How To Implement 2022 NIST Password Updates into Your Policy – Updated for 2023
With the increasing number of cyberattacks, it is more important than ever to have up-to-date password policies in place for your business. The National Institute of Standards and Technology (NIST) has released new guidelines for passwords, and we are here to help you implement them into your existing policy. In this blog post, we will discuss the updates made by NIST and how you can apply them to your organization.
Enable Multi-Factor Authentication
One of the most important updates made by NIST is the recommendation to enable multi-factor authentication (MFA) for all users. MFA adds an extra layer of security to your login process and makes it more difficult for attackers to gain access to your systems. There are many different types of MFA, so you can choose the one that best suits your organization. Some common options include:
- Text messages/phone calls with one-time passwords
- One-time codes generated by an app
- Fingerprint scanning
Require Strong Passwords
Another important update from NIST is the recommendation to require strong passwords for all users. A strong password is one that is difficult to guess and is not easily cracked. You can enforce strong password requirements by setting a minimum length for passwords, requiring special characters, and disallowing dictionary words.
Don’t Make Mandatory Password Changes
One of the most commonly used password policies is to require users to change their passwords on a regular basis. However, NIST now recommends that this practice be discontinued, because regularly forced changes can actually lead to weaker passwords and make it more difficult for users to remember their login information.
Limit Password Attempts
Another way to help protect your systems from attackers is to limit the number of times a user can attempt to enter their password. This will prevent brute force attacks from succeeding and will lock out users who enter the wrong information too many times.
Limiting password attempts keeps your accounts secure because it keeps attackers from guessing until they get the right one. You can easily access your accounts by using a password manager so that you don’t accidentally lock yourself out by typing your password incorrectly.
Salt and Hash Your Passwords
One of the best ways to protect your passwords is to salt and hash them. This means that you add a random string of text (the salt) to each password before hashing it. This makes it more difficult for attackers to crack your passwords, as they will not know the salt used in the hashing process.
You can easily salt and hash your passwords by using a password management tool. This will protect your passwords and make it easier for you to log in to your accounts.
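As an added illustration of the two sections above (limiting attempts, and salting and hashing), not code from the original post, here is a minimal Python implementation of salted password storage with a slow key-derivation function plus a per-account failed-attempt lockout. The algorithm choice (PBKDF2-HMAC-SHA256), the iteration count and the lockout threshold of five are assumptions for the example, not values taken from the NIST guidance.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example (not NIST-mandated values).
ITERATIONS = 600_000          # PBKDF2 work factor, deliberately slow to hinder offline cracking
MAX_FAILED_ATTEMPTS = 5       # policy threshold after which the account locks


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    The salt is random per password and stored next to the hash; its job is to
    make identical passwords hash differently and defeat precomputed tables.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class Account:
    stored_hash: str
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password: str) -> str:
    """Check a password, counting failures and locking at the threshold.

    Returns 'ok', 'bad_password' or 'locked'. A locked account rejects even the
    correct password until an administrator or MFA-based reset unlocks it.
    """
    if account.locked:
        return "locked"
    if verify_password(password, account.stored_hash):
        account.failed_attempts = 0      # success resets the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "bad_password"
```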
Use Long Passwords Over Complex Ones
While it is important to use strong passwords, you don’t need to make them too complex. In fact, using long passwords that are easy to remember is a better option than using complicated ones. You can create long passwords by combining multiple words into one phrase. For example, “I love cats and dogs” could be turned into “ilovecatsanddogs”.
Make sure to use different passwords for each of your accounts and never share them with anyone. This will help keep your data safe and secure.
Remove Password Hints and Knowledge-Based Authentication (KBA)
Knowledge-based authentication, also known by its acronym KBA, is an authentication method based on a series of knowledge questions used to verify a person’s identity and prevent an unauthorized person from gaining access to an account. An example of a knowledge-based authentication question is “The name of your elementary school”. NIST password guidelines recommend removing all knowledge-based authentication questions; instead, users should confirm their identity and reset their password using MFA or 2FA.
Conclusion
The NIST updates provide a number of best practices for strengthening your password policies. Make sure to enable MFA, require strong passwords, and salt and hash your passwords. You can also use long passwords that are easy to remember. These steps will help keep your data safe and secure.
To learn more about increasing your cybersecurity, reach out to our team of IT professionals at Envision today and schedule your initial consultation.