Are your passwords secure? The latest recommendations come from NIST

35% of cyber-attacks today are still attributable to password breaches. Lost or stolen credentials remain one of the main tactics used by cybercriminals to carry out fraud and breaches of various kinds.

Over the past year, with work alternating between home and office, password security has become even more crucial. Remote ("smart") working has enlarged the attack surface and highlighted the importance of correct password use as a solid fence against cyber threats.

In recent years, we have become used to applying rules based on various best practices to create secure passwords. These rules focus on password uniqueness, complexity and regular updates.

Unfortunately, while fundamental, this advice has led many users to create weaker rather than stronger passwords, as they try to satisfy uniqueness, complexity and frequent updates by changing just a few characters.

Given that breach rates are still very high, the National Institute of Standards and Technology (NIST) has produced a new publication to address the issue. NIST Special Publication 800-63B (Guidelines for Digital Identity – Authentication and Life Cycle Management) provides appropriate tips and a timely response to new threats.

To guide users on the subject, Microsoft and the National Cyber Security Centre (NCSC) have also published new guidelines on password management and security.

What are the top tips for making our passwords even more secure?

Practical tips for secure passwords

Where possible, increase the length of the password while reducing its complexity

Creating complex passwords continues to be a crucial element in making them secure. Unfortunately, this good practice generated the bad habit of reusing the same password several times, with only minor changes. According to the National Cyber Security Centre (NCSC), people tend to use predictable patterns to satisfy the required complexity criteria (such as replacing the letter ‘o’ with a zero, ‘a’ with @, or ‘i’ with !). Unfortunately, hackers are also very familiar with these strategies and frequently use them to boost their attacks. Therefore, the length of a password is now the crucial factor in making it secure: a longer password is statistically more difficult to crack. NIST recommends that companies set the maximum password length to 64 characters. This allows the use of unique and personal passphrases, which are easier for users to remember and much harder to guess.

Create a different password for each account, making it difficult to guess

Recycling passwords is a common problem. According to a Google survey, 52% of people tend to reuse the same password on more than one account. This habit has led hackers to carry out cyberattacks based solely on compromised password lists purchased on the dark web: using these lists of stolen credentials, they attempt to gain access to other accounts where the same password was reused. To avoid falling victim to cybercrime, it is extremely important never to use the same password for different accounts. You should also avoid dictionary words, repetitive or sequential strings, previously used passwords, and commonly used passphrases. These are all patterns that hackers can easily guess.
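The screening the two tips above describe (a 64-character cap, undoing the predictable o/0, a/@, i/! substitutions before matching against common words, and rejecting repetitive, sequential or previously used passwords), written as a small checker. This is an added example, not code from the post or from NIST; the common-word list, the password history and the 8-character minimum are constructed assumptions.

```python
"""Password screening in the spirit of NIST SP 800-63B (added example)."""
import hashlib
import re

MAX_LEN = 64   # the post: allow passwords up to 64 characters
MIN_LEN = 8    # assumption: a minimum length for memorized secrets

# Constructed blocklist standing in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# The predictable substitutions the post mentions (o->0, a->@, i->!) plus a few more.
LEET = str.maketrans({"0": "o", "@": "a", "!": "i", "1": "i", "3": "e", "$": "s"})


def normalize(pw: str) -> str:
    """Undo leet-speak substitutions and drop non-letters: 'P@ssw0rd!' -> 'passwordi'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_repetitive_or_sequential(pw: str) -> bool:
    """Catch 'aaaaaaaa', 'abcabcabc', 'abcdefgh', '12345678', '87654321' and similar."""
    if (pw + pw).find(pw, 1) < len(pw):        # built from a repeated substring
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}       # monotone run of adjacent characters


def password_hash(pw: str) -> str:
    """History entry; a real system would compare against its stored password hashes."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, history: frozenset = frozenset()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("longer than 64 characters")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential")
    # Substring match on the normalized form; deliberately strict, so 'badminton'
    # would also trip on 'admin'. Tune the word list to your own tolerance.
    if any(word in normalize(pw) for word in COMMON_WORDS):
        problems.append("contains a common word (after undoing substitutions)")
    if password_hash(pw) in history:
        problems.append("previously used")
    return problems
```

A long passphrase such as "correct horse battery staple" passes every check, while "P@ssw0rd!" is rejected because it normalizes back to a dictionary word.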

Update passwords regularly, but do not use easy-to-decipher patterns

It is good practice to change passwords regularly, and many companies require their employees to do so at fixed intervals. However, this practice can become counterproductive and compromise security if predictable behavioural patterns are employed, such as choosing a new password that is only slightly different from the old one. Changing a single character or adding a symbol similar to a letter (such as ! replacing I) will not be enough to stop cybercrime if the password is already compromised.

NIST therefore recommends that organizations remove the mandatory periodic change requirement, which makes password security more user-friendly. As long as a password has not been compromised, there is no reason to let it expire; and if the password has already been stolen, it makes no sense to wait for the expiry date before changing it.

For more info…