Lock It Down. Password Essentials.


Passwords. Ugh! Everyone hates them. All the rules!
Change your password.
Minimum Length
Complexity.
Don’t reuse.
Each Unique.
Remember them all!

The National Institute of Standards and Technology (NIST) sets the password guidance that most frameworks and auditors point to. NIST has recently revised those guidelines, and the headline change is a preference for longer passwords over enforced combinations of upper case, lower case, numbers and special characters. The reasoning is that composition rules do not buy the strength they appear to: users satisfy them with predictable patterns (a capital first letter, a trailing digit, "@" for "a"), and attackers build those patterns into their cracking rules, so the resulting password can be weaker than a longer, freely chosen one. The practical way around this is to let a password generator produce each password and store every unique one in a password manager.

NIST is also no longer recommending periodic password resets or expiration. The reasoning is that forced changes cause users to forget passwords and respond by choosing weaker ones, or by making small, predictable changes to the old one. A password change should be forced only when there is evidence that the password has been compromised.

NIST's text uses the phrases "should", "should not", "shall" and "shall not" with precise meanings: "shall" and "shall not" state a requirement, while "should" and "should not" state a recommendation that may be departed from with justification. That choice of words is what separates the advice that is mandatory for conformance from the advice that is merely encouraged.

Here's a snapshot of the NIST password guidelines:

  • Length should be a minimum of 15 characters, with 8 characters as the hard minimum, and at least 64 characters should be allowed.
  • Complexity (composition) rules shall not be imposed.
  • All printing ASCII characters, the space character and Unicode characters should be accepted, with each Unicode code point counted as one character.
  • Hints and security questions shall not be used for authentication.
  • New and changed passwords shall be checked against a blocklist of known bad passwords (commonly used, expected or previously breached values).
  • Periodic expiration is not required; a change is forced only on evidence of compromise.
  • MFA options include time-based one-time passwords (TOTP), biometrics and hardware tokens. SMS and voice delivery over the phone network is classed as restricted.
  • Password managers are encouraged, including allowing paste into password fields.
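To make the snapshot above concrete, here is an added example (written for this page, not code from NIST) of what a verifier's acceptance check looks like under the NIST rules, beside the legacy complexity rule it replaces, plus a generator of the kind a password manager uses. The length limits come from SP 800-63B; the blocklist is a constructed handful of entries standing in for a real breached-password corpus; the NFKC normalization step, the rejection of control characters, the case-insensitive blocklist match and the 128-character cap are the author's design choices for this example.

```python
"""NIST-style password acceptance check versus a legacy complexity rule."""
import math
import secrets
import string
import unicodedata

# Constructed blocklist for this example only. A real deployment loads a
# large corpus of breached and commonly used passwords instead.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "qwerty123",
    "letmein", "welcome1", "iloveyou", "admin123",
}

MIN_LEN = 15        # SP 800-63B: SHOULD require at least 15 characters
ABSOLUTE_MIN = 8    # SP 800-63B: SHALL require at least 8 characters
MAX_LEN = 128       # example choice; NIST says permit at least 64

# Alphabet for the generator: the 94 printing ASCII characters, no space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def legacy_complexity_ok(pw: str) -> bool:
    """The old rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalize(pw: str) -> str:
    """Apply NFKC so visually identical Unicode input compares and hashes
    the same way (NIST suggests NFKC or NFKD before processing)."""
    return unicodedata.normalize("NFKC", pw)


def nist_check(pw: str, blocklist=BLOCKLIST, min_len: int = MIN_LEN):
    """Return (accepted, reason). Length is counted in Unicode code points,
    no composition rules are applied, and the only content rule is the
    blocklist comparison."""
    pw = normalize(pw)
    # Example choice: reject control characters (category Cc). Spaces,
    # punctuation, accented letters and emoji are all allowed.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "control_character"
    n = len(pw)  # code points, not bytes
    if n < min_len:
        return False, "too_short"
    if n > MAX_LEN:
        return False, "too_long"
    # Example choice: case-insensitive match against a lowercase blocklist.
    if pw.casefold() in blocklist:
        return False, "blocklisted"
    return True, "ok"


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Random password from a CSPRNG, as a password manager would produce."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    samples = ["P@ssw0rd1!", "correct horse battery staple",
               "\ufb01sh and chips for tea"]
    for pw in samples:
        print(f"{pw!r:40} legacy={legacy_complexity_ok(pw)!s:5} "
              f"nist={nist_check(pw)}")
    gen = generate_password()
    print(f"generated {gen!r}: nist={nist_check(gen)}, "
          f"{entropy_bits(len(gen)):.1f} bits")
```

Run as a script it shows the contrast the guidelines are about: "P@ssw0rd1!" satisfies the legacy rule yet is too short for NIST and, at the 8-character floor, is caught by the blocklist, while a 28-character all-lowercase passphrase fails the legacy rule and passes the NIST check. The ligature in the third sample is expanded by NFKC before anything else happens, so its length and blocklist comparison are done on the same form that would be hashed.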

The NIST guidelines make sense and lead to a more secure environment. Passwords matter: they are the first layer protecting your online assets, and adding MFA, which NIST recommends, adds a second layer that a stolen password alone cannot get past. There is plenty of guidance on implementing a password policy in your organization. Consider who your users are, what they have access to and how your network is protected.

Resources:
NIST Digital Identity Guidelines (SP 800-63B, Authentication and Lifecycle Management)