February 20, 2020
|
Passwords protect the vast majority of a business’s sensitive information, from your CRM system to your email account. This means that without proper password requirements in place, you’re unnecessarily opening yourself up to a data breach. The Nation Institute of Standards Technology (NIST) has released new guidelines for 2020 based on the tactics used by cybercriminals. It’s important that everyone on your team understands and adheres to these current password guidelines. If your customers can create accounts on your website, it’s also necessary that you update those password requirements to protect your customer’s data. Here are the highlights from 2020’s password guidelines so you can improve the security of your business:
2020 NIST Password Guideline Updates
Special characters don’t necessarily make a strong password Requiring passwords to contain a mix of special characters, numbers, and upper case letters can backfire and result in weaker passwords. This is because people often just swap out letters for a similar looking special character or numeric symbol, which hackers have come to expect. It’s better to allow for the creation of longer passphrases (15-64 characters) to increase security. We recommend using a passphrase because it’s both long and highly unique to the person who creates it, making it harder to crack yet more memorable for the user.
Screen your passwords NIST now recommends screening your passwords against lists of commonly used or compromised passwords. You can find a variety of password dictionaries online, but make sure before you screen your password that the selected site is secure (always look for HTTPS in the domain) and doesn’t store your information. We recommend verifying the website through a third party review to ensure it’s trustworthy.
Don’t require employees to reset passwords more than necessary Requiring employees to frequently change their passwords can actually weaken password security. Multiple studies have shown that when people are required to regularly reset passwords, they tend to create weaker, more commonly used passwords. They also tend to record their passwords in highly vulnerable places such as on a sticky note at their desk or through their internet browser. (Read our blog post on why allowing your internet browser to remember your passwords is not such a good idea.) Instead, encourage the use of a unique passphrase for each account (see guideline below) and only require a new password once a year.
Don’t reuse passwords across accounts It’s never wise to put all your eggs in one basket or to secure all your accounts with one password. If that one password is cracked, it compromises not just one but all your accounts and all your personal data. Take the time to create long, unique passphrases and then store them in a secure password manager so if you do forget, you can easily remind yourself without putting your data at risk. See more on password managers below.
Additional Password Security Tips
Use a password manager Remembering passwords for all your accounts can be a nightmare if you don’t have a system in place. There’s nothing more frustrating than being locked out of an account or having to change a password for the umpteenth time. This is completely avoidable without resorting to insecure practices, like storing them in the notes on your smartphone or using your internet browser. Password managers provide a secure and highly organized way to store login info for all your accounts and share login info with team members. You can also access your password manager from any device and use it to generate random passwords which are the toughest to crack. We like Passportal for its smooth user interface and security. (Your account information is not only encrypted, Passportal can’t even decrypt the data you store with their service.) It also allows for your IT Managed Service Provider to have secure access to your accounts.
Use 2FA across accounts Two-factor authentication or 2FA adds an extra layer of security beyond a strong password. With 2FA, if your password is cracked the hacker still needs an additional piece of identifying information to gain access to your account. Learn more about the benefits of 2FA and how it works here.
Related posts:
How to Train Your Entire Team in Cybersecurity Are You Doing All You Can to Protect Your Customer Data? Why You Should No Longer Use Internet Explorer as Your Default Browser
Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and sharpen your technical skills, from cybersecurity to digital marketing.
Want IT to serve you better?
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––– About Pagoda Technologies IT services Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation. |
Return to Pagoda Blog Main Page |