Passwords – updated guidelines from NIST

  • SSS – Sales
  • Nov 8, 2018

Passwords are the control attackers most frequently compromise to gain access to your systems. CERT NZ’s quarterly report highlights credential harvesting and unauthorised access as two of the top three causes of cyber incidents.

As is often highlighted in media reports, it can take months and sometimes years for an organisation to realise that they have suffered a breach. America’s National Institute of Standards and Technology (NIST) created new password management guidelines which CERT NZ has summarised for easy reference. These guidelines include the following:

  • Don’t ask your staff to change their passwords regularly. Asking your staff to change their passwords regularly often results in them choosing weak and predictable passwords. 
  • Don’t set rules about how to compose passwords. This also results in people using predictable methods to meet password requirements and on top of that can make these passwords harder to remember. 
  • Don’t use security questions and answers as an authenticator. This sort of information is often freely available online. It is recommended to use two-factor authentication instead.
  • Don’t let your staff set common passwords such as Password! or Welcome1. Configure your systems to only accept long and strong passwords. In addition, use a password manager so that your staff only have to remember a single set of login details.
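As an added illustration (not code from NIST, CERT NZ or the original post), the sketch below shows a password acceptance check built on the guidelines above: a minimum length and a blocklist that still catches decorated variants such as Password! and Welcome1, with no composition rules. The function names, the minimum length of 12, the tiny sample blocklist and the `context` parameter are assumptions made for the example.

```python
import unicodedata

# Constructed sample blocklist; a real deployment would load a large list of
# commonly used and previously breached passwords.
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "123456"}
MIN_LENGTH = 12  # assumed policy value, not taken from the page

# Substitutions people typically use to satisfy composition rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
DECORATION = "0123456789!@#$%^&*?.-_ "


def fold(text: str) -> str:
    """Normalise Unicode and case so comparisons ignore capitalisation."""
    return unicodedata.normalize("NFKC", text).casefold()


def base_word(password: str) -> str:
    """Reduce a password to the word it was built from.

    'Password2018!' and 'P@ssw0rd123' both reduce to 'password'.
    """
    core = fold(password).strip(DECORATION)
    return core.translate(LEET)


def check_password(password: str, context: tuple = ()) -> list:
    """Return the reasons to reject `password`; an empty list means accept.

    `context` holds words tied to the user (name, pet's name, company).
    No rules about character classes are applied.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if base_word(password) in COMMON_PASSWORDS:
        reasons.append("common password")
    folded = fold(password)
    if any(fold(word) in folded for word in context if len(word) >= 3):
        reasons.append("contains personal information")
    return reasons
```

A plain lowercase passphrase passes because the only tests are length and the blocklist, while a long but predictable choice such as Password2018! is still refused.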

CERT NZ put together a useful guide on how your staff can create good passwords and why it is important. Some of their general guidelines include the following:

  • Passwords should be unique and not used for more than one account. 
  • Passwords should be long and strong – passphrases are often better than a password and can be easier to remember.
  • Never use personal information such as your pet’s name as this information is very easy to find online.
  • Passwords should be kept safe. Encourage your staff to use a password manager to store their passwords.

While there are a number of important things you can do to protect and secure your organisation’s systems, one area that often doesn’t receive as much attention is educating staff and giving them a good understanding of cybersecurity, including how to choose strong passwords. This should be an important component of your IT security initiatives.