Businesses like yours often struggle with password policies. We all know employees shouldn’t use overly simple passwords, nor should they use the same password on multiple sites. But what exactly should they do? How long should passwords be, and how often should they be changed?
Here’s some help from the National Institute of Standards and Technology (NIST). NIST writes its guidelines for federal agencies (they are the technical backbone of FISMA compliance), but they are widely adopted in the private sector as well, and auditors working under regimes such as HIPAA and SOX routinely treat them as the benchmark for “reasonable” security.
The password guidance lives in NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (a different document from the better-known NIST Cybersecurity Framework). The current edition flips some of the old, conventional wisdom on its head. Here are some highlights:
Show password while typing: Many sites frown on this option, believing it creates a security risk if others can see the password on screen. But taking the option away pushes users toward shorter, simpler passwords, which offsets any good it does. NIST now says the login form should offer a way to display the password (at least temporarily) while it is being typed, so go ahead and let your users see what they’re typing.
Simplify: You know all those sites where your password must contain “one upper case letter, one lower case letter, one number and one special character”? Bad idea, says NIST. Composition rules lead to predictable substitutions (“P@ssw0rd1!”) and to users forgetting their complicated passwords and replacing them with simpler ones. What NIST asks for instead is a check against a blocklist: reject anything that appears in previous breaches, in a dictionary, that is repetitive or sequential (“aaaaaaaa”, “12345678”), or that contains context-specific words such as your company name or the username.
Don’t change: This one seems counterintuitive, but NIST now recommends against forcing employees to change passwords at regular intervals. Why? Employees struggle to come up with variations they haven’t used before and once again they go with simpler ones, or just increment a digit. Passwords should be changed when there is evidence they have been compromised, not on a calendar.
Length: How long should a password be? NIST guidelines set a minimum of eight characters when the user chooses the password, and six when it is randomly generated by the system. That’s the floor; longer is better, so the system should accept passwords of at least 64 characters, including spaces, so that users can type memorable passphrases. All printable ASCII and Unicode characters should be allowed, with Unicode input normalized before the length check so the count is consistent.
Also to be noted from the NIST guidelines: thumbs-down to password “hints” shown to anyone who has not yet logged in, and to security questions such as “What was your first pet’s name?”; thumbs-up to limiting the number of failed login attempts on an account (NIST caps it at 100 consecutive failures). And, surprisingly to many, two-factor authentication (2FA) that works by texting a code is classified as a “restricted” authenticator: NIST doesn’t ban it outright, but it requires you to weigh the risk and offer a stronger alternative. SMS codes can be intercepted through SIM swapping, carrier-network weaknesses and malware on the phone, so prefer an authenticator app or a hardware security key where you can.
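To make these rules concrete, here is an added example (not code from the original article or from NIST) of a password acceptance check written the way SP 800-63B describes: a length floor with a generous ceiling, no composition rules, Unicode normalization before counting, a blocklist and context-word check, and a per-account counter for consecutive failed logins. The blocklist entries and account names are constructed for the example, and the module name `nist_password_check` is an assumption.

```python
"""nist_password_check: an added illustration of an SP 800-63B style memorized-secret
policy. Not the article's or NIST's code; blocklist contents and names are constructed."""
import unicodedata

MIN_LENGTH = 8             # user-chosen passwords: at least 8 characters
MAX_LENGTH = 256           # SP 800-63B asks verifiers to accept at least 64; allow more
MAX_FAILED_ATTEMPTS = 100  # cap on consecutive failed attempts against one account

# Constructed, deliberately tiny stand-in for a real corpus of breached and
# commonly used passwords. Stored casefolded so the comparison ignores case.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "iloveyou"}


def normalize(secret: str) -> str:
    """NFKC-normalize the secret, as SP 800-63B specifies, so that visually
    identical input typed on different keyboards (e.g. fullwidth letters)
    compares equal and is measured the same way."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(secret: str) -> bool:
    """Catch the obvious patterns the blocklist will not enumerate: a single
    repeated character, a short unit tiled across the whole string ("abababab"),
    and runs of consecutive code points ("12345678", "hgfedcba")."""
    if len(set(secret)) == 1:
        return True
    for unit in range(1, len(secret) // 2 + 1):
        if len(secret) % unit == 0 and secret[:unit] * (len(secret) // unit) == secret:
            return True
    deltas = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return deltas in ({1}, {-1})


def check_password(candidate: str, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason). Note what is deliberately absent: no
    uppercase/digit/symbol requirements and no expiry; spaces and any
    printable Unicode are allowed, so passphrases pass."""
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:          # length counted in code points
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"
    lowered = secret.casefold()
    if lowered in BLOCKLIST:
        return False, "appears on the list of commonly used or breached passwords"
    for word in context_words:            # service name, username, and the like
        if word.casefold() in lowered:
            return False, "must not contain the service or account name"
    if is_repetitive(secret):
        return False, "repetitive or sequential characters are not allowed"
    return True, "ok"


class FailedAttemptLimiter:
    """Track consecutive failed logins per account; lock once the cap is hit
    and clear the count on a successful login."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures: dict[str, int] = {}

    def allowed(self, account: str) -> bool:
        return self.failures.get(account, 0) < self.limit

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1


if __name__ == "__main__":
    for pw in ["password", "Correct horse battery staple", "12345678", "ｐａｓｓｗｏｒｄ"]:
        print(repr(pw), check_password(pw, context_words=("HillTech",)))
```

The fullwidth `ｐａｓｓｗｏｒｄ` case shows why normalization comes first: without NFKC it would slip past a blocklist of ASCII entries. In production the blocklist would be a large breach corpus (checked by hash rather than held in memory), and the limiter would persist its counters and add a delay or CAPTCHA well before the hard cap.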
Questions about passwords, or cybersecurity in general for your business? Contact Hill Tech Solutions.