It’s time to rethink your password

In 2003, the National Institute of Standards and Technology (NIST) authored a document on password best practices for businesses, federal agencies, and academic institutions. More recently, however, the institute has reversed its stance. Find out why and what great passwords are made of.

The problem

The issue isn’t that NIST advised people to create passwords that are easy to crack, but that it steered them toward easy-to-remember, predictable passwords built from capitalization and special-character substitutions, like “P@ssW0rd1.”

This may seem secure, but in reality such strings of characters and numbers are easily compromised by attackers running standard password-cracking tools that try exactly these substitutions, or even just by a good old-fashioned guess.

To make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people believed their passwords were already secure thanks to the special characters, most changed only a single character: a capital at the beginning, an exclamation point at the end, or the next number in a sequence, e.g. adding a 5 onto "Passw0rD!1234".

Recently, the institution admitted that this scheme causes more problems than it solves. It has reversed its stance on organizational password management requirements and now recommends dropping forced periodic password changes and doing away with complexity requirements.

The solution

Security consultant Frank Abagnale and Kevin Mitnick, Chief Hacking Officer at KnowBe4, both see a future without passwords. Both security experts advise enterprises to use multi-factor authentication (MFA) in their login policies.

MFA requires users to present two valid credentials to gain access to their data. For instance, a code texted to an employee’s smartphone serves as an added check that a stolen password alone cannot satisfy.

Even better, FrameWork already employs some other methods to help keep you secure, such as:

  • Anti-virus tools – protect you from malicious files downloaded directly or emailed to you.
  • Account monitoring tools – recognize suspicious activity and lock out intruders.
  • Intrusion Prevention Systems (IPS) – prevent malware and other threats from breaching your networks.

When it comes to security, most people's greatest weakness is a lack of education on best practices and policies. If you want to learn about other ways that FrameWork can enhance your business's security posture, or if you have any questions, give us a call at 503-342-8717!

Published with permission from TechAdvisory.org.