Businesses depend on protecting confidential information to establish a reputation of dependability in the market and build trusting relationships with their customers and clients. However, lacking training and insight about password protection can prevent firms from optimizing their cybersecurity.
The Verizon Data Breach Investigations Report revealed that compromised passwords cause 81% of breaches via hacking. Most employees and individuals curate their credentials by choosing familiar passwords using personal information, such as birthdays, pet names, phone numbers, etc. Guessable passwords enable hackers to access confidential files easily.
However, technical issues are not the only factors that lead to a compromised password. Research shows that 98% of cyberattacks in 2021 were courtesy of social engineering, the psychological manipulation carried out to extract confidential information. Moreover, new employees at a firm are more at-risk for socially engineered cyberattacks, as 60% of IT experts deem recruits to be a vulnerability in data protection.
Cyberattacks and data breaches can significantly affect a company’s operations. Often, businesses have to spend a large sum of money to recover confidential data following a breach. Other financial damages include the loss of potential income, delayed operations, and penalty charges for compromising customer data.
In addition to financial loss, firms also suffer reputational damage, resulting in the loss of sales by driving existing and new customers away. Moreover, companies with negative reputations can also become unattractive to new candidates, making it more difficult for businesses to recruit new talent.
To avoid reputational and financial loss, businesses must set advanced security measures, such as setting strong password guidelines to ensure data protection. The National Institute of Standards and Technology (NIST) has developed several password guidelines to increase cybersecurity drastically. Although NIST developed these guidelines for federal agencies, private businesses and enterprises can also use these strategies to maximize their online security.
This guide will give you a general overview of the NIST password guidelines to take your business’s security to the next level.
NIST Password Guidelines
The National Institute of Standards and Technology (NIST) created a set of guidelines to set robust passwords that are easy to use and difficult to guess. The institution carries out regular research and makes subsequent updates to ensure the password-setting criteria hold the ability to combat new and sophisticated hacking and data breaching techniques. NIST initially published the guidelines in 2017 but later updated the document in 2020.
The NIST guidelines emphasize several factors, including password quality, social behavior, authentication, implementation, storage, and updating of passwords. Let’s look at a few password security standards laid down by NIST:
Turn On the ‘Show Password’ Settings
Contrary to popular belief, NIST encourages employees to turn on the ‘show password’ setting when typing in their password. As the user’s password is entered, the likelihood of another individual copying the password is very low. However, making an error in typing the password and assuming the password is incorrect can compel the employee to move forward with the password reset process. In doing so, the individual can trigger the likelihood of potential data exposure. Therefore, removing the password hashes and turning on ‘show password’ when entering a password is beneficial to password security.
Make Use Of Password Managers
The NIST password guidelines 2020 encourage companies to leverage password managers to assist employees and stakeholders in generating robust passwords using encryption technologies. By taking this initiative, businesses can eliminate the chances of human error. Additionally, organizations that provide their teams with access to a password manager can permit the automated generation of long, strong, complex passwords and passphrases that are difficult to crack and go beyond existing complexity requirements.
Integrate Security in Password Storage Methods
The NIST standards for passwords also recommend that organizations immediately remove outdated user-generated passwords from the server. This initiative uses a zero-knowledge password protocol or zeroization. The NIST guidelines further urge organizations to use hashing or salting strategies for stored passwords. Hashing refers to how the command maps the arbitrary-length bit string to a fixed-length bit string.
Organizations implementing the hashing strategy can store password data while protecting the password database from potential hackers. Instead, the hacking attempt would provide the hackers with a list of hashes that take longer to crack and grant organizations more time to recover or take preventative measures.
On the other hand, salting refers to the technique in which a unique marker is assigned to each password. Therefore, even if two employees use the same common password, different hashes are appointed to each password.
Assign Two-Factor or Multiple-Factor Authentication
It’s possible to amplify password protection with a two-factor or multi-factor authentication (MFA) system. This approach requires the employees to enter their password and pass a security test to log into their accounts. The security test can include multiple identification approaches, biometrics, facial recognition, or email confirmation. The NIST guidelines support this authentication tactic, which can significantly increase password security. Unfortunately, the guidelines do not specify approved MFA sources.
However, NIST has debarred the use of SMS messages for two-factor authentication. The updated guidelines state that sending SMS messages is risky since the message content could be intercepted or redirected, thereby paving the way for unauthorized access. Although, if a business uses SMS messages for their two-factor authentication procedures, they must certify that the user connects their phone number to a mobile network instead of a VoIP service.
Avoid Frequent Password Changes
The 2020 NIST guidelines further urge users to avoid changing their passwords periodically. The guidelines encourage users only to change their password frequently if the credentials are compromised or for a user request. Moreover, the guidelines also highlight some password creation practices.
According to NIST, users must create passwords that they can easily remember. The password length can vary, featuring at least 64 characters. Additionally, the passwords can use any characters that facilitate memorization, such as spaces. The guidelines discourage using special characters as they can alter the commitment to memory.
How Passwords Affect Risk Management
Password complexity can directly affect the digital security of the organization. Organizations that use simplified passwords or use the same password for multiple accounts are at a high risk of data breaches, identity theft, or financial theft.
Growing businesses must set cogent passwords that protect the organization. Essentially, companies that rely on interconnected applications and software programs, like emails, cloud storage, and SaaS facilities, must take password protection seriously. Every application your employees use can risk your business’s cybersecurity, especially if the employees set common or weak passwords.
Password breaches have become relatively common in recent years. Research shows that human error causes most password breaches, including setting a weak password, frequently changing passwords, sharing credentials, and using inadequate methods for storing passwords.
Businesses must take comprehensive measures to follow the NIST password guidelines. It is vital to stay informed about the updated password recommendations and create a system to abide by these procedures. Companies can also carry out comprehensive training sessions to ensure their teams know the steps they need to take to optimize security in their operations. Moreover, companies can leverage password managers and integrate encryption techniques to certify increased security.
In addition, businesses must also take a proactive approach to identify compromised passwords and upgrade their servers to ensure their system remains guarded in case of an attack. Large-scale organizations should use an automated system.
A large majority of data breaches take place due to compromised passwords. Most individuals create weak and predictable passwords that are easy to remember. Sophisticated tools enable unauthorized individuals to access employee accounts and leak, damage, or sell confidential information.
Data breaches can cost the company financial and reputational damage. Therefore, it is pertinent for businesses to create reliable, robust passwords that are safe and difficult to crack. The NIST guidelines can assist companies in meeting this objective. Companies can stay informed on the updated recommendations and train their teams to securely create and protect their passwords. To learn more about digital identity guidelines, read the NIST password guidelines for 2022. In addition, businesses can also leverage the CyberStrong Platform to optimize their cybersecurity.
CyberStrong is a real-time risk management system that carries out comprehensive risk quantification, provides intuitive workflows and creates reports to construct cyber-attack resilience using a methodological and systematic approach. For more information on how to safeguard your large or small business, contact us.