
Password best practices are changing, and in a good way. Gone are the requirements for hard-to-remember groups of characters and the frustration of having to change passwords frequently. Here’s how your business can elevate security by implementing these updated password best practices.
These best practices come from the National Institute of Standards and Technology (NIST). NIST guidelines, while primarily intended for the government, also lead the way for best practices in the private sector. In cybersecurity, NIST guidance on everything from frameworks to password practices is based in research that applies to organizations across industries.
In short, NIST research has confirmed a couple of situations that may sound familiar. Overly complex passwords are hard to remember, so our tendency is to avoid creating them (or to write them down). Also, when we’re asked to change a password every 60 days, we often create a new password with only basic tweaks (for example, changing “Passw0rd1” to “Passw0rd2”). Those minor changes are not only annoying – they don’t improve security, because anyone who has the old password can guess the new one in a handful of tries.
Updated Password Best Practices
Here’s a summary of the key updates to help you create more secure passwords.
Create Longer Passphrases Instead of Random Character Groupings
Using passphrases that make sense to you (rather than random character groupings) isn’t new. What is new is the recommendation that the longer the phrase, the better. The guidelines require a minimum of 8 characters, recommend at least 15 where the password is the only factor protecting the account, and say systems should accept passphrases of at least 64 characters so that long phrases are never cut off or rejected.
Think about passphrases that are easy for you to remember. Continue to avoid using the names of family members, street addresses, or other personal identifiers that could easily be found on Facebook, LinkedIn, or other online sources. Throw in a special character, like an exclamation mark, if it helps you remember the phrase; the guidelines no longer require one.
For example, “IliketoeatCandy!” is far easier to remember than the completely random “rt5%i(**@dP”, and at 16 characters it is long enough that guessing it outright is impractical. The random string is strong on paper, but it is exactly the kind of password people end up writing down or reusing.
Don’t Update Your Password, Unless …
NIST no longer recommends forcing password resets every 60 or 90 days. In fact, it discourages forcing periodic password resets UNLESS there is evidence that the account or the password has been breached or compromised. In that case, you obviously would need to change your password immediately.
Also, remember the cardinal rule of passwords – always use a different password for every online account, no exceptions. Attackers routinely try passwords leaked from one site against every other site (credential stuffing), so a reused password turns one breach into many.
Remove Random Complexity Rules
Organizations should no longer force users to include a mix of upper and lower case, numbers, or special characters. As we noted, if you like to use them and they’re easy for you to remember, keep doing it, but if you don’t, that’s ok too. Length does more for security than a forced mix of character types, which mostly produces predictable patterns like a capital first letter, a digit at the end, and an exclamation mark.
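To make the length-first guidance above concrete, here is a small password-acceptance check written for this post as an added illustration; it is not code from NIST or from CRU Solutions. It enforces the lengths discussed under “Create Longer Passphrases” (8 minimum, 15 recommended, 64 accepted), drops the old composition rules discussed here, and puts a legacy “upper + lower + digit + symbol” check beside it so you can see the two disagree. It also screens against a blocklist of common passwords, which NIST SP 800-63B requires even though this post does not cover it; the blocklist, the sample passwords and the function names are constructed for the example.

```python
import unicodedata

# Length bounds from the guidance above (NIST SP 800-63B plus the 15-character recommendation).
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 15
MAX_LENGTH = 64

# Constructed, tiny blocklist for this example only. A real deployment would load a list of
# breached and commonly used passwords (NIST SP 800-63B requires screening against one).
BLOCKLIST = {"password", "passw0rd", "passw0rd!", "123456", "qwerty", "letmein", "iloveyou"}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so equivalent inputs compare and count the same way (800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", password)


def legacy_complexity_ok(password: str) -> bool:
    """The old-style rule this post says to drop: upper + lower + digit + symbol all required."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def evaluate(password: str, blocklist=BLOCKLIST) -> dict:
    """Length-first policy: no composition rules, spaces and non-ASCII allowed, blocklist screened."""
    pw = normalize(password)
    length = len(pw)  # counts code points, so a space or an accented letter is one character
    if length < MIN_LENGTH:
        return {"ok": False, "reason": f"shorter than {MIN_LENGTH} characters"}
    if length > MAX_LENGTH:
        return {"ok": False, "reason": f"longer than {MAX_LENGTH} characters"}
    if pw.casefold() in blocklist:
        return {"ok": False, "reason": "on the common/breached password blocklist"}
    return {
        "ok": True,
        "reason": "accepted",
        "meets_recommended_length": length >= RECOMMENDED_LENGTH,
    }


if __name__ == "__main__":
    # Constructed samples: the post's own examples plus a lower-case passphrase with spaces.
    samples = ["IliketoeatCandy!", "rt5%i(**@dP", "Passw0rd!", "correct horse battery staple", "short"]
    for s in samples:
        print(f"{s!r:32} legacy={legacy_complexity_ok(s)!s:5} updated={evaluate(s)}")
```

Running it shows the point of the change: the post’s own passphrase “IliketoeatCandy!” and the 28-character “correct horse battery staple” both fail the legacy complexity rule (no digit) yet pass the updated check with room to spare, while “Passw0rd!” satisfies every legacy composition rule and is rejected only because it sits on the blocklist.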
Keep Using Multi-Factor Authentication
Another reason these password guidelines make sense is the widespread adoption of multi-factor authentication. MFA is one of the most effective security layers beyond a password: even if a password is guessed, phished, or leaked in a breach, the attacker still cannot sign in without the second factor.
Add a Password Manager
The average person could have upwards of 200 passwords between personal and work accounts. Even if they’re passphrases, remembering them would require a super-human memory (since we’re not supposed to write them down, especially at the office).
A password manager is the answer. You only need to remember one Master Password to access all your passwords.
Using a password manager also helps protect you from phishing and look-alike sites: because each saved password is tied to the site’s real address, the manager won’t offer to fill it in on a mistyped or impostor domain. It also lets you reach your passwords from another device if your primary machine is unavailable, and share credentials securely with other password manager users instead of emailing them.
Your organization can also assign a former employee’s password vault to someone else or access an individual user’s vault in case of an emergency or resignation.
Be Aware of Compliance Requirements
Different compliance frameworks may have slightly different requirements for passwords. For example, while NIST requires a minimum of 8 characters and 15 is considered best practice, PCI DSS version 4.0 requires a minimum of 12 characters (or 8 where a system cannot support 12). When requirements overlap, meet the strictest one that applies to your organization.
Where to Start
Review your password policies with your IT team. They can make the technical changes that may be needed in your network to allow for longer passwords and remove random complexity rules. Add multi-factor authentication as a necessary security layer for all applications. Consider adding a password manager to make creating and using longer passwords easier.
If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.