Applying NIST guidelines to improve password security

When it comes to password generation and security, many people fall into bad habits, such as basing passwords on their birthday or using the same password across different accounts. These practices can compromise the integrity of your passwords and, by extension, the security of the systems and data those passwords are meant to protect. Fortunately, the National Institute of Standards and Technology (NIST) has published a series of guidelines you can incorporate into your password practices, ensuring greater security and peace of mind.


NIST is a US government agency that develops metrics, measurements, and regulations (such as the Federal Information Processing Standards) to bolster the reliability and security of new technologies, including information technology. As such, federal agencies are mandated to follow NIST standards when handling sensitive data.

Though private organizations are not required to meet these standards, NIST’s recommendations are still a valuable rubric for evaluating the security of their own systems. Moreover, because NIST guidelines are internationally recognized, adopting them can foster trust in your organization.


The last significant update to NIST’s password guidelines was published in 2020 as part of NIST Special Publication 800-63B, and little of note has changed since. While the document itself is quite dense in its language and phrasing, its recommendations regarding passwords can be broken down into the following:


NIST’s current guidelines prioritize password length over the intricate character combinations suggested in previous NIST publications. Now, their standards require user-created passwords to be at least eight characters long, while program-generated ones (such as those from a password generator and keeper application) can be as short as six characters. The maximum length in either case is 64 characters.

All printable characters are allowed, including spaces, which permits the use of unique phrases. Additionally, NIST strongly advises against the use of sequential numbers (such as “1234”) or repeated characters (such as “aaaa”), as these are heavily used and easily predicted.


To prevent cyberattacks, companies should actively discourage commonly used, compromised, or reused passwords. Even strong, self-generated passwords can be risky if not checked against known breaches. Moreover, reusing credentials across accounts allows attackers to exploit a single breach for wider access.

Consider integrating software and tools that notify users when they create weak passwords or when weak passwords are generated for them. In addition, companies should alert employees if their chosen password appears in a data breach and urge them to create a new one.
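The checks described above (the length bounds, all printable characters allowed, rejecting sequential or repeated runs, and screening against a breach list) as an added Python example that is not part of the original article. The breach blocklist is a constructed sample of three SHA-1 digests, and the run length of four is an assumption; a real deployment would screen against a full breach corpus.

```python
import hashlib
import unicodedata

# Constructed sample blocklist: SHA-1 digests of passwords treated as
# "known breached" for this example only, not a real breach corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "qwerty123", "letmein")
}

MIN_LEN_USER = 8       # user-chosen password, per the article
MIN_LEN_GENERATED = 6  # program-generated password, per the article
MAX_LEN = 64
RUN_LEN = 4            # assumed threshold for "1234" / "aaaa" style runs


def _has_repeat(pw, n=RUN_LEN):
    """True if any single character repeats n times in a row (e.g. 'aaaa')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def _has_sequence(pw, n=RUN_LEN):
    """True if pw has n consecutive ascending or descending code points ('1234', 'dcba')."""
    for i in range(len(pw) - n + 1):
        cps = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(cps, cps[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, generated=False):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    # NFKC normalisation so visually identical Unicode input compares consistently
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    min_len = MIN_LEN_GENERATED if generated else MIN_LEN_USER
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if any(not c.isprintable() for c in pw):  # spaces are printable and allowed
        problems.append("contains non-printable characters")
    if _has_repeat(pw):
        problems.append("contains a repeated character run")
    if _has_sequence(pw):
        problems.append("contains a sequential character run")
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in the breach blocklist")
    return problems
```

The function reports every failing rule rather than stopping at the first, which is what a "notify the user why" tool needs.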


To strengthen security, your organization’s password policy should eliminate password hints and knowledge-based authentication (KBA) questions such as “favorite movie” or “pet’s name.” In either case, such information can be easily obtained through social engineering tactics or simple surveillance of an employee’s social media accounts. Instead, you should rely on password reset and recovery processes that use multifactor authentication (MFA).


As referenced above, you can strengthen your online security posture with MFA. This security solution adds a critical second layer of defense, mitigating unauthorized access even if your password is compromised. By requiring an additional verification factor, such as a temporary code sent to your mobile device or biometric verification, MFA makes it exponentially more difficult for cybercriminals to hack their way into your accounts.


Contrary to their stance prior to the 2020 publication, NIST now recommends only annual resets to maintain security rather than more frequent password changes. While the multiple-times-per-year practice seems intuitive, it can backfire because hackers can often predict the minor variations users make in frequent password updates. Instead, NIST recommends that you focus on creating strong, unique passwords and prioritize immediate changes only if a breach is suspected.


To thwart brute force attacks, NIST recommends limiting login attempts. Brute force attacks involve hackers systematically guessing password combinations, so by limiting attempts, you make it significantly harder for them to crack your password and gain unauthorized access.

Speak with one of our experts to learn more about password security and other ways you can safeguard your critical systems.