In 2003, the National Institute of Standards and Technology (NIST) stated that strong passwords should consist of upper- and lowercase letters, numbers, and symbols. Recently, however, the institute reversed its stance. Find out why and learn what their new recommendations are for creating strong passwords.
The issue isn’t that the NIST advised people to create easy-to-crack passwords, but their previous advice inadvertently made people create weak passwords using predictable capitalization, special characters, and numbers, like “P@ssW0rd1.”
Such a password may seem secure, but the strings of characters and numbers could easily be compromised by hackers using common algorithms.
What’s more, the NIST also recommended that people change their passwords regularly, but did not specify how and when to change them. Since many people thought their passwords were already secure because they’ve included special characters in them, most only added or changed one character.
The NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for a hacker’s algorithm to crack.
Eventually, the institution admitted that this can cause more problems than solutions. It has reversed its stance on organizational password management requirements, and is now recommending banishing forced periodic password changes and getting rid of complexity requirements.
Security consultant Frank Abagnale and Chief Hacking Officer for KnowBe4 Kevin Mitnick both see a future without passwords. Both security experts advise enterprises to implement multifactor authentication in login policies.
This requires a user to present two valid credentials aside from a password to gain access to an account. This could be a code sent to the account owner’s smartphone, a login prompt on a mobile device, or a facial or a fingerprint scan. This way, hackers’ login efforts are futile unless they fulfill the succeeding security requirements.
Moreover, Mitnick recommended implementing long passphrases of 25 characters or more, such as “recedemarmaladecrockplacate” or “cavalryfigurineunderdoneexalted.” These are much more difficult to guess and less prone to hacking. As for the frequency of changing passphrases, it will depend on a company’s risk tolerance.
Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to crack.
You should also enforce the following security solutions within your company:
- Single sign-on – allows users to securely access multiple accounts with one set of credentials
- Account monitoring tools – recognizes suspicious activity and locks out hackers
What we can do to help
Today's world of ever changing technology and standards requires businesses stay on top of their security weaknesses. Passwords are the first line of defense for companies to ensure the keys to their digital kingdoms are not handed out to bad actors. Luckily we have you covered! Beringer Technology Group can work with you to develop a plan that will ensure both high level password security as well as ease of use for staff.
If you want managed 24/7 cybersecurity assistance that provides enterprise grade security that can be deployed across any organization then reach out to Beringer Technology Group today and ask about our Cyber Security Risk Assessment Solution.
Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.