by Tori Mittens

Saepio Solutions Architect


Saepio Insights – Latest NIST password best practices

Tori Mittens, Saepio Solutions Architect, outlines the latest updates to NIST guidelines on password best practices.

Rather than have you read the 35,000-word document, I thought you’d appreciate our summary of the latest NIST password best practice guidance. It’s arguably overdue given the NCSC updated its password guidance in late 2018; however, there are some valuable takeaways to share.

User credentials are often considered the crown jewels for attackers. Passwords remain the most common form of authentication, and we depend on organisations like NIST, NCSC, ENISA and ISO for guidance on safeguarding against credential compromise. NIST’s updated password guidelines eliminate outdated practices, making passwords stronger and easier to manage. This reduces user fatigue and ultimately lowers the risk of compromise.

So, what are the changes?

  • Time to ditch the resets!: Regularly changing passwords can weaken security by encouraging simpler, more guessable passwords. NIST recommends resetting passwords only if there is evidence of a security breach.
  • Fewer rules, more length: Organisations are not required to implement rules that mandate a combination of character types, as long as the passwords are sufficiently long and random. NIST recommends a minimum length of 15 characters, which can be met by using a sequence of words.
  • Security questions are cancelled!: Knowledge-based authentication methods should no longer be used, as they are often insecure and the answers are easy to obtain through social engineering. NIST recommends using MFA to reduce the risk of unauthorised access.
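To make the three changes concrete, here is an added example (not from NIST or Saepio) of what a policy check looks like once composition rules and age-based resets are removed: a minimum of 15 characters, a blocklist of common or compromised passwords, resets driven only by compromise evidence, and a reuse check of the kind a password manager would run. The blocklist, vault entries and sample passwords are constructed for illustration.

```python
"""Password policy checks reflecting the NIST points summarised above.

Added example; the blocklist and vault entries below are constructed.
"""
import unicodedata
from collections import defaultdict

MIN_LENGTH = 15  # the minimum length the post says NIST recommends

# Constructed stand-in for a feed of common or breached passwords.
BLOCKLIST = {"password123456789", "summer2024!!!!!!", "letmeinletmeinletmein"}


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical passwords compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the policy problems with a candidate (empty list means accepted).

    Deliberately no composition rules: length and absence from the blocklist
    are the only requirements, so a multi-word passphrase with spaces passes.
    """
    pw = normalise(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in blocklist:
        problems.append("found in common/compromised password blocklist")
    return problems


def reset_required(days_since_change: int, compromise_evidence: bool) -> bool:
    """Force a reset only on evidence of compromise; age is ignored on purpose."""
    del days_since_change  # kept in the signature to make the point explicit
    return compromise_evidence


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group vault accounts that share a password (what a manager would flag)."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[normalise(password)].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    print(check_password("correct horse battery staple"))  # []
    print(check_password("Summer2024!!!!!!"))  # rejected despite mixed character classes
    print(reset_required(days_since_change=400, compromise_evidence=False))  # False
```

Note that the blocklisted example passes a traditional complexity rule (upper case, digits, symbols) yet is still rejected, which is exactly the trade NIST is making: length and known-bad screening over character-class mandates.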

The change in requirements will benefit both organisations and users, although countermeasures are still required to ensure the crown jewels are protected. IT and security teams must ensure that the people, policies, and technologies within their organisation are strengthening their efforts to achieve robust identity security.

Figuring out how to approach password management can be challenging, but these key questions can help you determine where to begin.

  1. Are your users aware of how to create secure passwords and report breaches?
  2. How are your users storing their passwords?
  3. How will you know if user credentials have been compromised?
  4. How are you monitoring if your users are using weak or repeated passwords?

As a minimum, IT and security teams should be thinking about the following security solutions to assist with the key questions above:

  1. User Education: Employees are your first line of defence, so it’s important for them to understand the effects bad password hygiene can have on the wider company. Regular and targeted security awareness training can reduce the risk of user compromise, data breaches and other malicious activities.
  2. Password Managers: Give employees a safe place to store and access their passwords. Password Managers also allow IT and security teams to monitor for weak or reused passwords and compromised websites.
  3. Identity Threat Detection and Response (ITDR): Leverages AI to establish a baseline for typical user behaviour to identify anomalies, stop lateral movement and dynamically enforce MFA. This approach enables you to identify, reduce and respond to identity-based attacks.

If you would like to learn more about how to align your organisation with best practices, feel free to reach out to a member of our team.