NIST Releases New Password Rules: What Does It Mean for You?
Editor’s note: In recognition of National Cybersecurity Awareness Month this October, we are publishing a series of blog posts dedicated to educating and informing you about cybersecurity practices. This is the seventh in a series of posts. Below, you can find a list of links to the rest of the series:
- What is a Pig Butchering Scam and How Do You Protect Yourself?
- 6 Conditional Access Policies You Should Turn on Now
- Tips for Running an Effective Cybersecurity Awareness Campaign
- What is Quishing and How Do You Protect Yourself?
- Early Warning Signs Your Employees Need to Look Out for and Report to IT
- My Dad Lost Thousands of Dollars in a Romance Scam. Here’s How They Work and How to Protect Yourself
- 7 Reasons Your Organization Needs Cybersecurity Insurance
- Why Does My Organization Need Cybersecurity Insurance and an MSP?
- Top 3 Cybersecurity Threats We Uncovered at GrrCon 2024
- Why Keeping a File with Passwords on Your Computer is a Terrible Idea
- How Do Passwords Get Hacked?
- What Happens When You Use the Phish Alert Button?
- Why Does Social Engineering Happen?
The National Institute of Standards and Technology (NIST) recently proposed new password guidelines that validate what many managed service providers have been recommending for years.
The goal is to eliminate outdated methods that, at face value, appear to improve security but lead to people using predictable and weaker password patterns.
What are the Updated Password Guidelines?
For a full list of NIST’s recommendations for online service providers, click here. Here are our key takeaways:
- Don’t make symbols, numbers and uppercase letters mandatory: Stop forcing users to create complicated passwords with arbitrary rules.
- Less frequent password changes: Don’t force password changes every 30, 60 or 90 days.
- Longer passwords: Passwords should be at least 15 characters.
“While these guidelines are meant for online service providers and not designed to tell you how to create passwords, there are some takeaways you can implement into your password habits.”
Why Does This Matter?
For the longest time, complexity has been at the root of selecting secure passwords. Forcing you to create a password with at least one lowercase letter, one uppercase letter, a number and a symbol makes it very difficult for a hacker or program to crack.
But when people are forced to abide by these rules and then forced to change that password regularly, they tend to create patterns that seem secure and unique on paper but aren’t.
How many times have you been forced to change your password only to add one number, one symbol, the month or the year at the end of your original password? Hackers know these tricks, and it doesn’t make your accounts more secure.
Instead, you should try to create longer passwords (or passphrases) that are easier to remember and satisfy the 15-character or higher recommendation. A passphrase like “GreenPhoneTurkeyDrive” is much stronger than “P@$$W0rD2024,” easier to remember and doesn’t fall into a pattern that can be easily guessed.
The point is to stop relying on complexity and start focusing on length and uniqueness.
What Should You Do Now?
While these guidelines are meant for online service providers and not designed to tell you how to create passwords, there are some takeaways you can implement into your password habits.
- Create long passwords: Avoid short, weak passwords and strive for at least 15 characters. Consider passphrases that are easier to remember.
- Stop changing passwords unless you have to: Only change your password after a data breach. As noted, changing your password regularly usually leads to weak, predictable patterns anyway.
- Use a password manager: If you’ve got too many passwords to remember, try a password manager. There are free versions of LastPass, Bitwarden, KeePass and Dashlane that can generate secure passwords for you and store them safely.
Keep Your Organization’s Data Secure
Need help improving your password security or finding the right tools for your business? Contact us here to see how we can help keep your business running smoothly while increasing productivity, security and profitability.
Did you like this blog? You can subscribe to our newsletter to receive a weekly email with our latest blog posts.