
Time to Say Goodbye to P@$$w0rds Like This?


Just in time for National Cybersecurity Awareness Month, the National Institute of Standards and Technology (NIST) has updated its password security guidelines in a way that brings some major changes to conventional wisdom on the topic. The changes appear in NIST Special Publication 800-63B, aimed at cloud services providers (CSPs). Some of the revisions will be requirements for CSPs while others are recommendations, but all are worth understanding for any organization. Here’s a look at the highlights.

That whole business of mixing upper- and lower-case letters, numbers and special characters? NIST says password length is more important, with longer passwords being both more secure and easier for users to remember. After all, it’s pretty predictable that your ‘a’ turns into ‘@’ and ‘s’ into a dollar sign.

NIST says passwords must have a minimum length of 8 characters (minimal indeed) and should be required to be 15 characters or more, but advises CSPs to allow passwords of up to 64 characters. And even though the mixing of character types is no longer considered a best practice, NIST recommends allowing all printable ASCII and Unicode characters, as well as spaces. We advise a password length of at least 15 characters and recommend the use of passphrases, where each password character represents the first letter of a word in an easy-to-remember phrase.
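To make the length-over-complexity guidance concrete, here is an added example of a password-acceptance check written for this post; it is not code from NIST or from Hill Tech Solutions. It applies the lengths quoted above (8 minimum, 15 recommended, 64 allowed), accepts spaces and any printable Unicode, enforces no character-mix rule, and undoes the predictable "@ for a, $ for s" substitutions so that a dressed-up dictionary word is recognised for what it is. The substitution map and the short list of common words are constructed placeholders for illustration.

```python
import unicodedata

# Length rules as summarized above: NIST minimum 8, recommended 15, allow up to 64.
NIST_MIN_LENGTH = 8
RECOMMENDED_MIN_LENGTH = 15
MAX_LENGTH = 64

# Hypothetical leet-substitution map, constructed for this example, that reverses
# the predictable swaps users make ('@' for 'a', '$' for 's', '0' for 'o', ...).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                          "3": "e", "!": "i", "5": "s", "7": "t"})

# Constructed placeholder list of common words; a real deployment would use a
# much larger list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}


def normalize_leet(password: str) -> str:
    """Undo predictable substitutions so 'P@$$w0rd' compares as 'password'."""
    return password.translate(LEET_MAP).lower()


def check_password(password: str) -> list:
    """Return a list of policy problems; an empty list means the password is acceptable.

    Length is counted in Unicode code points after NFKC normalization so that a
    passphrase with accented letters or spaces is measured consistently. There is
    deliberately no "must contain a digit and a symbol" rule.
    """
    problems = []
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)
    if length < NIST_MIN_LENGTH:
        problems.append(f"shorter than the NIST minimum of {NIST_MIN_LENGTH} characters")
    elif length < RECOMMENDED_MIN_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH}-character limit")
    # Spaces and all printable Unicode are fine; only control characters are refused.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        problems.append("contains control characters")
    if normalize_leet(normalized) in COMMON_WORDS:
        problems.append("is a predictable substitution of a common word")
    return problems


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "correct horse battery staple", "short", "a" * 65]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Running the block shows that "P@$$w0rd" fails twice (too short for the recommendation, and just "password" in disguise) while a plain four-word passphrase with spaces passes without needing a single symbol.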

In another major shift, NIST says CSPs should not require passwords to be changed periodically, except in cases where one has been compromised. When users are required to change passwords on a regular basis, those passwords tend to become weaker over time. However, NIST does say that users should be required to verify their full password at least once every 30 days.

You might not recognize the term “knowledge-based authentication” (KBA), but you have no doubt been asked to provide your mother’s maiden name or the name of your high school mascot as a security question in case you forget your password. No more, says NIST. These answers are too easy for hackers to obtain via social engineering.

Still on NIST’s thumbs-up list are two-factor and multi-factor authentication (2FA and MFA), which NIST says should be used “whenever possible.” NIST also suggests that CSPs employ hashing and salting of stored passwords (see our post on hashing and salting) because the computational power required to break these is likely to be time- and cost-prohibitive.
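The hashing-and-salting recommendation above, shown as an added example written for this post (not code from NIST or from Hill Tech Solutions). It uses Python's standard-library PBKDF2-HMAC with a fresh random salt per password and a deliberately high iteration count, so that each guess against a stolen record costs real computation; the algorithm, salt size, iteration count and record format are choices made for this example, not values taken from the guidance.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not from NIST's text):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per password, and an iteration
# count high enough that every guess is expensive for an attacker holding the hashes.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
DERIVED_KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is generated fresh per password, so two users with the same password
    get different records and a precomputed table cannot be reused across accounts.
    A caller may pass a salt explicitly only for testing or migration.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, DERIVED_KEY_BYTES
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record.

    The comparison is constant-time so that a mismatch does not leak how many
    leading bytes matched. Malformed records simply fail verification.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != f"pbkdf2_{HASH_NAME}" or rounds <= 0:
        return False
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, rounds, len(expected)
    )
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery stapler", record))
```

Because the iteration count and salt travel with each record, the verifier can raise the work factor for new passwords later without breaking existing accounts.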

While you may not have the ability to change your own organization’s password requirements, the NIST bulletin is well-informed advice about best practices that make life more difficult for hackers, and that’s the goal for @ll 0f u$.

Questions about this or other cybersecurity issues? Contact Hill Tech Solutions.
