Passwords are probably the most important part of keeping business accounts secure. That’s why it is so important to follow industry best practices when creating them. But most employees let information security slack around their passwords, using oversimplified or easy to guess sequences and reusing them across platforms. Today, we’ll take a look at some password best practices and standards outlined by the National Institute of Standards and Technology (NIST). Use these to create the best and most secure passwords.
What Is NIST?
For years, NIST has been the predominant organization in the establishment of password creation standards. They continuously change their advised practices to meet the current cybersecurity demands. They recently updated their guidelines so we thought we would go over what strategies they suggest, to give you an idea of what makes a secure password.
Many corporations are currently using the NIST guidelines and all Federal Agencies are expected to utilize them. Let’s go through their newest password guidelines step by step.
Password Best Practices
#1 – Longer Passwords are Better than More Complicated Ones
For the first in the password best practices, it used to be preached that the more complicated the password, the more secure the account. Today’s guidelines refute that notion. NIST suggests that the longer the password, the harder it is to decrypt. What’s more, they suggest that organizations that require new passwords meet a certain criteria of complexity (letters, symbols, changes of case) may actually make passwords less secure.
The reasoning behind this is two-fold. First, most users, in an attempt to complicate their passwords will either make them too complicated (and forget them) or they will take the cursory step of adding a one or an exclamation point to the end of a password, which doesn’t complicate the password much. Secondly, the more complex a user makes a password, the more apt they are to use the same password for multiple accounts, which of course, is not a great idea. Believe it or not, most employees use the same password up to 14 times across other business accounts!
#2 – Get Rid of the Resets
Many Florida organizations like to have their staff reset their password every month or few months. This strategy is designed to give them the peace of mind that if a password were hacked or compromised, the replacement password would lock unauthorized users out after a defined set of time. What NIST suggests is that it actually works against your authentication security.
The reason for this is that if people have to set passwords up every few weeks or months, they will take less care in creating a password that will work to keep unwanted people out of the business’s network. Moreover, when people do change their passwords, they typically keep a pattern to help them remember them. If a previous password has been compromised, there is a pretty good chance that the next password will be similar, giving the attacker a solid chance of guessing it quickly.
#3 – Don’t Hurt Security by Eliminating Ease of Use
One fallacy many network administrators have is that if they remove ease of use options like showing a password while a user types it or allowing for copy and pasting in the password box that it is more likely that the password will be compromised. In fact, the opposite is true. Giving people options that make it easier for them to properly authenticate works to keep unauthorized users out of an account.
#4 – Stop Using Password Hints
One popular way systems were set up was to allow them to answer questions to get into an account. This very system is a reason why many organizations have been infiltrated. People share more today than ever before and if all a hacker needs to do is know a little personal information about a person to gain access to an account, they can come across that information online.
#5 – Limit Password Attempts
If you lock users out after numerous attempts of entering the wrong credentials, you are doing yourself a service. Most times people will remember a password, and if they don’t they typically have it stored somewhere. Locking users out of an account, at least for a short period of time is a good deterrent from hackers that use substitution codes to try and guess a user’s credentials.
#6 – Use Multi-factor Authentication
At COMPANYNAME, we urge our clients to use multi-factor or two-factor authentication on every account that allows them to. According to NIST, they want users to be able to demonstrate at least two of three authentication measures before a successful login. They are:
- “Something you know” (like a password)
- “Something you have” (like a mobile device)
- “Something you are” (like a face or a fingerprint)
It stands to reason that if you can provide two out of three of those criteria, you should get access to the system or data that is password protected.
Security has to be a priority for your business, and password creation has to be right up there with the skills everyone should have. Does your Kansas City or Tampa business need help to manage your password security? If you would like to talk to one of our IT experts about some password best practices or management and how we can help your business improve its authentication security, give Symmetric IT Group a call today at PHONENUMBER.