It's National Cybersecurity Awareness Month, which means it's the perfect time to think about data security and how you can bolster your organization's overall cybersecurity posture. One crucial aspect you should reevaluate is your password strategy.
Are you sure your passwords can effectively safeguard your company's online accounts and data?
The good news is that the National Institute of Standards and Technology (NIST) released the following guidelines on creating passwords that are both effective and easy to remember. If you’re not absolutely certain about your password practices, then add these 10 tips to improve your password strategy to your reading list, today.
1. Go For Length Rather Than Complexity
When it comes to password strength, it may seem logical that complexity would matter more than length. However, password length is far more significant because a longer combination means there are more characters to decipher, making it harder to crack.
While it may come as a surprise, adding complexity (e.g., capitalization and alphanumeric requirements) actually has the opposite effect and makes a password less secure. This is because, with every additional layer of complexity, it becomes more difficult to come up with unique passwords for each account. You see where we’re going with this, now? In order to make a handful of passwords easier to remember, people tend to use variations of one password combination, such as substituting "!" for "1" or capitalizing a random letter. For these reasons, NIST has removed all password complexity requirements from its standards.
2. Avoid Periodic Resets
Many organizations require users to change their passwords every few months, but NIST says this isn't necessary and can actually lead to weaker passwords. Password resets add complexity, and based on what we just learned about complexity, they will often drive users to adopt predictable patterns when changing their passwords, such as slightly modifying a previous password. This becomes a problem if a hacker already knows a user's old password, as they can easily guess the new one.
3. Enable "Show Password While Typing"
This feature, which is available in most browsers and operating systems, allows you to see your password as you type it. This can help prevent typos and other mistakes and encourages users to use longer passwords.
By contrast, when you can’t see what you’re typing, sometimes you can’t tell whether you made a mistake. If you’re constantly frustrated by, or worried about typos when entering your passwords, you’re more likely to set short passwords, especially since some sites allow only a limited number of login attempts.
4. Allow Password "Paste-In"
Many websites and applications allow users to paste passwords into the login field, which can be a convenient way to enter a long password without manually typing it out. This feature is especially handy, considering the average person has 100 passwords (crazy, right?!).
Many users have also started using password managers to generate and store their passwords, and the paste-in functionality simplifies the authentication procedure while also remaining secure.
5. Use Breached Password Protection
If you’re following the NIST password guidelines, every new password must be run through a blacklist that includes items such as dictionary words, repetitive sequences of characters, passwords from prior security breaches, or other commonly guessed phrases. If a password is on the list, it should not be accepted and the user should be prompted to choose a new one.
This goes hand in hand with a service called Dark Web Monitoring, which will scan the dark web for any information that is related to you or your company. Hackers will steal your passwords or other information and sell it on the dark web; this can put your company at risk if a malicious hacker gets their hands on it. Dark Web Monitoring will notify you if any of your organizational information is detected, so that you can swiftly take action and change any and all passwords.
6. Don't Use Password Hints
In an effort to assist users in remembering complex passwords, some companies provide a hint or require answering a personal question. This strategy can backfire, however, because social media and other channels make it easy for hackers to look up personal information and use that knowledge to break into people's accounts.
Think about the most common password hint prompts that you’ve used: mother’s maiden name, where you went to school, name of your best friend, the city in which you were born – all of these can easily be found by scrolling through your photos on social media, any photos other people have tagged you in, and in some cases, by doing a simple google search.
7. Limit Password Attempts
Some services, like online banking, will lock out users after a set number of failed login attempts. This can prevent someone from brute-forcing their way into your account.
The typical cybercriminal will require a lot more attempts than the user who frequently makes typos. By limiting the number of attempts, you'll make it drastically more difficult for an attacker to get into your network, which can dissuade them from even trying.
8. Use Multifactor Authentication (MFA)
We’re a strong believer in MFA, and NIST requires the use of multifactor authentication (MFA) for any database that stores personal information. MFA adds an extra layer of security by asking for at least two proofs of your identity, such as a password and a code from another device, before you are given account access. However, NIST’s criteria for acceptable forms of identification and non-authentication are quite stringent.
For example, NIST doesn't consider codes sent via Voice over Internet Protocol services or emails as acceptable MFA methods. This is because these aren't really separate channels, so they can't really prove that the user possesses the secondary device required for identity verification. However a personal device, like a cell phone, that is independent from the network, would suffice.
9. Hash Users' Passwords
Breaches are inevitable. But by hashing passwords with a secure algorithm, such as Balloon or Password-Based Key Derivation Function 2, it can be much more difficult for attackers to steal the login credentials in a compromised database. This will essentially turn your password into an unrecognizable combination of numbers and letters for anyone trying to decipher it. Note that on top of hashing passwords with a one-way key derivation function, NIST also requires organizations to salt passwords with at least 32 bits of data.
10. Secure Your Databases
Sometimes, a cybercriminal hacks into a site because the database configuration is too weak; it's just too good an opportunity to pass up. That’s why you should always fortify your defenses. Additionally, keep in mind that your administrator's authentication credentials should follow NIST standards.
A strong password strategy will be useless if you don't take steps to secure your databases from attack. You should encrypt all sensitive data, use firewalls, and be sure to keep software up to date. Having your systems up to date with the latest security measures is key in protecting your organization from being fully breached.
Follow these tips from NIST to create passwords that are both effective and easy to remember. If you need help securing your systems, drop us a line at Charles IT!