The lock on your front door isn’t going to keep intruders out unless you make a habit of using it. The same is true for the digital locks on your data and IT systems. Strong passwords continue to provide a solid defense against hackers, but password management guidelines within the NIST Cyber Security Framework have changed.
Because traditional password management policies produced unforeseen bad habits that compromised security, the updated NIST guidelines are designed to make passwords easier for users to remember and harder for hackers to crack.
NIST, the National Institute of Standards and Technology, initially created the Cyber Security Framework in 2014 for all US federal agencies to follow in order to protect critical infrastructure. While it is not a law, companies that are part of the government supply chain are now being required to verify their security practices through adoption of the Framework.
Whether or not you’re required to follow the NIST Framework, it’s a good idea to consider adopting these guidelines that will make password management easier for your employees to remember and use, and thus make your data more secure.
NIST Password Guidelines Updated in 2019
NIST updated its password guidelines because it recognized that the behavior that actually resulted from trying to follow traditional password management practices was less secure, not more. For example, in order to meet requirements for password complexity, people were doing things like putting their passwords on sticky notes on their computers. Another bad habit that has become commonplace is reusing old passwords.
What’s Changed in the NIST Password Guidelines
Complexity Isn’t as Important
Not making passwords complex doesn’t mean making them easy. The new NIST password best practices don’t require the use of upper case and lower case letters, numbers, and special symbols. They do require that passwords are made up of a mix of characters and that they aren’t dictionary words or common letter substitutions (such as $ for S and @ for the letter a) that automated hacking software can easily undo.
Length is More Important
NIST guidelines recommend that passwords be a minimum of 8 characters, but they encourage longer passwords. Brute force attacks that try to guess every combination of characters in a password are more successful with shorter passwords than with longer passwords.
Changing Passwords Every 90 Days Optional
Another big change in the NIST password guidelines is removing the requirement to change passwords every 90 days. Now, password changes should be initiated when a breach is suspected, but some security experts, including the Accent team, still consider 90-day password changes an important practice for keeping accounts safe from intruders.
Memorable Passphrases Recommended
Passphrases that can be easily remembered are now recognized as being the best way to help your employees keep the doors to your data closed to intruders. Passphrases should be long, but shouldn’t contain personal information or obvious uses of letters and numbers in sequences or words. The best phrases contain uncommon words and can even include words in different languages.
A sentence passphrase is easy to remember but will be difficult for hackers to break if you create a rule to go with it. A rule might be to use only the first two letters of each word, or to drop the last letter of each word. Punctuation also adds some complexity to the passphrase while keeping it easy to remember.
Example Passphrase
Here’s an example of a strong passphrase: coyDANwhiMASpotSITcol?
This passphrase comes from the nonsense sentence: Coyotes Dance While Mashed Potatoes Sit Cold
Two rules are applied:
1) Use only the first three letters of each word
2) Use all caps for every other word starting with the second word.
Punctuation is added at the end. You could also add a space or two to make the passphrase a little bit longer.
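As an added illustration (not code from the original article or from Accent), the script below applies the two rules above to the sentence and also shows the kind of check an account-creation form could run against the guidelines described in this post: a minimum length, a blocklist of dictionary words, and detection of the $-for-S and @-for-a style substitutions. The blocklist and substitution table are small constructed samples; a real deployment would load a full compromised-password list.

```python
import re

# Constructed sample blocklist standing in for the full dictionary /
# breached-password list a real verifier would load.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "coyotes"}

# Constructed table of substitutions that cracking tools undo automatically
# (the article's $ for S and @ for a, plus a few other well-known ones).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

MIN_LENGTH = 8  # the minimum the article quotes from the NIST guidelines


def derive_passphrase(sentence, keep=3, punctuation="?"):
    """Apply the article's two rules: keep the first `keep` letters of each word,
    upper-case every other word starting with the second one, then append punctuation."""
    parts = []
    for index, word in enumerate(sentence.split()):
        fragment = word[:keep]
        parts.append(fragment.upper() if index % 2 == 1 else fragment.lower())
    return "".join(parts) + punctuation


def normalize(candidate):
    """Undo the cheap substitutions and drop non-letters, so 'P@$$w0rd'
    is compared with the blocklist as 'password'."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(SUBSTITUTIONS))


def check_password(candidate):
    """Return the reasons a candidate fails the guidelines described above.
    An empty list means the candidate is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(candidate) in COMMON_WORDS:
        problems.append("dictionary word or common substitution of one")
    # Obvious keyboard or counting sequences, as the passphrase advice warns against.
    if re.search(r"(?:1234|2345|3456|4567|5678|6789|abcd|bcde|cdef|qwer)", candidate.lower()):
        problems.append("contains an obvious sequence")
    return problems


if __name__ == "__main__":
    phrase = derive_passphrase("Coyotes Dance While Mashed Potatoes Sit Cold")
    print(phrase, check_password(phrase))       # coyDANwhiMASpotSITcol? []
    print("P@$$w0rd", check_password("P@$$w0rd"))
```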
Don’t Rely on Passwords Alone
Combining password best practices with multi-factor authentication is an even better way to keep your data and systems safe from hackers. Multi-factor authentication requires that the user be identified not just with their password, but with another step in the process to determine – or authenticate – that they are who they say they are.
Not Confident With How Your IT Team is Handling Security?
The level of expertise and knowledge that you need to keep your company safe from cyber criminals may very well be beyond the capability of your IT team. Contact us at 800-481-4369 to explore how outsourced security services can help you become confident in how you’re managing cyber risk.
Sign up for our NIST Cyber Security Compliance Webinar to learn more from Corey Kaufman, Director of Client Development at Accent.