October is Cybersecurity Month, the perfect time for businesses to reassess their security practices, especially when it comes to passwords. The National Institute of Standards and Technology (NIST) recently updated its password guidelines, and these new recommendations mark a significant shift in how we think about passwords.
Goodbye, Complex Passwords: Hello, Longer Passphrases
In the past, NIST and other cybersecurity authorities recommended passwords that mixed upper- and lower-case letters, numbers, and special characters. However, this led to complex passwords users found difficult to remember. Users reacted by adopting the unsafe “password123!” or hiding sticky notes with their passwords written on them under keyboards. NIST’s new guidelines shift the focus to longer passphrases rather than complicated combinations.
What does this mean?
- Encourage longer passwords: NIST now suggests a minimum length of 8 characters for general users and 12-16 characters for system administrators.
- Use passphrases: Instead of complex strings of characters, a long passphrase can be easier to remember and still provide strong security. For example, “OceanSunsetBreeze” can be easier to recall than “Xk9!s8zY”.
Longer passwords create a more robust barrier against brute-force attacks: each additional character multiplies the number of guesses an attacker must try, so the time needed to crack a password grows rapidly with length. This shift means your employees can focus on creating passwords they’ll actually remember without sacrificing security.
No More Mandatory Password Changes—But Stay Vigilant
Another major change in NIST’s recommendations is the reduced emphasis on frequent password changes. Previously, many organizations required employees to change their passwords every 60-90 days, which often led to weak and predictable passwords. The updated guidelines now suggest mandatory password changes are only necessary if there is evidence of a security breach or if the password is known to have been compromised.
What does this mean?
- Reduce password fatigue: Instead of forcing employees to update their passwords frequently, businesses can focus on monitoring for suspicious activity and only require password changes when necessary.
- Maintain vigilance: This does not mean passwords can be left unchanged indefinitely. Businesses should remain alert to potential threats and encourage employees to change passwords if they suspect any compromise.
By eliminating unnecessary password resets, you can reduce the frustration and inconvenience for your team while still keeping your systems secure.
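To make the two changes above concrete, here is an added example (written for this article, not code from NIST or from the post’s author) of a small password policy check in Python. It applies the length minimums quoted above (8 characters for general users, 12 as the administrator floor), deliberately has no composition rules, replaces scheduled rotation with a check against a list of known-compromised passwords, and estimates how the brute-force search space grows with length. The role names, the function names, and the tiny compromised-password list are all assumptions; a real deployment would check candidates against a large breach corpus rather than a hard-coded set.

```python
"""Added example: NIST-style password policy check (illustrative, not the
post's or NIST's own code). Assumptions: role minimums follow the numbers in
the article (8 for users, 12 as the admin floor); KNOWN_COMPROMISED is a
constructed stand-in for a real breached-password corpus."""
import math
import unicodedata

# Minimum lengths taken from the article; the admin floor is the lower bound
# of the 12-16 range it quotes.
MIN_LENGTH = {"user": 8, "admin": 12}

# Constructed sample list of compromised/common passwords (assumption).
KNOWN_COMPROMISED = {"password123!", "password", "123456", "qwerty", "letmein"}


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so the same passphrase typed on
    different keyboards/IMEs compares equal before any check is made."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, role: str = "user") -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    There are intentionally no 'must contain a digit/symbol' rules: only a
    length floor and a compromised-list check, as the updated guidance favours."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for role '{role}'")
    if pw.lower() in KNOWN_COMPROMISED:
        problems.append("appears in known-compromised password list")
    return problems


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space, in bits, for a uniformly random password:
    log2(alphabet_size ** length). Each extra character adds log2(alphabet_size)
    bits, i.e. multiplies the number of guesses by the alphabet size."""
    return length * math.log2(alphabet_size)


def change_required(password: str, evidence_of_compromise: bool) -> bool:
    """Under the updated guidance, password age alone never forces a change.
    A change is required only when there is evidence of a breach or the
    password is known to be compromised."""
    return evidence_of_compromise or normalize(password).lower() in KNOWN_COMPROMISED


if __name__ == "__main__":
    for candidate, role in [("OceanSunsetBreeze", "user"), ("Xk9!s8zY", "admin"),
                            ("password123!", "user")]:
        print(candidate, role, check_password(candidate, role) or "OK")
    # A 12-character lowercase-only passphrase out-searches an 8-character
    # password drawn from all 95 printable ASCII characters.
    print(round(keyspace_bits(12, 26), 1), "bits vs", round(keyspace_bits(8, 95), 1), "bits")
```

The comparison at the end is the point of the passphrase advice: twelve lowercase letters give a larger search space than eight characters drawn from the full printable keyboard, and they are far easier to remember. The `change_required` function shows the rotation rule reduced to its essentials: a compromised-list hit or a breach indicator triggers a reset, and the calendar does not.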
Implementing These Changes in Your Business
For small and mid-sized businesses, adjusting your password policies to align with NIST’s new recommendations can improve security while also boosting productivity. Here’s how you can put these guidelines into action:
- Educate your team: Make sure your employees understand the importance of creating long passphrases and the reasons behind the changes to password policies.
- Use a password manager: Password managers can help employees generate and store longer passwords without the need to remember each one. This can further enhance your security.
- Enable multi-factor authentication (MFA): Even with stronger passwords, MFA adds an additional layer of security, making it much harder for attackers to gain unauthorized access to your systems.
Strengthen Your Security During Cybersecurity Month
October is a great time to review your cybersecurity practices, and updating your password policies is a simple but effective way to enhance your defenses. By adopting NIST’s new recommendations, your business can reduce the risks associated with weak passwords and make life easier for your team.
As a managed services provider, we’re here to help you navigate these changes and implement best practices to keep your business safe. If you’d like to learn more about NIST’s new guidelines or discuss a comprehensive cybersecurity plan for your organization, don’t hesitate to contact us.