Latest on Password and Authentication Policies
Ensuring that user passwords don’t fall into the wrong hands can be challenging. Users often use weak passwords because of all the passwords they must deal with. It’s estimated that people now have about 100 passwords on average to remember.
The move to the cloud has put more assets online behind user passwords, which has caused online criminal groups to focus on credential theft. According to the latest IBM Security report, compromised credentials have become the biggest cause of data breaches.
It’s important to use solid password authentication policies to help combat hacked passwords. These policies are a vital part of your data and network security.
In the past couple of years, the National Institute of Standards and Technology (NIST) has issued updated password authentication guidelines to help organizations improve their password security.
Some of the recommendations you see below may seem counterintuitive, such as removing requirements to do frequent password resets. However, they are based upon user behavior and what’s been found to improve the security of user logins. Being user-friendly has a lot to do with it.
Following are some of the latest updates from NIST to incorporate into your own password policies.
Increase the Length of Passwords
One important factor in making passwords difficult to hack is how many characters in length they are. The longer they are, the more difficult it is for a hacker using an automated program to crack them.
NIST now recommends the following:
- Minimum of 8 characters in length for user-generated passwords
- Minimum of 6 characters in length for machine-generated passwords
Additionally, they recommend a maximum password length of 64 characters.
Allow the Use of Special Characters and Spaces
The use of special characters like @#$, emojis, and spaces can increase the complexity of passwords, making them harder to be guessed. It’s recommended that you allow these types of characters to be input for use in user passwords.
The allowance of spaces also makes it easier for users to create a passphrase instead of a password. This promotes longer, more secure passwords.
An additional NIST recommendation regarding characters is that you do not allow sequential characters (1234) or those that repeat (eeee).
Allow Pasting of Text
Some password programs do not allow text to be pasted into them. This makes it harder for users to use password managers, which help users keep track of all their passwords securely.
It’s recommended that you enable the pasting of text in any password fields. This will enable users to create strong passwords in a password manager and then paste them into the app when logging in.
Disable Password Hints
The NIST has completely outlawed the use of password hints. These hints that were supposed to help users, such as “What is your pet’s name?” can actually leave an account more at risk of being breached.
Users often make these hints too obvious, so it would be easy for a hacker to guess the password based on the hint. With so much personal information on social media, it’s also easier than ever to find information like someone’s birthday, pet’s name, or former high school mascot.
Do Not Require Frequent Password Changes
This is one of those NIST recommendations that seems counterintuitive. For years, organizations have been requiring employees to change their passwords regularly to promote security. But this has been shown to backfire.
Due to frequent password changes, employees often create weak passwords they can remember, or simply change just one character of their password instead of changing the whole thing.
Removing this requirement makes password security more user-friendly, and promotes users creating and keeping stronger passwords.
Reduce Complex Password Requirements
This recommendation is in keeping with the last one, to make password security more user-friendly. When you have too many complex requirements, such as using an uppercase letter, lower case letter, one symbol, and one number, it makes it harder for users and can decrease efficiency.
When implementing some of the other guidelines, like allowing spaces and emojis, along with reducing required complexity, you can promote the natural creation of stronger passwords that are easier for users to manage.
Compare New Passwords Against a Commonly Compromised List
A great way to keep weak passwords from being used in your system is to use automation to compare passwords that are being created against a list of commonly compromised passwords (like querty or password123).
The software can instantly reject any password that matches one on the list, so users are guided to create better passwords, which improves your overall data security.
Improve Your Password Authentication Systems With Help from AhelioTech
AhelioTech can help your Columbus area business with password authentication solutions that empower users and keep your company more secure.
Contact us today for a free quote. Call 614-333-0000 or reach out online.