In 2003, a manager at the National Institute of Standards and Technology (NIST) authored a document on password best practices for businesses, federal agencies, and academic institutions. Recently, however, the institute has reversed its stance on what makes for truly secure password practices.
The issue isn’t necessarily that the NIST advised people to create passwords that are easy to crack, but that it steered people into creating lazy passwords using capitalization, special characters, and numbers that are easy to predict, like “P@ssW0rd1.”
This type of password may seem secure, but in reality, these strings of characters and numbers can easily be compromised by hackers using common algorithms.
To make matters worse, the NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, many of us became accustomed to simply adding another number or symbol to an existing password.
In this sense, the NIST's recommendations essentially convinced everyone to use passwords that are difficult for humans to remember, but surprisingly easy for hackers to crack.
Security consultant Frank Abagnale and KnowBe4 Chief Hacking Officer Kevin Mitnick both advise organizations to mandate multifactor authentication (MFA) as part of their IT security password policy.
This requires users to present two valid credentials to gain access to their data, such as entering a code that is randomly generated by an MFA app like Authy or Duo. On the whole, MFA provides an additional layer of security to protect your data and devices from hackers.
Moreover, Mitnick recommends implementing long passphrases of 25 characters or more, such as “correcthorsebatterystaple” or “iknewweretroublewhenwalkedin5623”. These are much more difficult to guess and less prone to being hacked.
Even better, use a password management application like LastPass that randomly generates strong, complex passwords for each of your user accounts.
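To make the contrast concrete, here is an added example (not code from the post or from any person or product it mentions) of a policy check that still passes “P@ssW0rd1” under the old complexity rule but rejects it once the predictable substitutions are undone, while accepting a 25-character passphrase. The word list and substitution table are constructed stand-ins for the much larger lists real checkers use.

```python
import math
import re

# Constructed stand-in for a real common-password list (assumption; real lists hold millions).
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou", "summer"}

# The character swaps that "complexity" rules push people toward, reversed for normalisation.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop the digits/symbols tacked onto the end, then undo leetspeak."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def meets_legacy_complexity(password: str) -> bool:
    """The 2003-style rule: at least 8 characters with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def naive_entropy_bits(password: str) -> float:
    """What the password 'seems' worth if every character were independent and uniform."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"\d", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return len(password) * math.log2(size) if size else 0.0


def evaluate(password: str) -> tuple[bool, str]:
    """Policy from the post: reject substituted dictionary words, require 25+ character passphrases."""
    if normalize(password) in COMMON_BASE_WORDS:
        return False, "common word with predictable substitutions"
    if len(password) < 25:
        return False, "shorter than the 25-character passphrase minimum"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssW0rd1", "correcthorsebatterystaple"):
        print(candidate, meets_legacy_complexity(candidate),
              round(naive_entropy_bits(candidate), 1), evaluate(candidate))
```

The naive estimate credits “P@ssW0rd1” with roughly 59 bits, yet the normaliser reduces it to the single word “password”, which is why complexity rules alone are a poor policy.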
Ideally, organizations should also enforce the following security practices:
- Single sign-on – allows users to securely access multiple accounts with one set of credentials
- Account monitoring tools – recognize suspicious activity and lock out hackers
When it comes to cybersecurity, ignorance is your most critical vulnerability. If you’d like to learn more about how you can protect your business, contact us today.