Reasons Why NIST Password Requirements Should Drive Your Password Strategy in 2020
Despite the doubters claiming that passwords will go the way of overhead projectors, they are still prevalent. They are still the back-up factor for most other authentication solutions and show no sign of extinction because every organization has a password-supported infrastructure in place. Fortunately, NIST has invested time and research to develop NIST password requirements that can reduce user friction and improve password policy.
It is long overdue for organizations to rethink how they approach password security policy. This includes screening to ensure their users are not selecting weak passwords, using automation to check whether a good password becomes exposed, and no longer relying on enforced password resets to mitigate the risk of a breach.
With the 2020s rapidly approaching, businesses need to accept that the archaic password expiration practice, while it may check a compliance box, can still leave them exposed. The latest NIST password requirements provide clarity on a modern approach that will address organizations’ concerns and be less onerous for employees.
So, what should organizations do when it comes to password security?
3 Key Elements of the NIST Password Requirements
Companies should adhere to a few key NIST password requirement recommendations to mitigate their risk:
1- End the random algorithmic complexity.
Enforcing unnecessary password complexity, such as requiring a mix of special characters, numbers, and uppercase letters, is a practice that can stop. It has been shown to frequently result in weak passwords, because many users simply substitute a number for a letter, and attackers know the most common substitutions (for example, 1 replaces i or l; 0 replaces O, etc.).
2- Remove periodic password reset requirements.
This is one of the biggest frustrations for employees who are forced to change their password multiple times per year. Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their password regularly.
3- Make screening of new passwords against lists of common or compromised passwords mandatory on a daily basis.
Password screening (aka password filtering or monitoring) is a critical step that organizations must factor into their cybersecurity strategy. Otherwise, you run the risk of having a process in place that ensures new passwords are strong and unique but fails to check if these passwords are already compromised. Even a strong password can be weak if it is compromised. You can’t drive a car safely unless the brakes work every day, and you shouldn’t rely on employee passwords without checking them every day either. We believe that the ongoing screening of passwords against compromised lists should be mandatory.
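The screening described above can be sketched as follows. This is an added example, not code from NIST or Enzoic; the function names, the extra look-alike pairs beyond 1 and 0, and the sample lists and logins are assumptions constructed for illustration. It catches exact matches and substituted variants, and shows a previously acceptable password being flagged once the list is refreshed.

```python
import unicodedata

# Look-alike characters folded to one representative so "passw0rd" compares
# equal to "password". The article names 1 -> i/l and 0 -> O; the remaining
# pairs are assumptions added for this example.
_FOLD = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e",
                       "4": "a", "@": "a", "5": "s", "$": "s"})


def fold(password):
    """Comparison form: Unicode-normalized, case-folded, look-alikes merged."""
    return unicodedata.normalize("NFKC", password).casefold().translate(_FOLD)


def build_index(compromised):
    """Pre-compute exact and folded sets so each check is a set lookup."""
    return set(compromised), {fold(p) for p in compromised}


def screen(password, index):
    """Classify a password as 'exact', 'variant' or 'ok' against the index."""
    exact, folded = index
    if password in exact:
        return "exact"
    if fold(password) in folded:
        return "variant"
    return "ok"


def exposed_accounts(logins, index):
    """Users whose password, as presented at login, is on the current list."""
    return sorted(u for u, pw in logins.items() if screen(pw, index) != "ok")


# Constructed sample data: yesterday's list, and today's list after a newly
# published breach corpus added one more entry.
YESTERDAY = ["password", "letmein", "qwerty123"]
TODAY = YESTERDAY + ["correct horse battery staple"]
LOGINS = {"alice": "Passw0rd", "bob": "correct horse battery staple",
          "carol": "vK9#tq-wholly-unlisted"}

if __name__ == "__main__":
    for label, entries in (("yesterday", YESTERDAY), ("today", TODAY)):
        print(label, exposed_accounts(LOGINS, build_index(entries)))
```

Folding both sides to the same canonical form over-blocks slightly (distinct strings can collide), which is the safer direction for a screening check.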
By adopting the NIST password requirements, password security will no longer be a weak link for enterprises. If you want to future-proof your password policy to mitigate the risk of employee account takeover, then check out how Enzoic can help you.