There are a few key NIST password standards that companies should adhere to in order to mitigate risk:
1. End the random algorithmic complexity.
The National Institute of Standards and Technology (NIST) now recommends that everyone use longer passwords or passphrases of 15 or more characters, without requiring uppercase letters, lowercase letters or special characters. The extra length of a passphrase makes it harder to crack while also making it easier for the user to remember. Enforcing unnecessary complexity rules that require a mix of special characters, numbers and uppercase letters is a practice that can stop. It has been shown to frequently result in weak passwords, because many users simply substitute a number for a letter, and attackers know the most common substitutions people use (for example, 1 replaces i or l; 0 replaces O, and so on).
2. Remove periodic password reset requirements.
This is one of the biggest frustrations for employees who are forced to change their password multiple times per year. Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their password regularly.
3. Make screening of new passwords against lists of common or compromised passwords mandatory on a daily basis.
Password screening (also known as password filtering or monitoring) is a critical step that organizations must factor into their cybersecurity strategy. Otherwise, you run the risk of having a process in place that ensures new passwords are strong and unique but never checks whether those passwords have already been compromised. Even a strong password is weak once it has been compromised. You can't drive a car safely unless the brakes work every day, and the same goes for employee passwords. We believe that the ongoing screening of passwords against compromised lists should be mandatory.
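As an added example (not code from the original post or from Lane Technology Solutions), the following Python check applies the first and third points above to a new password: a 15-character minimum with no composition rules, plus screening against a compromised-password list. The breached list is a small constructed sample stored as SHA-1 digests, and the substitution table and all function names are assumptions for illustration.

```python
import hashlib

MIN_LENGTH = 15  # passphrase floor recommended above; no composition rules

# Constructed sample of a compromised-password list (not a real corpus).
# Breach corpora are usually distributed as SHA-1 digests, so store it that way.
_SAMPLE_BREACHED = {"password", "password123", "letmein", "correcthorsebatterystaple"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _SAMPLE_BREACHED}

# Substitutions users commonly apply to satisfy complexity rules (assumed table).
# "1" is ambiguous (i or l), so both readings are tried.
_LEET_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
_LEET_I = str.maketrans({**_LEET_BASE, "1": "i"})
_LEET_L = str.maketrans({**_LEET_BASE, "1": "l"})


def candidate_forms(password):
    """Lower-cased password plus its de-leeted readings, with and without punctuation."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(_LEET_I), lowered.translate(_LEET_L)}
    forms |= {"".join(ch for ch in f if ch.isalnum()) for f in list(forms)}
    return forms


def is_compromised(password, breached_sha1=BREACHED_SHA1):
    """True if the password, or an obvious variant of it, is on the breached list."""
    return any(hashlib.sha1(f.encode()).hexdigest() in breached_sha1
               for f in candidate_forms(password))


def evaluate_password(password, breached_sha1=BREACHED_SHA1):
    """Apply the length rule and the compromised-list screen; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if is_compromised(password, breached_sha1):
        return False, "appears on the compromised-password list"
    # Deliberately no uppercase, digit or symbol requirement.
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("Password123", "C0rrectH0rseBatteryStaple", "blue kettle marathon sunrise"):
        print(pw, "->", evaluate_password(pw))
```

The same `is_compromised` check can be rerun against a refreshed breach list on a schedule, which is the daily rescreening the third point calls for.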
By adopting these password requirements, password security will no longer be a weak link for your business. If you want to future-proof your password policy to mitigate the risk of employee account takeover, contact Lane Technology Solutions and see how they can help you reach your goal of better cybersecurity.