The National Institute of Standards and Technology (NIST), a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce, recently released its password guidelines as part of its Digital Identity Guidelines (Special Publication 800-63B). Some of them run contrary to what we have long believed to be good password policy. Our IT security expert will talk more about these guidelines in our upcoming webinar. Let’s take a look at what some of them are.
First comes the long-debated question of password length. NIST recommends passphrases: a long string of ordinary words resists brute-force guessing better than a short password built from symbol substitutions. For example, “ThisIsNotAGoodPasswordExample” (29 characters) would take far longer to crack by exhaustive search than “B@dex@mp1E” (10 characters), even though the second one satisfies every traditional complexity rule. NIST now recommends a minimum length of 15 characters and tells verifiers to accept much longer secrets (at least 64 characters, including spaces and Unicode), but it no longer calls for composition rules such as mandatory uppercase letters, digits or special characters. Such rules mostly produce predictable substitutions (“B@dex@mp1E” is exactly what they produce) and are easy for a cracking tool to model. One caveat: length only helps if the passphrase is not itself a well-known phrase or song lyric, which cracking wordlists also contain.
Next comes the password expiration policy. This is one of the policies that employees have long been frustrated by, and now they can heave a sigh of relief. Studies have shown that forcing frequent password changes does not boost an organization’s security: users respond with small, predictable edits (Password1 becomes Password2), which attackers who hold an old password can guess in a handful of attempts. NIST no longer recommends periodic expiration and instead says passwords should be changed only when there is evidence of compromise, for example when the password appears in a breach dump or the user has been phished.
NIST also requires that a chosen password be screened against a blocklist of values that are commonly used, expected or previously compromised: passwords from breach corpuses, dictionary words, repetitive or sequential strings such as “aaaaaa” or “1234abcd”, and context-specific words such as the company name, the service name or the user’s own username. A candidate that matches is rejected and the user is asked to pick something else. This prevents employees from choosing a password that attackers will try first, whether from a leaked list or from a credential-stuffing run, and that could be the gateway into the organization.
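The checks described in the two paragraphs above (minimum length without composition rules, and screening against common, context-specific, sequential and breached values) are easy to put into a single validation routine. The following is an added example written for this page, not code from NIST or from any product: the blocklist and the breach data are constructed inline, and the breach lookup mimics the k-anonymity style of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the client) against a local stand-in rather than a real network call.

```python
"""Memorized-secret screening in the style of NIST SP 800-63B (added example)."""
import hashlib
import unicodedata

MIN_LENGTH = 15  # the recommended floor discussed in the text; 800-63B's hard minimum is 8
# Note: no maximum is enforced here; verifiers must accept secrets of at least 64 characters.

# Constructed blocklist; a real deployment loads a breach corpus or a large wordlist.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
    # The page's own example passphrase: anything printed in a blog post is in attacker wordlists.
    "thisisnotagoodpasswordexample",
}


def normalize(secret):
    """Apply Unicode NFKC normalization before comparing or hashing, as 800-63B recommends."""
    return unicodedata.normalize("NFKC", secret)


def _sha1_hex(secret):
    return hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()


def _build_constructed_range_db(breached):
    """Build {prefix: response_text} mimicking the Pwned Passwords range API.

    Constructed for this example: each response line is '<35-hex-char suffix>:<count>'.
    A real client would fetch https://api.pwnedpasswords.com/range/<prefix> instead.
    """
    db = {}
    for pw, count in breached.items():
        digest = _sha1_hex(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in db.items()}


# Constructed "breach" data: two secrets with made-up occurrence counts.
CONSTRUCTED_RANGE_DB = _build_constructed_range_db({"password123": 123456, "Summer2024!": 4321})


def breach_count(secret, range_db=CONSTRUCTED_RANGE_DB):
    """k-anonymity lookup: send only the 5-char SHA-1 prefix, match the suffix locally."""
    digest = _sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_db.get(prefix, "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def has_repetitive_or_sequential_run(secret, run=6):
    """True if any window of `run` characters is all-identical or strictly ascending/descending."""
    for i in range(len(secret) - run + 1):
        codes = [ord(c) for c in secret[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_memorized_secret(secret, username="", service=""):
    """Return a list of rejection reasons; an empty list means the secret is acceptable.

    Deliberately no composition rule (uppercase/digit/symbol) is applied.
    """
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too_short")
    if lowered in COMMON_PASSWORDS:
        reasons.append("common")
    # Context-specific words: the username or the service name must not appear in the secret.
    for word in (username, service):
        if word and word.lower() in lowered:
            reasons.append("context")
            break
    if has_repetitive_or_sequential_run(s):
        reasons.append("sequential")
    if breach_count(s) > 0:
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ("B@dex@mp1E", "ThisIsNotAGoodPasswordExample",
                      "password123", "orange kettle drifts past mars"):
        print(f"{candidate!r}: {check_memorized_secret(candidate) or 'accepted'}")
```

The ordering matters in production: the cheap local checks run first, and the breach lookup (a network call in a real deployment) runs last so that obviously bad candidates never generate traffic. When the verifier stores the secret, it should hash the same normalized form it screened.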
NIST also rules out two related crutches. Verifiers must not let users store a password hint that is shown to someone who has not yet authenticated, because a hint narrows the guessing space for an attacker as much as for the forgetful user. And verifiers must not prompt users for knowledge-based answers such as “What’s your favorite color?” or “What was the name of your first pet?” when choosing or recovering a password. With the abundance of information we share online, the answers to such questions are rarely hard to find.
Besides these guidelines, the NIST recommends several other practices that are surprisingly easy to implement in your organization. Join our webinar, and learn how to implement NIST guidelines in your organization.