The National Institute of Standards and Technology (NIST) has had to adapt to many changes since its inception in 1901. This government organization exists to help ensure compliance and standards surrounding technological use. When it was created, for example, it helped the United States manage electrical power grid use. Today, NIST has much more sophisticated technology to manage, and the organization recently released updated guidelines for password creation.
While the policy is only a requirement for government agencies, corporations and even individual users should pay attention to these changes as they provide safeguards against increasing online threats. So much of our lives is handled online. Banking records, health data, and identifying personal information are all readily available if someone can hack into one of our many interconnected online networks.
Creating a secure password is one of the first lines of defense against cyber attacks, and NIST provides important guidance on what a secure password looks like in today's world.
Why the Changes?
NIST's updated guidelines might come as a surprise to anyone who has been following online security reporting for a while. We have been trained to think that more complex passwords are harder to crack, so we have been told to include at least one capitalized letter, one number, and one symbol. We have also gotten into the habit of requiring people to update their passwords at regular intervals. Both of these measures, however, have been found to cause more problems than they solve.
First of all, people need to be able to remember their passwords. If they cannot remember them, they will end up using the same password across multiple accounts to ease the cognitive burden of trying to keep access to everything. If your bank account, social media profile, email, and favorite recipe site all have the same password, a data breach at one site equates to a data breach across all of your information.
Users get frustrated by complex requirements that make their passwords too hard to remember, and they respond in predictable ways. They will simply add a 1 or a ! to the end of their existing password. When they are required to make a periodic change, they will capitalize a different letter or add a new number. These predictable changes make it easier for people to remember their passwords, but they also make it easier for an attacker to guess the new password.
In short, any habit that makes cracking "the code" easier on the user also makes it easier on the hackers we are trying to keep out. So what can we do instead?
The new guidelines share some common characteristics. All of them aim to make passwords easier for the user to work with, which in turn allows the passwords themselves to become longer and more complex without jeopardizing security. Here is a summary of the new guidelines.
- Stop Automatically Resetting Passwords: Agencies and companies require mandatory resets as a security measure, but the frustration this causes users results in predictable passwords that change only by tiny additions. This makes them more vulnerable to attack.
- Add "Show Password" Functionality: Users pick short passwords because they are afraid of making typos when they register. Allowing them to see the entire password they typed encourages them to choose longer, more complex options with confidence.
- Allow Users to Paste: Many users store their long, complex, and unique passwords in password managers. Allowing them to paste these into the password box encourages users to create a distinct password for each account, since they will not have to remember each one.
- Create a "Blacklist": Some passwords are simply too common. Do not allow users to create passwords with easy-to-guess patterns or words derived from their username.
- Stop Using Personal Security Questions: Attackers know that personal questions are used to bypass password protections, and many social media "games" are designed to help them collect exactly this information. Don't allow users to log in using their grandma's maiden name or their high school mascot.
- Multi-Factor Authentication is Key: A single password is not safe enough, but multi-factor authentication (like sending a passcode to a user's cell phone or requiring a thumbprint) helps ensure that a leaked password alone does not lead to a breach.
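To make the blacklist and "predictable change" points concrete, here is an added example of a server-side password check written in the spirit of these guidelines. It is not code from the original post or from NIST; the blocklist entries, the length bounds (8 minimum, 64 accepted) and the leet-substitution table are assumptions chosen for illustration. It canonicalizes a candidate password before comparing it against a blocklist, so that the "add a 1 or a !" and "P@ssw0rd" habits described above are caught, rejects passwords containing the username or service name, and rejects repeated or sequential runs. Note what it deliberately leaves out: there is no uppercase/number/symbol composition rule and no expiry date.

```python
import re
import unicodedata

# Constructed sample blocklist. A real deployment would load a large list of
# commonly used or breached passwords; these few entries only illustrate the check.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "monkey", "dragon", "football",
}

# Assumed length bounds: require at least 8 characters, accept at least 64.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Heuristic substitutions people use to satisfy old composition rules.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def normalize(password: str) -> str:
    """Canonical form used for blocklist and context checks: Unicode NFKC,
    lower-case, drop trailing digits/symbols ("Password1!" -> "password"),
    then undo common leet substitutions ("P@ssw0rd" -> "password")."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\W\d_]+$", "", p)
    return p.translate(_LEET)


def has_run(password: str, length: int = 4) -> bool:
    """True if `length` consecutive characters are all identical ("aaaa")
    or step by exactly one code point ("abcd", "4321")."""
    p = password.lower()
    for i in range(len(p) - length + 1):
        chunk = p[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str, service: str = "example",
                   blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent, following the guidelines above: no composition
    rules (upper/lower/digit/symbol) and no forced periodic reset.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")

    norm = normalize(password)
    if norm in blocklist:
        reasons.append("blocklisted")

    # Context-specific words: the username, the service name and a simple
    # derivative (the word reversed) must not appear in the password.
    for word in (username, service):
        w = word.lower()
        if len(w) >= 3 and (w in norm or w[::-1] in norm):
            reasons.append(f"contains {word!r}")

    if has_run(password):
        reasons.append("repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    samples = [("correct horse battery staple", "alice"), ("Password1!", "bob"),
               ("P@ssw0rd", "bob"), ("alice2024", "alice"), ("abcd1234xyz", "carol")]
    for pw, user in samples:
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```

The long passphrase passes with no composition rule at all, while "Password1!" and "P@ssw0rd" both collapse to "password" after normalization and are rejected by the same blocklist entry; that is the point of canonicalizing before comparing rather than listing every variant.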
Thinking about online security, especially if you are responsible for a lot of sensitive data, can be intimidating. If it is time to update your security procedures, you can count on the experts at Total Computer Solutions to provide you with up-to-date, secure assistance. If you would like more information on creating a password policy for your organization, contact Total Computer Solutions at 336.804.8449 or fill out a form here.