Key Points
- Password breaches are inevitable, but there are tried-and-true ways to protect users.
- Weak passwords are a security risk for your company and your users.
- Password authentication, creation, and management are integral to each other.
- Keeping your passwords secure depends on how well they’re stored.
Passwords – can’t live with them, can’t live without them.
It’s human nature to simplify things, especially when it comes to creating yet another new password. There’s no escaping it. Given that, how can you, as a business owner, protect your users’ passwords from security breaches?
The National Institute of Standards and Technology (NIST) can help you with that.
This organization develops password guidelines to improve the security of the passwords used by federal agencies. These policies are often referred to as the “gold standard” in password protection, and while they’re followed by state and local government agencies, it’s a good idea for all businesses to follow them too.
Several new security measures were added to the NIST password guidelines in 2020, and a few older ones were updated. These updates can be found in NIST Special Publication 800-63B.
To make these guidelines easier to understand, we’ve summarized them below.
How To Create A Strong Password
Although data security has become increasingly important, a large number of accounts remain vulnerable because of weak passwords. The fact is, no matter your field or what level of data protection your company has, weak passwords can compromise your company’s data security.
According to the NIST’s guidelines, your business’s password policy should incorporate the following.
Prioritize password length over complexity
A longer password is much harder to crack than a short, complex one. For greater password security, advise users to use passphrases, raise the maximum password length to 64 characters, and encourage users to create longer passwords.
Reset passwords less frequently
Too many password changes can put your security at risk. Passwords should be changed only when a breach has occurred or is suspected.
There’s a fairly predictable pattern when it comes to creating a new password. People will typically add just one more character to their old password, producing a new one that is almost identical to the previous one. It’s much easier for someone to crack a new password if they already know the old one.
Monitoring and Managing Passwords
Your system’s authentication process plays an important role when it comes to password creation and security. It can impact how users choose their passwords, their sense of trust in your website, and their overall impression of your organization.
The NIST’s recommendations for entering and verifying passwords are listed below.
Provide the option to display passwords
With the ability to view a password, a user can easily see whether they have made a mistake and is more likely to enter a lengthy password correctly the first time. Users don’t have to enter their password multiple times before they get it right, saving them time and frustration.
Allow passwords to be copied and pasted
Users are more likely to create a longer password if it’s easy to enter. It doesn’t get any easier than copying and pasting!
All new passwords should be screened
Passwords should be checked against lists of commonly used and breached passwords. Aside from that, passwords shouldn’t be common words or common phrases, sequential series, or your company’s name or any variation of it.
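The screening rules listed above, as an added example that is not part of the original article: a Python checker that applies the 8-to-64 character bounds, a (constructed) breached-password list, a sequential/repeated-run test, and a check for the company name and leetspeak variations of it. The company name `Acme Widgets` and the breach list are hypothetical stand-ins for a real corpus.

```python
import unicodedata

# Constructed sample of a breached/common-password list. A real deployment
# would load a large corpus (e.g. a breach compilation) instead of this set.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple",
}

COMPANY_NAME = "Acme Widgets"  # hypothetical organization name

# Common leetspeak substitutions, folded back to letters before comparing.
LEET_MAP = str.maketrans("@$01345!", "asoieasi")


def _normalize(pw: str) -> str:
    """Lowercase, Unicode-normalize and undo leetspeak so 'P@ssw0rd' -> 'password'."""
    return unicodedata.normalize("NFKC", pw).lower().translate(LEET_MAP)


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending, descending or repeated chars."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def _company_tokens() -> set[str]:
    """Company name, the name without spaces, and each word of 4+ letters."""
    name = COMPANY_NAME.lower()
    tokens = {name, name.replace(" ", "")}
    tokens.update(t for t in name.split() if len(t) >= 4)
    return tokens


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a new password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < 8:                       # NIST SP 800-63B minimum
        problems.append("shorter than 8 characters")
    if len(candidate) > 64:                      # maximum the page recommends
        problems.append("longer than 64 characters")
    norm = _normalize(candidate)
    if candidate in BREACHED_PASSWORDS or norm in BREACHED_PASSWORDS:
        problems.append("appears in breached/common password list")
    if _has_sequence(candidate):
        problems.append("contains a sequential or repeated run")
    if any(tok in norm for tok in _company_tokens()):
        problems.append("contains the company name or a variation of it")
    return problems
```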
Don’t give password hints
In order to help users remember their passwords, some websites have the option to answer a question or get a hint. Unfortunately, social media and phishing schemes have made it much simpler for hackers to find the answers to these security questions.
Set a limit on password attempts
Brute-force attacks (attacks based on guessing passwords repeatedly) are often used to breach accounts. Locking an account after several unsuccessful login attempts makes these attacks far less likely to succeed.
Protect accounts with multi-factor authentication
Ideally, you should have in place multi-factor authentication (MFA) or two-factor authentication (2FA). For this approach, users are required to provide additional information beyond their password. These additional verification factors can include a security question, facial recognition, or a code sent by SMS.
The advantage of this method is that, even if a password is stolen, an attacker cannot access an account without the missing credentials.
How To Store Passwords Safely
Your password storage method is one of the most crucial components of your business’s privacy, and the way you store your passwords determines how well protected they will be. Moreover, in many cases, security attacks are not the result of poor passwords, but rather the result of inadequate or nonexistent authentication systems.
The NIST recommends these tips for storing passwords safely.
Limit access to your password management system
Not only is choosing a reliable password management system important, it’s also important to limit access to only a few trusted employees.
Encrypt passwords
Currently, the NIST recommends salting passwords with at least 32 bits of data and hashing them with a one-way key derivation function.
To further enhance security, they recommend storing the salted password separately from the hashed password. This can help prevent brute-force attacks from working, even if someone’s hacked a password.
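The storage scheme described above, as an added example that is not part of the original article: each password gets a fresh random salt (128 bits, above the 32-bit minimum) and is run through PBKDF2-HMAC-SHA256, one of the one-way key derivation functions named in SP 800-63B; the result is then keyed with a server secret that is held outside the credential database, which is the usual way the “stored separately” advice is implemented. The iteration count, record format and the `SERVER_SECRET` value are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to the hardware in use
SALT_BYTES = 16        # 128-bit per-user salt, well above the 32-bit minimum

# Hypothetical secret kept outside the credential database (an HSM, KMS or
# environment variable in practice). Constructed value for this example only.
SERVER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Per-user salt + one-way KDF, then an HMAC keyed with the separate secret."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.new(SERVER_SECRET, derived, "sha256").digest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against a stored record; False on malformed input."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = _derive(password, salt, int(iters))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)
```

A copy of the credential table alone is not enough to test guesses offline, because every stored value also depends on `SERVER_SECRET`.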