BEI employee and password security

Improve your security by following NIST password guidelines

You work hard to protect your business and your data from cybersecurity attacks. You backup your files regularly and keep your antivirus and malware protection up-to-date. But you also employ imperfect people who may be unwittingly putting your business at risk with one simple, and very common, mistake.

You may even be putting your business at risk yourself. Most people are guilty of using the same passwords for many accounts. This widespread password reuse sets you up to be an easy target for cyberattacks.

One popular method employed cybercriminals is large-scale Account Takeover (ATO) attacks on web and mobile applications. Improving password security is one of the most effective ways to prevent these type of attacks.

It is imperative to educate users on how to select strong, unique passwords for each account. The National Institute of Standards and Technology (NIST) provides up-to-date Digital Identity Guidelines.

Based on their guidelines, we have compiled the following suggestions to help you improve your password creation processes and educate your employees accordingly.

Basic password guidelines

These are the most basic guidelines provided by the NIST when it comes to password creation.

  • An eight character minimum and 64 character maximum length. Longer is better, and something that is memorable, but hard to guess, is best.
  • The ability to use all special characters, without special requirements on how to use them
  • Restrict sequential and repetitive characters (e.g. such as abcde or 11111)
  • Restrict context specific passwords (e.g. business name, the name of the site, etc.)
  • Restrict commonly used passwords (e.g. password1, etc.)
  • Avoid the use of password hints. Many accounts will allow you to select a hint in case you forget your password. Hints can compromise even the strongest of passwords.

Remove periodic password changes

Many businesses require users to change their passwords every four to eight weeks. Several studies have shown that requiring frequent password changes is actually counterproductive to security. This practice frustrates users and may cause poorer password generation. The NIST recommends removing this policy entirely.

Time to changing password

Remove arbitrary complexity requirement

Many passwords have requirements: you must have at least one upper case letter, two special characters, and a number. But not that special character. We have all seen the pop-up informing us that our password doesn’t meet the requirements. It is frustrating and eye-straining to examine the tiny print in an attempt to figure out what password rules you’re breaking.

Much like frequent password changes, this policy may actually result in worse passwords. The NIST recommends allowing special characters, and not limiting how these characters are used.

Screen new passwords

A brand new guideline, the NIST now suggests screening passwords against a “blacklist” before use. The list should include the following:

  • Words found in the dictionary
  • proper nouns (e.g. names, locations, the name of the service/business)
  • any specific passwords from previous breach corpuses
  • common passwords (e.g. “p@ssword”, “12345”, “monkey”, “qwerty”, and “letmein”)

Screening for these passwords can minimize the risk of data breaches. It can help prompt users to craft more unique passwords.

Easy to remember, hard to guess

One of the most important guidelines to follow when creating a password is creating a password that is memorable. You should never, ever post your password where others can see it. Traditional thought has been that if a password is easy for us to remember, it is easy for a hacker to guess. This does not have to be the case.

Take a look at the following suggestions for crafting a unique and memorable password:

  • While it is imperative to avoid using common words, consider using a word or phrase with personal meaning. An inside joke or unusual catchphrase is a great starting place, for example, “NeverDanceWithAngryElvis”.
  • Include numbers, capital letters, and special characters. Using the example above, you might change it to, “N3v3rD@nceWith@ngry3!vis”. Replacing letters consistently, such as all A’s with @’s, makes the changes easier to remember.
  • Another option is to use an abbreviation of a sentence or title. For example, are you a hardcore Harry Potter fan? Have you seen Harry Potter and the Goblet of Fire 32 times? Then a great password might be, “HPatG0F32times!”.
  • Another effective option is to use three or four words that are separately memorable to you. String them together with dashes, periods, or another special character. For example, “Horse-Paris-Coffee-StarWars” or “Warrior.Hatchback.Toast.Mecca”.

Use multi-factor authentication

Many accounts offer multi-factor authentication. You are notified if someone logs onto your account from an unrecognized device. The typical method is to notify you by text to a mobile number that you register with the account. To verify that you are the one accessing your account you must enter a code, supplied to the mobile device.

hand holding phone

We recommend using multi-factor authentication whenever it is available. It provides an extra layer of protection for your accounts and your data.

Consider using a password manager

One way to increase your password security is to use a password manager. These programs let you create a different, very strong password for every site that you access. Instead of remembering all your passwords, you only have to remember the password to access the secure password manager.