Earlier this year, the National Institute of Standards and Technology (NIST) released new guidelines for creating a strong password. These guidelines replace previous and outdated ones and are designed to make passwords more secure. In this blog post, we will go over these new guidelines and discuss how you can implement them into your business and keep your data safe from malicious attacks.
Don’t Require Regular Password Resets
One of the most important changes that NIST made is that they no longer recommend requiring regular password resets. This practice has been shown to be ineffective and actually make passwords less secure. A study by Microsoft found that users who were required to reset their passwords frequently were more likely to use weak passwords and reuse them across multiple accounts.
Implement Multi-Factor Authentication
Multi-factor authentication(MFA) is another security measure that NIST recommends using. This involves using more than one method to verify your identity, such as a password and a fingerprint scan. Multi-factor authentication can help protect your account from attackers even if they manage to steal your password.
Why are MFA’s more secure? Well, for starters passwords can be guessed or stolen, but a fingerprint or custom code cannot. Additionally, if someone does manage to get your password, they would not be able to access your account without also passing through the second layer of security.
Screen Your Passwords
It’s now recommended that users screen their passwords against lists of commonly used passwords that hackers can guess. This can be done by using a password manager or a service that checks the strength of your passwords. Services like these can help you create strong passwords that are difficult to guess.
Strong passwords usually include a mix of uppercase and lowercase letters, numbers, and symbols. They are also at least eight characters long.
Limit Failed Password Attempts
NIST also recommends limiting the number of failed password attempts. Limiting your failed password attempts can help keep your accounts secure by preventing attackers from gaining access to them if they guess your password incorrectly. This can help protect your account from brute force attacks, which are when hackers try to guess your password by trying different combinations until they find the right one.
Remove Password Hints and Knowledge-based Authentication (KBA)
Your organization should update its password policy to not allow employees or users with internet access to request a password hint. Instead, it’s recommended to have users confirm their identity and reset their password using Multi-factor authentication or Two-Factor Authentication. NIST password guidelines also recommend not using knowledge-based questions such as “First Pets Name, Your Hometown, or favorite movie?” as these questions can be found through social engineering.
Salt and Hash Your Passwords
Both salt and hashing are used to protect passwords from being cracked. Salt helps make passwords more secure by adding an extra layer of security, and hashing helps keep passwords hidden even if they are stolen.
Salt and hashing are two more security measures that NIST recommends using. Salt is a random string of characters that is added to passwords before they are hashed. This makes it difficult for hackers to reverse the hash and figure out your password. Hashing is a process that converts passwords into a unique string of characters.
Secure Your Data Using NIST Password Guidelines
The NIST password guidelines are designed to make passwords more secure. These guidelines include using multi-factor authentication and screening your passwords against lists of commonly used passwords. You can also limit failed password attempts, salt and hash your passwords, and use strong passwords that are difficult to guess. Implementing these guidelines along with other cybersecurity measures can help keep your accounts safe from hackers.
To learn more about the NIST guidelines and how to further protect your data, contact an IT professional from Throttlenet today.