In 2003, a manager at the National Institute of Standards and Technology (NIST) authored a document on password best practices. The document was aimed at businesses, federal agencies, and academic institutions. Now retired, the author admits that his document was misguided.
Find out why and what great passwords are made of.
The problem
The issue isn’t necessarily that NIST advised people to create passwords that are easy to crack. However, it did steer people into creating lazy passwords, using capitalization, special characters, and numbers that are easy to predict. For instance, “P@ssW0rd1.”
This may seem secure, but in reality, these strings of alphanumeric characters can easily be compromised by hackers using common algorithms.
To make matters worse, NIST also recommended that people change their passwords regularly. But, it did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.
NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for computers to guess.
The solution
One cartoonist pointed out just how ridiculous NIST’s best practices were. He revealed that a password like “Tr0ub4dor&3” could be cracked in only three days while a password like “correcthorsebatterystaple” would take about 550 years.
Simply put, passwords should be longer. They also should include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.
Even better, you should enforce the following security solutions within your company:
- Multi-factor Authentication – which only grants access after you have successfully presented several pieces of evidence.
- Single Sign-On – which allows users to securely access multiple accounts with one set of credentials.
- Account Monitoring Tools – which recognize suspicious activity and lock out hackers.
When it comes to security, ignorance is the biggest threat. If you’d like to learn about what else you can do to fortify security, just give us a call.