The US National Institute of Standards and Technology (NIST) has published some surprising recommendations that may have you reconsidering your password policies. Here is why a change may be in order, and what NIST now recommends that businesses do instead.

It’s time for a pop quiz. Is the following statement true or false?

It is best for companies to require employees to have long, random passwords that include mixed-case letters, numbers, and special characters.

For a long time, the prevailing view was that this statement is true, and many firms wrote composition rules into their password policies. NIST now believes that such policies hurt companies more than they help.

In an ideal world, employees follow their company’s password policy and come up with long, random passwords that include numbers, mixed-case letters, and special characters. Such passwords are strong and therefore much harder to crack. In practice, though, complex passwords are harder to create and to remember, especially when employees are also required to change them frequently. So in the real world, employees tend to create shorter passwords and lean on tricks such as letter substitution, using a zero for the letter “o” and an @ sign for the letter “a” to produce passwords like “MyP@ssw0rd”. Cracking tools already account for these substitutions, so a password like “MyP@ssw0rd” is far from strong even though it contains mixed-case letters, symbols, and numbers.

Because of these problems, NIST now recommends a different approach. It consists of allowing passphrases, dropping periodic password changes, and validating new passphrases against a blocklist.

Using Passphrases
Rather than requiring people to produce intricate passwords full of numbers, symbols, and mixed-case letters, NIST, whose guidance calls any user-chosen password or passphrase a “memorized secret”, recommends letting people use passphrases: secrets that are simple, long, and easy to remember.

Users do not have to follow any composition rules when creating memorized secrets. They can use any characters they like (including spaces), provided the secret is long enough: NIST sets a minimum of eight characters and says the system that checks the secret should accept at least 64. Longer passwords are cryptographically harder to break than shorter ones, even when the shorter ones contain special characters, according to Paul Grassi, a senior standards and technology advisor at NIST.

Passphrases without special characters are also far easier to remember. For example, “potbellied puppies run” is much more memorable than “mN8b%Rc7”, and it is also much harder to crack. On an average computer, it would take more than 10,000 centuries to break with a brute-force password-cracking tool, according to Kaspersky Lab’s password strength checker. Even the shorter passphrase “potbellied puppies” would take 11 centuries. By contrast, “mN8b%Rc7” would fall in 12 days and “MyP@ssw0rd” in 3 minutes. Those figures assume a character-by-character brute-force search; a cracker that tries combinations of common dictionary words will get through a passphrase built from everyday words more quickly, which is one more reason to keep passphrases long and unpredictable.

While a passphrase needs to be easy for its owner to remember, it must not be easy for anyone else to guess. An employee should not, for example, use relatives’ names in a passphrase, since such details can be harvested from public sources such as social networking sites.

Keep in mind how many passphrases staff members will be required to remember. Having to remember many of them is hard, and it prompts some people to write them down, which is worse. A better alternative is a password manager: employees use one master passphrase to unlock the manager and then use its random password generator to create a unique, strong password for each business account.

Get Rid Of Periodic Password Changes

Businesses commonly require staff to change their passwords periodically (e.g., every 90 days). NIST recommends dropping this requirement. Here’s why: an expiring password rarely motivates people to come up with a new strong one, according to Grassi. Instead, it prompts them to change a few characters of the old password, or to move to the next step in a password scheme they have worked out. Forced changes can also push people to reuse a password from another account so that they have one less to remember. All of these behaviors produce weak passwords.

The bottom line is that memorized secrets should not have an expiration date. A password should be changed only when there is evidence it has been compromised or when the employee asks for a change.

Validate Passphrases

When an employee chooses a new passphrase, NIST recommends that the company validate it. The new passphrase should be checked against a list of values known to be compromised, expected, or commonly used. If the passphrase is on that list, the validation system should reject it, tell the employee why, and require a different one.

Each company decides what goes on that list. For example, the list can include the following:

-Passwords known to have been exposed in data breaches (e.g., entries in the Pwned Passwords database).

-Passwords containing repeated characters (e.g., “zzzzzzzzzzzzzzzzzzzzzzzzz”).

-Passwords made up of sequential characters (e.g., “123456890987654321” or “qwertyuiop”).

-Passwords containing context-specific terms (e.g., the username, email address, or company name).
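As an added example, not code from this article or from NIST, the following Python sketch implements the checks above the way a practitioner might wire them into a registration or password-change form: a minimum length with no composition rules, rejection of repeated and sequential runs, rejection of context-specific terms, and a lookup against a breach corpus using the same k-anonymity scheme the Pwned Passwords service uses (only the first five hex characters of the SHA-1 hash are disclosed). The breach corpus, its prevalence counts, the username “jsmith”, the organisation name “Example Corp” and the simulated range response are all constructed here so that the example runs offline.

```python
"""Memorized-secret validation in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example for this article; it is neither NIST's nor the article's code.
The breach corpus, its counts and the simulated Pwned Passwords range response
are constructed inline so that everything runs offline.
"""
import hashlib
import re
import unicodedata

MIN_LEN = 8     # NIST: memorized secrets must be at least 8 characters
MAX_LEN = 128   # NIST: verifiers must accept at least 64; this example allows 128

# Constructed breach corpus: well-known leaked passwords with made-up counts.
_CONSTRUCTED_BREACHES = {"password": 4000, "123456": 9000,
                         "MyP@ssw0rd": 120, "letmein": 700}
_KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def fake_fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the same line format as the real service, "<35-hex-suffix>:<count>",
    built from the constructed corpus instead of a network request.
    """
    lines = []
    for password, count in _CONSTRUCTED_BREACHES.items():
        digest = _sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(secret, fetch_range=fake_fetch_range):
    """k-anonymity lookup: only the first 5 hex characters of the SHA-1 leave this host.

    The server answers with every suffix it knows for that prefix; the match is
    made locally, so the full hash of the candidate secret is never disclosed.
    """
    digest = _sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def has_repeated_run(secret, run=4):
    """'zzzz...' style secrets: any run of `run` identical characters."""
    return any(len(set(secret[i:i + run])) == 1 for i in range(len(secret) - run + 1))


def has_sequential_run(secret, run=4):
    """'1234', 'dcba', 'qwer', 'poiu': code-point steps of +/-1 or keyboard-row walks."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    for row in _KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def context_terms(username="", email="", extra=()):
    """Words (3+ chars) derived from the account and the organisation, e.g. 'jsmith', 'corp'."""
    words = set()
    for term in (username, email.partition("@")[0], *extra):
        for word in re.split(r"[\W_]+", term):
            if len(word) >= 3:
                words.add(word.lower())
    return words


def validate(secret, username="", email="", org_terms=(), fetch_range=fake_fetch_range):
    """Return the list of reasons to reject `secret`; an empty list means it is acceptable.

    There is deliberately no composition rule here: no required digits, symbols
    or mixed case, and spaces and non-ASCII characters are allowed.
    """
    s = unicodedata.normalize("NFKC", secret)  # NIST: normalise before comparing or hashing
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if has_repeated_run(s):
        reasons.append("contains a run of repeated characters")
    if has_sequential_run(s):
        reasons.append("contains a sequential run of characters")
    lowered = s.lower()
    for word in sorted(context_terms(username, email, org_terms)):
        if word in lowered:
            reasons.append(f"contains context-specific term '{word}'")
    hits = pwned_count(s, fetch_range)
    if hits:
        reasons.append(f"appears in the breach corpus ({hits} times)")
    return reasons


if __name__ == "__main__":
    for candidate in ("potbellied puppies run", "MyP@ssw0rd", "zzzzzzzzzzzzzzzzzzzzzzzzz",
                      "123456890987654321", "jsmith is great"):
        verdict = validate(candidate, username="jsmith", email="jsmith@example.com",
                           org_terms=("Example Corp",))
        print(f"{candidate!r:32} -> {verdict or 'accepted'}")
```

Run as a script, the example accepts “potbellied puppies run” and rejects the other four candidates, each with the reason the validator should hand back to the user. To check against the real Pwned Passwords corpus, replace `fake_fetch_range` with a function that performs the HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; nothing else changes, because the hashing and the suffix match already happen on the validating host.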

Not Sold? There Are Other Options.

NIST’s recommendations are a significant break from current password practice. If you are not sold on them, there are other ways to reduce the risk posed by weak passwords. Multi-factor authentication, for example, means that a guessed or stolen password alone is not enough to log in. We can go over all your options and help you implement the solution you feel is best for your business.