Below are their most important suggestions:
- Use multi-factor authentication (MFA) with a smartphone app or a text message sent to a smartphone. Device recognition can reduce the number of times MFA is required. Biometrics can also be used as one of the factors. NIST also recommends that alternative methods be available, so that a user is not locked out after losing their phone.
- Allow, but do not require, all special characters in passwords, including spaces. Allowing spaces encourages the use of passphrases, which are more secure and easier to remember. NIST no longer requires complexity rules, which can make passwords impossible to remember.
- Eliminate traditional "security questions." These were an added layer of security before the rise of social media. Your mother's maiden name, your first pet, and the street you grew up on are all easy for an attacker to find today. NIST now recommends getting rid of them altogether. (A password plus a security question is not multi-factor authentication.)
- Compare passwords (now called memorized secrets) against passwords that have appeared in previous breaches, dictionary words, repetitive or sequential characters, the user's own username, and similar values, and reject any candidate that matches.
- Eliminate mandatory, periodic password changes. In 2016, the FTC began questioning this practice. When people have to come up with a new password every three months, they tend to make only tiny changes, which somebody who has the old password can easily guess. Furthermore, because people tend to make the same kinds of changes, attackers are more likely to keep targeting systems where they know passwords are changed frequently. Instead, passwords should only be changed if they are compromised.
- Use approved encryption for login systems and password storage.
- Require training on password and passphrase strength.
- Allow copying and pasting into the password field to encourage the use of password managers.
- Allow passwords of at least 64 characters to support and encourage passphrases.
- Limit failed login attempts, including attempts that use biometrics. This helps blunt automated password-guessing attacks.
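The screening step described above (comparing a candidate memorized secret against breached passwords, dictionary words, repetitive or sequential characters, and the username) together with the length and special-character rules from the list, as an added example that is not part of the original post or of any NIST publication; the breach list and dictionary are tiny constructed stand-ins for real corpora:

```python
import re
import unicodedata
from typing import Tuple

# Constructed sample data standing in for a real breach corpus and word list.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"sunshine", "dragon", "football", "welcome"}

MIN_LEN = 8    # minimum length for a user-chosen secret
MAX_LEN = 64   # a verifier must accept at least this many characters

def _is_sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending or descending
    code points (abcd, 4321, zyxw); case is ignored."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def _is_repetitive(s: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None

def check_memorized_secret(secret: str, username: str) -> Tuple[bool, str]:
    """Screen a candidate password and return (accepted, reason).
    Every printable character, spaces included, is allowed; the value is
    Unicode-normalized (NFKC) so equivalent spellings compare equal, and it
    is rejected rather than silently truncated when over MAX_LEN."""
    s = unicodedata.normalize("NFKC", secret)
    if len(s) < MIN_LEN:
        return False, "too short"
    if len(s) > MAX_LEN:
        return False, "too long"
    low = s.lower()
    if low in BREACHED:
        return False, "found in breach corpus"
    if low in DICTIONARY:
        return False, "dictionary word"
    if username and username.lower() in low:
        return False, "contains username"
    if _is_repetitive(s):
        return False, "repetitive characters"
    if _is_sequential(s):
        return False, "sequential characters"
    return True, "ok"
```

In a real deployment the breach check would query a full corpus such as a locally stored breached-password list rather than the in-memory set used here.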
If you need help setting up a more secure system for your networks, or advice on any other aspect of cybersecurity, contact Total Computer Solutions. Or download our ebook "Everything You Need To Know About Network Security."