
NIST Password Standards: What You Need To Know

For any managed services provider (MSP), security is at the top of the priorities list. However, managing hundreds of passwords for a range of customers is a daunting task. To protect their customers’ data, MSPs toil laboriously to roll out security strategies, but do those strategies work?

Not only are piecemeal security strategies ineffective, but they’re also precarious. Unfortunately, ad hoc strategies leave plenty of room for errors that could potentially jeopardize the customers’ data. So how do you keep your customers’ data safe? That’s where comprehensive information security frameworks and guidelines from the National Institute of Standards and Technology (NIST) come into play.



NIST Guidelines

NIST guidelines are a set of rules engineered to help federal agencies meet compliance requirements such as HIPAA, FISMA, and SOX. Before we delve into NIST password standards, however, we’re going to quickly outline what NIST is and why its guidelines and standards are so highly regarded in the industry.

Established in 1901 as the Bureau of Standards, NIST is a non-regulatory federal agency that is part of the U.S. Department of Commerce. While NIST puts out guidelines and measures for a host of industries, it also has a long-standing history of creating information security best practices. The NIST Cybersecurity Framework (CSF) contains criteria based on research NIST collects from a diverse range of security publications and organizations.

Because NIST guidelines are so respected in the industry, federal agencies aren’t the only ones turning to them for support anymore. Many private sector organizations have adopted these comprehensive, credible, and customizable guidelines to help them remain compliant and keep their infrastructure secure. The NIST Cybersecurity Framework and NIST SP 800-63 are two of the most relevant NIST guidelines for IT professionals.

NIST Cybersecurity Framework

Also referred to as the Framework for Improving Critical Infrastructure Cybersecurity, the NIST Cybersecurity Framework is an extensive set of guidelines describing how organizations can protect themselves from cybercriminals. The CSF is a 55-page document grouped into five distinct sections: identify, protect, detect, respond, and recover. While it’s not necessarily a comprehensive framework, plenty of MSPs still refer to it when creating their customers’ internal information security frameworks, or their own.


What Are The NIST Password Standards?

NIST SP 800-63 outlines the best practices that make up the latest NIST password guidelines for the industry. Last updated in 2017, today’s NIST password requirements revise a number of the organization’s past password recommendations, earning approval from IT professionals all around the U.S. Here are some of the most important changes for MSPs:

More Is Better

The newest NIST password guidelines advise an eight-character minimum when the password is set by a human and a six-character minimum when an automated service or system generates it. The guidelines also encourage users to choose longer passwords, and verifiers should accept a maximum length of at least 64 characters. All applications are required to allow any of the printable characters in the American Standard Code for Information Interchange (ASCII), including spaces, and should also accept Unicode characters (such as emojis).

Looking for a comprehensive cybersecurity solution? Call CyberSecurity Resource today!

Take Out The Reset

For a long time, most MSPs have advised their customers to put password reset policies in place, asking employees to change their passwords at least every few months. NIST now says that this shouldn’t be the case anymore. The organization says that reset periods hurt more than they help. Since users have trouble thinking up countless creative, strong new passwords every month, they generate weaker ones. Password strength needs to prioritize quality over quantity: one fantastic password is better than ten new, so-so ones.


More Complicated Doesn’t Mean Better

Think about it: how many times have you set up a brand new account for a new application, digital news outlet, or online store, and seen this pop up: “Your password needs to have at least one lowercase letter, one uppercase letter, one symbol, and one number”? This sort of configuration was the norm for many years. However, NIST now advocates that, much like the reset recommendation discussed above, passwords that are too complicated lead to poor password behavior. Users who make and then quickly forget complicated passwords tend to relapse into bad habits: if you make up a complicated password and then forget it, you’re much more likely to replace it with one that is much weaker and easier for hackers to guess.
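The two policies side by side, as an added example that is not part of the original article: a legacy composition rule versus a length-based check following the length and character-set guidance above. The thresholds (8 characters when user-chosen, 6 when system-generated, at least 64 accepted) come from the article; the function names, the 128-character upper bound and the NFKC normalization step are my assumptions.

```python
import unicodedata

# Thresholds described in the guidance above.
MIN_LEN_USER_CHOSEN = 8
MIN_LEN_GENERATED = 6
# Assumption: an upper bound well above the 64 characters a verifier must
# accept, only to bound hashing cost. Never silently truncate instead.
MAX_LEN = 128


def legacy_policy_ok(password: str) -> bool:
    """Old-style composition rule: one lower, one upper, one digit, one symbol."""
    return (
        len(password) >= 8
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def nist_policy_ok(password: str, user_chosen: bool = True) -> bool:
    """Length-based rule: no composition requirements; spaces and Unicode allowed."""
    # Assumption: normalize (NFKC) so visually identical Unicode input is
    # measured and stored consistently.
    normalized = unicodedata.normalize("NFKC", password)
    minimum = MIN_LEN_USER_CHOSEN if user_chosen else MIN_LEN_GENERATED
    # Length is counted in characters (code points), not bytes, so a
    # single emoji counts as one character even though it is 4 UTF-8 bytes.
    if len(normalized) < minimum or len(normalized) > MAX_LEN:
        return False
    # Reject control characters (Unicode category C*) but keep every
    # printable character, including the space (category Zs).
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        return False
    return True
```

A passphrase such as "correct horse battery staple" fails the legacy rule (no uppercase, no digit) yet is far longer than "P@ssw0rd", which the legacy rule happily accepts.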

Make It User-Friendly

On many login sites, a “show password while typing” option is rare. NIST suggests changing this and letting users see their passwords as they type them. Without the option to show the password while typing, users are much more likely to choose shorter passwords so that they can enter them correctly and remember them. Shorter passwords are inherently less secure, so the weaker passwords cancel out any benefit you get from hiding the input.

In a similar vein, NIST also encourages IT professionals to eliminate settings that block users from pasting passwords. Users who can copy and paste their passwords are a lot more likely to create and store stronger, longer passwords in password managers than those who are required to type out their password every single time they log in.

Lose The Clues

Certain accounts let users view a personal hint or answer a predetermined question, such as “what’s the name of your pet?”, when they forget their credentials. However, while knowledge-based authentication can save users the hassle of formulating a new password, it can also be perilous. Personal data is used in so many places in today’s digital era that it is easier than ever for hackers to find the answers to those hints in breached systems. While these clues may save the user some time, it’s in everyone’s best interest to forgo them.

Fewer Attempts Allowed

Allowing unlimited password attempts may help users who have forgotten their passwords, but it ends up causing more problems than it solves. The latest NIST password standards suggest allowing users a maximum of 10 login attempts before turning them away: enough to give a forgetful user a hand, but not enough to make it easy for brute-force attackers.
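One way to enforce the attempt cap described above, as an added example that is neither the article’s nor NIST’s code: a per-account counter of consecutive failures that turns the eleventh attempt away, even when the credential is correct. The 10-attempt limit is from the article; the class and function names, the in-memory store and the demo credential checker are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_ATTEMPTS = 10  # cap from the guidance above; the 11th attempt is turned away


@dataclass
class AttemptTracker:
    """Consecutive failed logins per account, kept server side.

    The dict is in-memory only for this demonstration (assumption); a real
    verifier stores the counters in shared, persistent storage so they
    survive restarts and are enforced by every node, not just one.
    """
    failures: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_ATTEMPTS

    def record_failure(self, account: str) -> int:
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account]

    def record_success(self, account: str) -> None:
        # A successful login clears the counter for that account.
        self.failures.pop(account, None)


def attempt_login(tracker: AttemptTracker, account: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    """Return "ok", "denied" or "locked" for one login attempt."""
    # Once the cap is reached the request is turned away before the
    # credential is checked, so a later correct guess no longer gets in.
    if tracker.is_locked(account):
        return "locked"
    if check_password(account, password):
        tracker.record_success(account)
        return "ok"
    tracker.record_failure(account)
    return "denied"


def demo_check(account: str, password: str) -> bool:
    # Constructed stand-in for the real credential check (a hashed comparison).
    return (account, password) == ("alice", "correct horse battery staple")
```

The counter is keyed by account, so a flood of failures against one account does not lock out every other user of the system.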



Cyber Security Resources is dedicated to providing diverse cybersecurity services and products, like security assessments and consulting. Protect your business today with Cyber Security Resources!
