The NIST Password Guidelines are also known as NIST Special Publication 800-63B and are part of the NIST’s digital identity guidelines. They were originally published in 2017 and most recently updated in March of 2020 under “Revision 3” or “SP800-63B-3”. They are considered the most influential standard for password creation and use policies by many password cracking experts.

According to the Verizon Data Breach Investigations Report, compromised passwords are responsible for 81% of hacking-related breaches. Needless to say, a key part of overall information security is securing your users’ passwords. However, while there are a lot of conventional password security practices that seem intuitive, a lot of them are misleading, outdated, and even counterproductive.

That’s where the National Institute of Standards and Technology (NIST) password guidelines (also known as NIST Special Publication 800-63B) come in. Although they’re required only for federal agencies, they’re considered the gold standard for password security by many experts because of how well researched, vetted, and widely applicable they are for the private sector. In fact, many corporate security teams are already using the NIST password guidelines as a baseline to provide something even more powerful than policies: credibility. So if you’re looking for what actually works for password security in 2020, here’s what the NIST says you should be doing (in plain English).

Password security starts with the physical creation of that password. However, it’s not just your users’ responsibility to ensure their passwords are up to par - it’s also up to you to ensure that the passwords are strong enough (especially in light of how the FTC handled the TaxSlayer case). Here’s what the NIST guidelines say you should include in your new password policy.

Length > Complexity

Conventional wisdom says that a complex password is more secure. But in reality, password length is a much more important factor because a longer password is harder to decrypt if stolen. Here’s a great example of how password length benefits you more than complexity on a technical level:

This is why the NIST guidelines call for a strict eight-character minimum length. However, additional research shows that requiring new passwords to include a certain amount of complexity can actually make them less secure. For example, many companies require that users include special characters, like a number, symbol, or uppercase letter, in their passwords to make them harder to decrypt. Unfortunately, many users will add complexity to their password by simply capitalizing the first letter of their password or adding a “1” or “!” to the end. And while it technically does make a password more difficult to crack, most password-crackers worth their salt know users tend to follow these patterns and can use them to reduce the time needed to decrypt a stolen password. Additionally, as password complexity increases, users tend to reuse passwords from account to account, increasing the risk that they could be the victim of a credential stuffing attack if one account is breached.

And that’s why NIST has also removed all password-complexity requirements from their guidelines. So instead of forcing users to create more complex passwords, ask them to create longer ones if you want to improve password security.

Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse. It’s difficult enough to remember one good password a year.
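As an added example (not code from the original article, and not NIST’s own), the Python below puts the two points above side by side: a legacy composition-rule policy with 90-day rotation, and an SP 800-63B-style check with an eight-character floor, no composition rules, a comparison against a blocklist of commonly used or breached passwords (which 800-63B also calls for), and resets driven only by evidence of compromise. The keyspace function quantifies the “length beats complexity” argument in bits. The blocklist, the normalization step that strips a leading capital and trailing digits or symbols, the 128-character cap, and the sample passwords are constructed for illustration and are not taken from the article.

```python
"""Legacy complexity policy versus an SP 800-63B-style policy (added example)."""
import math
import re
import string

# Constructed stand-in for a breached/common-password corpus. A real deployment
# loads a large list (stored lowercased) instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin",
}

# Local defensive cap (not from the article): 800-63B requires accepting at
# least 64 characters; a generous upper bound still limits hashing cost.
MAX_LENGTH = 128


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space, in bits, for `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)


def length_vs_complexity() -> dict:
    """Eight 'complex' characters versus sixteen lowercase-only characters."""
    return {
        "8 chars, all 95 printable ASCII": round(keyspace_bits(8, 95), 1),   # 52.6
        "16 chars, lowercase only": round(keyspace_bits(16, 26), 1),         # 75.2
    }


def legacy_policy(password: str) -> list:
    """Composition-rule policy the article argues against; returns violations."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def normalize(password: str) -> str:
    """Strip the predictable decorations the article describes (a capitalized
    first letter, a trailing '1' or '!') so 'Password1!' is checked as 'password'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def nist_style_policy(password: str, username: str = "", common=COMMON_PASSWORDS) -> list:
    """800-63B-style check: length floor, blocklist, context words, no composition rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        problems.append("longer than the local %d-character cap" % MAX_LENGTH)
    if password.lower() in common or normalize(password) in common:
        problems.append("matches a commonly used or breached password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def reset_required(days_since_change: int, evidence_of_compromise: bool, legacy: bool) -> bool:
    """Legacy: rotate every 90 days. 800-63B style: rotate only on compromise."""
    if legacy:
        return days_since_change >= 90 or evidence_of_compromise
    return evidence_of_compromise


if __name__ == "__main__":
    print(length_vs_complexity())
    for pw in ("Password1!", "correct horse battery staple"):
        print(repr(pw), "legacy:", legacy_policy(pw), "| nist-style:", nist_style_policy(pw))
```

Run as a script, the output shows the inversion the article describes: the legacy rules wave “Password1!” through and reject the long passphrase, while the 800-63B-style check does the opposite, because the passphrase has far more search space and the decorated dictionary word collapses to a blocklisted entry once its predictable trimmings are removed.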