NIST Updates Guidelines for Password Security Practices
/ 3 min read
Quick take - The article discusses the importance of password security in protecting personal data, highlighting risks from hacking techniques such as Account Takeover Attacks and the use of password combo lists, while outlining guidelines from the National Institute of Standards and Technology (NIST) for creating secure passwords and emphasizing the need for unique, complex passwords to mitigate these threats.
Fast Facts
- Internet account passwords are essential for protecting personal data but are at risk from hacking techniques like Account Takeover Attacks and password combo lists from data breaches.
- Unique passwords for different services are crucial, but they must also be complex and sufficiently long to prevent compromise.
- The National Institute of Standards and Technology (NIST) recommends a minimum password length of 8 characters, ideally 15 or more, and supports the use of all ASCII and Unicode characters for increased complexity.
- NIST advises against arbitrary complexity requirements, periodic password resets without evidence of compromise, and the use of password hints or easily guessable security questions.
- Tools from Constella Intelligence can help users manage password security by checking for compromised passwords and identifying vulnerabilities.
The Importance of Password Security
Internet account passwords are a fundamental component in protecting personal data, yet they face significant risks from various hacking techniques. One common method used by cybercriminals is Account Takeover Attacks, which enable unauthorized access to user accounts. This threat is heightened by the existence of password combo lists, which contain credentials obtained from previous data breaches, potentially exposing users’ passwords.
Best Practices for Password Creation
To counter these risks, it is crucial for individuals to use unique passwords for different services. However, even unique passwords can be compromised if they lack complexity or sufficient length. Hackers often use tactics such as permutations of exposed passwords or common password lists to successfully guess passwords.
The National Institute of Standards and Technology (NIST) has developed guidelines to enhance password security. NIST drafts password requirements and compiles them into published standards for organizations to adopt. Recent recommendations from NIST highlight several key points for creating secure passwords:
- A minimum password length of 8 characters is suggested, with a recommendation for a length of 15 characters or more.
- Passwords should be allowed to be up to 64 characters long to enhance security.
- The use of all printing ASCII characters, including the space character, is encouraged to increase password complexity.
- NIST advocates for the acceptance of Unicode characters to broaden the range of possible password combinations.
- Arbitrary complexity requirements, such as the mandatory inclusion of special characters, have been deemed unnecessary and should be eliminated.
- The practice of requiring periodic password resets should be halted unless there is clear evidence of a security compromise.
- Password hints should be discontinued, as they can benefit both users and potential hackers.
- Security questions intended for resetting forgotten passwords should be avoided, as they are often easily guessable.
- It is recommended to verify the entire password rather than just a truncated version to ensure maximum security.
Ongoing Vulnerabilities and Solutions
Despite these updated guidelines, passwords remain vulnerable to malware and hacking attempts. To assist users in managing their password security, Constella Intelligence provides tools designed to check for compromised passwords and identify vulnerabilities. As the landscape of cyber threats continues to evolve, adherence to best practices for password security is more important than ever.
Original Source: Read the Full Article Here
