Utilize these new recommendations for password security.
Having strong cybersecurity guidelines at your organization might seem like a daunting task. However, you can easily start protecting your company’s valuable data by implementing some simple password guidelines provided by the National Institute of Standards and Technology (NIST).
If you are new to password security management, consider starting with our password checklist. However, companies at any cybersecurity maturity level will benefit from implementing these updated guidelines our experts feel would be most beneficial to organizations like yours.
Current Recommended Password Guidelines
- Increase password length. You’re probably used to seeing a password requirement of 8 or more characters. This is because longer passwords are statistically more secure (i.e., less likely to be hacked) than shorter ones. Stick with a minimum of 8 characters for user-generated passwords and 64 characters maximum for user-generated passwords.
- NIST Note: Computer-generated passwords can have a minimum of 6 characters since they contain a randomization that often isn’t utilized when a password is user-generated.
- Utilize special characters and spaces. Going beyond alpha-numeric passwords provides additional strength to your password – the more character options available to you, the harder the password is for a hacker to compromise. Special characters now can include emojis and spaces.
- NIST Note: Try to avoid using sequential (abcd) or repeating (2222) characters as well as dictionary words.
- Reduce password complexity. A new recommendation is to limit the need to include upper case letters, symbols, and numbers. This is meant to help employees manage their passwords more easily.
- NIST Note: While a level of complexity can help, it’s not always the best addition to a strong password security plan. Determine what combination of requirements works best for your organization and your employees.
- Allow users to paste text. Permitting copy/paste functionality allows users to opt for password managers (apps that store and manage online credentials), which is shown to increase password security. Often times, users will default to words or phrases they’re familiar with and even rely on the same password for many different accounts, which severely compromises overall security. The copy/paste capability makes it easier to avoid memorable words and phrases, instead allowing for more complex passwords that can be pulled from a secure app.
- NIST Note: Be sure your passwords are stored with encryption included. This means even if a hacker manages to steal your password, they’re unable to read it.
- Prohibit password hints. While this feature has been helpful for users juggling many different passwords, it actually helps deteriorate password security. Your password hints likely make it very easy to determine your password, thus defeating the purpose of a password altogether.
- NIST Note: In addition to removing password hint capabilities, preventing use of knowledge-based authentication (KBA) questions (e.g., “What was the name of your elementary school?”) also is recommended as these answers can be found easily online.
- Advise IT to remove periodic password change requirements. While this previously was an important aspect of password management, recent studies have shown that having to change your password multiple times throughout the year actually leads to less secure passwords, and therefore more vulnerability to being hacked.
- NIST Note: While the frequent password changes requirement was an industry standard for many years, many employees likely will welcome the change, so don’t be afraid to implement it.
- Check new passwords against commonly used or compromised passwords. Your IT team can help determine if your password falls into this category and can help advise how to improve it.
- NIST Note: IT teams can utilize software to screen passwords in this way. Research and select the one that best suits your organization.
Our experts also suggest utilizing multi-factor authentication (MFA), which significantly decreases the chance of an attacker being able to “brute force” your account or compromise your credentials.