What are NIST password guidelines?
In the age of digital transformation where all technologies are perfectly connected and integrated to the Web, passwords are the first security layer to protect users from intrusions into personal accounts and corporate systems. However, people still don’t realize how important are these combinations of numbers and letters in cyber security and what could be the risks and dangers related to a shallow behavior.
Since 2014, the National Institute of Standards and Technology (NIST), a US federal agency, has published guidelines for the use of digital identities providing a safe behavior model for managing passwords and, thus, reducing cyber risks. Following NIST guidelines is an important action to take now, because attempts to compromise personal or corporate accounts by cracking passwords are increasing every year.
According to Cybernews, over more than 15 billion passwords the 10 most used ones still include the classic and easy-to-crack combination of “123456” and the like.
This happens because many people still create very simple and predictable combinations that are easy to remember, but this method is not secure and does not make a password unique; it is quite the opposite. In fact, nowadays, hackers know and use special softwares able to try all the most common and simple combinations of words and numbers, making it easy to violate an account in a short time by using other specific personal information such as the user’s name or date of birth. These cyber security assaults are called brute force or dictionary attacks. Data breach incidents can have severe consequences, like compromising security and damaging a company’s reputation and financial stability. Hence, passwords clearly represent the first and essential line of defense against cyber threats and still play a leading role in cybersecurity; complying to NIST password guidelines is key to strengthen the security infrastructure and protect sensitive data and information in the wild world of Internet.
How to best manage your passwords according to NIST
One of the most important elements of corporate IT security is a clear and correct password management. To help organizations reduce the risks associated with poor management, NIST provides a series of guidelines in its Cybersecurity Framework:
- Use of all characters: the combination of any type of characters, so special and alphanumeric characters together, is usually considered the best solution for password security by creating unique passwords hard to decode; simple combinations of characters are certainly easier to memorize, but this choice increases the likelihood of creating insecure and easy-to-crack passwords;
- Enter more characters: usually users are able to enter a maximum number of at least 64 characters in the websites registration form, although the minimum number required corresponds to only 8 characters; make sure to create passwords as long as possible for an improved effectiveness in terms of protection, but also easy to remember for you and hard to guess for potential cyber criminals;
- Copy and paste passwords: the operation of copying and pasting passwords instead of typing them manually every time, although many experts were usually skeptic on this method, it simplifies the use of password managers instead; in fact, nowadays many apps and programs store credentials securely and encrypted in a kind of virtual safe (called Vault), making it available to users when needed;
- Do not change passwords too often: experts highlighted that periodic password changes lead users to adopt rather predictable behaviors, since these changes are very often nothing more than little modifications to the existent password that don’t satisfy security levels, like just entering extra characters or even reduce the length;
- Use of uncommon passwords: NIST’s new approach involves constantly updating the so-called blacklist, which is basically a list of words that are not allowed anymore as user passwords due to their common use.
How can companies comply to NIST password guidelines?
To comply with NIST guidelines for password management, companies must adopt a series of measures and practices to ensure the right protection for sensitive information in their own systems. Some tips for proper password management are:
- Implement strong authentication methods, such as multi-factor authentication, to add multiple protection layers and improve the defense of digital identities;
- Regularly evaluate and update identity management processes to ensure they are effective, efficient and up-to-date with all the new rules and guidelines in terms of users safety on Internet;
Regularly train employees on identity management best practices, including password security and social engineering tactics; it’s also key to train employees and co-workers on the importance of business multi-factor authentication systems, like Namirial SafeAccess, the solution to increase corporate data protection with secure access for employees and users.