Follow these NIST Guidelines to Boost Password Security

June 11, 2018

According to a 2017 survey of business executives, approximately 53% of U.S. businesses reported a cyberattack last year. With the increase in breaches comes the need for stronger online security and identification standards, and specifically for practical recommendations on effective passwords.

In response to this growing need, the National Institute of Standards and Technology (NIST) recently revised its guidelines on creating passwords. NIST is a federal agency that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. It created the new guidelines to simplify the password-making process for users.

“The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users,” says Paul Grassi, senior standards and technology adviser at NIST.

While NIST acknowledges that past password recommendations have been blurry at best, the new policy aims to reduce user frustration and boost security.

Establish a Baseline Policy for Your Organization

Use NIST’s recommendations for creating passwords:

  • Choose Specifications: Increase the minimum password length to eight characters and raise the maximum length to 64 characters. Keep passwords “long, simple and memorable,” said Grassi.
  • Check Against Commonly Used Phrases: Check each new password against lists of commonly used and previously stolen passwords, and reject any that match. Hackers will often run a “dictionary test” by plugging in ordinary words and known passwords.
  • Avoid Personal Information: Personal information in your password is a recipe for disaster. Identifiers such as your name can be easily looked up or guessed by someone trying to compromise your account.
  • Use Multifactor Authentication: Adding a step after typing in your password can maximize security. For example, some apps send a code to your laptop or phone that must be entered before full access to your account is granted.
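The first three checks above, written as a small policy validator. This is an added example, not BARR Advisory's or NIST's code; the blocklist is a constructed stand-in for a real list of commonly used and breached passwords, and the trailing-suffix stripping (so that "Password1!" is judged as "password") goes slightly beyond the list above.

```python
import re
import unicodedata

# Constructed sample blocklist (assumption: a real deployment loads a much
# larger list of commonly used and previously breached passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 8   # minimum length for user-chosen passwords
MAX_LENGTH = 64  # longest password the system must accept


def _base_form(secret: str) -> str:
    """Lower-case and drop a trailing run of digits/symbols, so that
    'Password1!' is compared against the list as 'password'."""
    return re.sub(r"[\d\W_]+$", "", secret.lower())


def check_password(candidate: str, username: str = "",
                   blocklist: set = COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    NFKC normalisation and counting characters (not bytes) lets passphrases
    with spaces or non-ASCII characters be measured consistently.
    """
    secret = unicodedata.normalize("NFKC", candidate)
    problems = []

    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Commonly used / dictionary check: case-insensitive, with and without
    # a trailing digit-or-symbol suffix.
    if {secret.lower(), _base_form(secret)} & blocklist:
        problems.append("appears on the commonly used password list")

    # Personal information check: reject secrets containing the account name.
    if username and len(username) >= 3 and username.lower() in secret.lower():
        problems.append("contains the username")

    return problems


def is_acceptable(candidate: str, username: str = "") -> bool:
    """True when the candidate passes every check."""
    return not check_password(candidate, username)
```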

Avoid these Common Misconceptions

  • Mandatory Password Change Every 90 Days: Users do not dramatically change their passwords when faced with a 90-day limit. Rather, choosing a strong password from the start is your best option. According to Grassi, “… you’re not changing your entire password; you’re shifting one character… everyone does that, and the bad guys know that.”
  • A Good Password Must be Lengthy: Data shows that a 10-character password can be effective. According to Fahmida Y. Rashid, a senior writer at CSO, increasing your password from 8 to 10 characters can push the time needed to crack it on a botnet device to more than 80 days. Using mixed case and numbers can extend that to almost six years.

How BARR Advisory Can Help

At BARR Advisory, we help enterprises of all sizes strengthen security, meet complicated mandates, and take business efficiency to the next level. To get a free consultation on how your organization can implement these new guidelines, contact us at [email protected].
