Complex Passwords are not the most secure passwords

The National Institute of Standards and Technology (NIST) once said that a good password consisted of three things: upper- and lowercase letters, numbers, and symbols. However, the NIST has now reversed its stance on good passwords. Here’s why and what they are now recommending.

The problem

The issue isn’t that the NIST advised people to create easy-to-crack passwords, but their previous advice inadvertently made people generate weak passwords using predictable capitalization, special characters, and numbers, like “P@ssW0rd1.”

Such a password may seem secure, but the string of characters it’s made up of could easily be compromised by hackers using common algorithms.

Furthermore, while the NIST also recommended that people change their passwords regularly, they did not specify how and when to change them. Without proper guidance, many people assumed that this meant adding or changing one or two characters every year or so.
The NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for a hacker’s algorithm to crack.

Eventually, the institution admitted that their recommendation creates more problems than it solves. The NIST has then reversed its stance on organizational password management requirements, and is recommending banishing forced periodic password changes and getting rid of complexity requirements.

In my experience as an IT manager, I ran into the same problems.  I found it common for users to create a password so complex, that they would write it on a sticky note.  They would also use it for many different sites, essentially…

The solution

Security consultant Frank Abagnale and Chief Hacking Officer for KnowBe4 Kevin Mitnick both see a future without passwords. Both security experts advise enterprises to implement multifactor authentication (MFA) in login policies.

MFA requires a user to enter one or more valid credentials aside from a password to gain access to an account. This could be a physical security key, a login prompt on a mobile device, or a facial or a fingerprint scan. With these additional security requirements, hackers’ attempts to crack passwords would be futile.

Moreover, Mitnick recommended implementing long passphrases of 25 characters or more, such as “recedemarmaladecrockplacate” or “cavalryfigurineunderdoneexalted.” These are much more difficult to guess and less prone to hacking. Simply put, passwords should be longer and include nonsensical phrases and words that make them almost impossible for an automated system to crack.

What’s more, the NIST recommends making screening of new passwords against lists of common or compromised passwords mandatory. This is because a complex, 25-character password is already considered weak the moment it has been compromised.

Beringer provides security services that ensure complete end-to-end protection.  Here’s what we do:

• We identify vulnerabilities via comprehensive risk assessments
• We keep you updated on high impact IT threats
• We design a strategy that addresses your vulnerabilities
• We provide routine security audits to help you achieve compliance
• We routinely monitor and maintain security solutions to ensure your systems are fully secure
• We develop a strategic approach to data access and management

Contact Beringer Today!

If you concerned about the quality of your passwords and your overall network security, then reach out to Beringer Technology Group today. We can also help evaluate your current cybersecurity posture with our our Cyber Security Risk Assessment Solution, and implement the right security solutions for your organization.

Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training,  Unified Communication Solutions, and Cybersecurity Risk Assessment.