Rethinking Password Security

The importance of password security in the digital age should be a top priority for company security postures, as compromised passwords are still responsible for the majority of security breaches in 2021. Given this, organizations must place the utmost importance on adhering to industry best practices developed by organization such as the National Institute of Standards and Technology (NIST).

Recent Changes

Private organizations and federal agencies have begun to re-evaluate password management. In 2019, as part of updating their security baseline for Windows 10, Microsoft removed the requirement for periodic password resets.

Additionally, the NIST Special Publication 800-63B was updated in March 2020 and contains the password guidelines required for use by federal agencies and are considered an excellent baseline for instituting corporate password policies. These guidelines reflect best practices including:

Length Matters Most

According to NIST, password length has been found to be the primary factor in what should characterize password strength. Passwords that are created too short will be vulnerable to dictionary attacks using words and commonly chosen passwords as well as be susceptible to brute force attacks. Instead, users should be encouraged to set their passwords to be as long as the system can support. This is primarily because passwords are stored/hashed (encrypted) by an algorithm where the hashed password size is independent of its length.

Stop Arbitrary Password Resets

Most organizations require their users to arbitrarily change their password at a preset interval (e.g., every 60 days) to lock out any potential unauthorized users. This can lead to users adopting poor security practices such as changing their passwords in predictable patterns such as adding a single additional number or character to the end of the password. Therefore, NIST recommends that passwords should not be changed periodically, but instead a change should be forced if there is evidence that the password has been compromised

Use Blacklists

Another recent NIST recommendation is that blacklists should be utilized for checking if new user passwords include dictionary words, repetitive strings, previously breached passwords, variations on the company/website name, or any other words/patterns that hackers will attempt to guess. At the very least, blacklists can be used to prevent users from choosing passwords such as “qwerty” or “123456”.

How to Best Prepare

Every company could benefit from a comprehensive review and assessment of their authentication and overarching IT security policies. Clearview assists companies of all sizes in assessing and developing authentication and password policies that are appropriately sized, cost effective, and provide the most up-to-date recommendations from NIST and other leading standards.

For more information about what you need to know related to recent changes in password and authentication guidelines, please contact: content@cviewllc.com.

More in Risk & IT Risk Advisory