For years, the guidance from the National Institute of Standards and Technology (NIST) was read as saying that a good password mixes upper- and lowercase letters, numbers, and symbols. NIST has since reversed that advice. Here's why, and what it recommends today.
The problem was never that NIST told people to pick easy-to-crack passwords; it was that the old rules nudged people toward passwords like “P@ssW0rd1”: a dictionary word with predictable capitalisation, symbol substitutions, and a trailing digit.
Such a string looks secure, but it is exactly what attackers expect. Password-cracking tools take a wordlist and apply the same substitutions as mechanical rules, so a password built that way falls in seconds.
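To make that concrete, here is a small rule-based mangler, added for this article and not taken from any cracking tool's rule file. It applies the capitalisation, leetspeak and suffix tricks people use by hand to a base word and shows that “P@ssW0rd1” sits among fewer than a thousand candidates derived from “password”. The rule set, the suffix list and the five-word dictionary are all constructed for the example; real attacks use wordlists of millions of entries and far larger rule sets.

```python
from itertools import combinations

# Illustrative mangling rules in the spirit of hashcat / John the Ripper rule files.
# Constructed for this example, not copied from any published rule set.
LEET = {"a": "@", "o": "0", "s": "$", "e": "3", "i": "1"}
SUFFIXES = ["", "1", "!", "1!", "!1", "123", "01", "12", "#", "?", "2024", "2025"]


def case_variants(word):
    """lower, UPPER, Capitalised, and Capitalised plus one extra upper-case letter."""
    w = word.lower()
    out = {w, w.upper(), w.capitalize()}
    for i in range(1, len(w)):
        out.add(w[0].upper() + w[1:i] + w[i].upper() + w[i + 1:])
    return out


def leet_variants(word):
    """Every subset of the LEET substitutions applied to the word."""
    present = [c for c in LEET if c in word.lower()]
    out = set()
    for r in range(len(present) + 1):
        for subset in combinations(present, r):
            v = word
            for c in subset:
                v = v.replace(c, LEET[c]).replace(c.upper(), LEET[c])
            out.add(v)
    return out


def mangle(word):
    """All candidates the rule set derives from one base word."""
    return {lv + s
            for cv in case_variants(word)
            for lv in leet_variants(cv)
            for s in SUFFIXES}


def find_base(candidate, wordlist):
    """Return the dictionary word that mangles into `candidate`, or None."""
    for word in wordlist:
        if candidate in mangle(word):
            return word
    return None


# Constructed mini-dictionary; a real attack uses wordlists of millions of entries.
WORDLIST = ["welcome", "summer", "password", "monkey", "dragon"]

if __name__ == "__main__":
    total = sum(len(mangle(w)) for w in WORDLIST)
    print(f"{len(WORDLIST)} words -> {total} candidates")
    print("P@ssW0rd1 derived from:", find_base("P@ssW0rd1", WORDLIST))
    print("recedemarmaladecrockplacate derived from:",
          find_base("recedemarmaladecrockplacate", WORDLIST))
```

Five base words become a few thousand guesses; a 100,000-word list with the same rules is on the order of a hundred million, which a single GPU exhausts in seconds against a fast unsalted hash such as NTLM. The 25-character passphrase, by contrast, has no base word for the rules to start from.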
NIST also advised users to change their passwords regularly, but never said how. Many users responded by changing or appending one or two characters whenever a change was required, which does little against an attacker who already knows the previous password.
The net effect was to push everyone toward passwords that are hard for humans to remember but easy for cracking software to guess.
NIST eventually acknowledged that the advice caused more problems than it solved. Its revised Digital Identity Guidelines (SP 800-63B) tell organisations to stop mandating periodic password changes, unless there is evidence of compromise, and to drop composition (complexity) rules altogether.
Security consultant Frank Abagnale and Kevin Mitnick, Chief Hacking Officer at KnowBe4, both foresee a future without passwords, and both say login policies should require multifactor authentication (MFA).
With MFA, the user must present one or more additional factors alongside the password: a physical security key, an approval prompt on a registered mobile device, or a fingerprint or face scan. A cracked password alone is then not enough to get in.
Mitnick also recommended long passphrases of at least 25 characters, such as “recedemarmaladecrockplacate” or “cavalryfigurineunderdoneexalted”. Strings of unrelated words are far harder to guess: the length defeats brute force, and the absence of a single base word defeats dictionary rules.
NIST also recommends screening every new password against lists of commonly used and previously breached passwords. A password that already appears in a breach dump is known to attackers, however long or elaborate it is, and has to be treated as weak.
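The following example, added here and not part of the original article, puts the two recommendations above into one small verifier: it enforces SP 800-63B style length bounds with no composition rules, screens candidates against a breach corpus using the hash-prefix (k-anonymity) lookup pattern, and generates random passphrases with their guessing entropy. The breach list and the eight-word list (built from the passphrase words quoted above) are constructed stand-ins; a real deployment would use a full breach dataset and a diceware-style list of 7776 words.

```python
import hashlib
import math
import secrets
import unicodedata

# Constructed breach corpus standing in for a real one (e.g. the Have I Been Pwned
# dataset); a real check queries the k-anonymity range API or a local dump.
BREACHED = ["password", "P@ssW0rd1", "123456", "qwerty", "letmein", "welcome1"]

# Constructed word list using the passphrase words from the article; a real
# diceware-style list has 7776 entries.
WORDS = ["recede", "marmalade", "crock", "placate",
         "cavalry", "figurine", "underdone", "exalted"]


def sha1_upper(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index shaped like a "range" response: 5-hex-char prefix -> set of 35-char suffixes.
# Built locally here so the example runs offline.
RANGE_INDEX = {}
for _pw in BREACHED:
    _h = sha1_upper(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password):
    """k-anonymity style lookup: only the 5-char hash prefix would leave the client."""
    h = sha1_upper(password)
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def check_password(password, min_len=8, max_len=64):
    """SP 800-63B style rules: length bounds, breach screen, no composition rules."""
    pw = unicodedata.normalize("NFKC", password)  # normalise before hashing
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    if is_breached(pw):
        return False, "found in breach corpus"
    return True, "ok"


def passphrase(n_words=4, wordlist=WORDS):
    """Random passphrase; secrets.choice draws from the OS CSPRNG."""
    return "".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Guessing entropy of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ["P@ssW0rd1", "recedemarmaladecrockplacate", "short"]:
        print(pw, "->", check_password(pw))
    print("generated:", passphrase())
    print("4 words from a 7776-word list:", round(entropy_bits(4, 7776), 1), "bits")
```

Note that “P@ssW0rd1” fails the breach screen even though it would pass every classic complexity rule, while the 27-character passphrase passes with no symbol or digit in it. Four words from a 7776-word list carry about 51.7 bits of guessing entropy, versus roughly 23 bits for the hundred-million-candidate rule attack described earlier.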
Finally, two further controls are worth enforcing across the company:
- Single sign-on (SSO) – lets users securely access multiple applications with one set of credentials, so there is a single strong password to protect and a single place to enforce MFA.
- Account monitoring – detects suspicious sign-in activity, such as bursts of failed logins against one account or one source trying many accounts, and locks the attacker out before they reach the network.
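As an added example of what account monitoring actually looks for (not code from the article or from any product), here are two detections run over a constructed set of authentication events: a brute-force check that flags one source hammering one account, and a password-spray check that groups by source instead, since a spray makes one guess per account and never trips a per-account lockout. The event tuples and thresholds are invented for the example.

```python
from collections import defaultdict

# Constructed authentication events: (epoch seconds, source IP, user, result).
# Not real log data; shaped like what an identity provider or SSH audit log exports.
EVENTS = [
    # brute force: one source hammers one account
    (1000, "203.0.113.5", "alice", "fail"),
    (1003, "203.0.113.5", "alice", "fail"),
    (1006, "203.0.113.5", "alice", "fail"),
    (1009, "203.0.113.5", "alice", "fail"),
    (1012, "203.0.113.5", "alice", "fail"),
    (1015, "203.0.113.5", "alice", "fail"),
    # password spray: one source, one guess each against many accounts
    (2000, "198.51.100.7", "bob", "fail"),
    (2040, "198.51.100.7", "carol", "fail"),
    (2080, "198.51.100.7", "dave", "fail"),
    (2120, "198.51.100.7", "erin", "fail"),
    (2160, "198.51.100.7", "frank", "fail"),
    (2200, "198.51.100.7", "grace", "success"),
    # benign: a typo followed by a successful login
    (3000, "192.0.2.10", "alice", "fail"),
    (3010, "192.0.2.10", "alice", "success"),
]


def find_bruteforce(events, threshold=5, window=60):
    """(ip, user) pairs with >= threshold failures inside any window-second span."""
    by_pair = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            by_pair[(ip, user)].append(ts)
    hits = set()
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(pair)
                break
    return hits


def find_spray(events, min_accounts=5, window=600):
    """Source IPs that fail against >= min_accounts distinct users inside a window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            by_ip[ip].append((ts, user))
    hits = set()
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _, u in items[start:end + 1]}) >= min_accounts:
                hits.add(ip)
                break
    return hits


def successes_from(events, flagged_ips):
    """Accounts that a flagged source managed to log into: the ones to reset first."""
    return {(ip, user) for _, ip, user, result in events
            if ip in flagged_ips and result == "success"}


if __name__ == "__main__":
    brute = find_bruteforce(EVENTS)
    spray = find_spray(EVENTS)
    print("brute force:", brute)
    print("spray sources:", spray)
    print("compromised by spray:", successes_from(EVENTS, spray))
```

The benign typo from 192.0.2.10 trips neither rule, and the spray source is caught even though no single account saw more than one failure. In a real deployment the same logic runs continuously in a SIEM or the identity provider's risk engine and the flagged source is blocked automatically.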
When it comes to security, ignorance is your business’s kryptonite. If you’d like to learn about what else you can do to remain secure, just give us a call.