Password Guidelines for Modern Cybersecurity

All too often these days, we hear about internet fraud and security breaches. High-profile cyberattacks have been a hot news topic in recent years. As a result, the National Institute of Standards and Technology (NIST) released its first Cybersecurity Framework in 2014. Now in its 5^th year anniversary and recently updated, the framework outlines recommendations for organizations to improve their cybersecurity measures. We’ll cover some key takeaways from the NIST guidelines that you can put in place today, including some common practices to ‘let go of’ and resources for creating secure passwords and a safer workplace.

Outdated Rules to Let Go Of

Forced Password Updates
Years ago, the prevailing idea said the more often you change passwords, the less likely you are to get hacked. Recent studies have shown that password change policies do not ward off attacks. Why? Forcing people to change too frequently results in weaker, easier-to-remember passwords, or passwords scrawled on sticky notes in plain sight. With an easy in, a hacker can track your actions, gaining more and more information about you until you change the password. By then, they may have learned enough about you to predict your next password.

The NIST password guidelines recommend eliminating forced, periodic password changes. For email or bank accounts that would leave you extremely vulnerable if hacked, it probably makes sense to update passwords often. But changing all your passwords every 3 months is counterproductive. Follow best practices for creating passwords. Then change them when necessary, such as if there is a breach, if you suspect phishing, or if you need to reset a forgotten password.

Company-Specific Password Creation Rules
In the past, many companies implemented certain composition rules for creating passwords. This was another practice that ended up creating more risk, not less. Employees created easier-to-remember passwords and memorized hints to adhere to company-specific rules. Password hints for employees inevitably become password hints for hackers. The NIST password guidelines recommend that companies no longer enforce password composition rules.

7 Rules for Secure Passwords 

A cyberattack isn’t inevitable. You can limit your exposure with such simple measures as choosing better passwords. Here are 7 best practices:

1. Get away from the ‘norm’.  With the intent of better security, most websites now require passwords with certain combinations of uppercase and lowercase letters, numbers and special characters. The problem is that hackers study the predictable patterns. For example, if you’re required to include a number in your password, where are you likely to put it? At the beginning or end, of course. The most likely numbers to use? Obviously 0 or 1. The norm for symbols? One of these – !, #, $, %, or & – predictably tucked in after the number. A password that doesn’t follow the norms is not as vulnerable to hackers’ programs and algorithms.
2. When creating a password, the longer the better. Passwords with at least 12-14 characters are much harder to crack. But don’t forget to stay away from what is ‘common’. When coming up with a longer password, many make the mistake of choosing a common phrase or string of words that makes sense to them. This will still be easy to hack.
3. Never ever use the automatic login feature. Many websites offer to keep you signed in by storing your password and automatically logging you in each time you visit. This feature makes it that much more likely that your password will get hacked. Don’t trade convenience for security.
4. Avoid using your email for your username. Taking steps to protect passwords is vital, but usernames are also important. Linking an email address to your accounts makes you more vulnerable to attacks. Hackers can trace an email address to social media sites, bank accounts and other accounts to learn how to target you personally.
5. Use a different password for every site. You’ve heard it before, because it’s true. Resist the temptation to re-use the same password over multiple sites. That way, even if one site is hacked and your password is exposed, you haven’t put all of your accounts at risk.
6. Use multi-factor authentication at every opportunity. Programs such as Office 365 and Google offer multi-factor authentication to help protect accounts. This is a great feature, so make sure to use it any time it is available. It usually involves an extra step of a text or email with a verification code. The user then enters that code after entering their password. Even if someone got access to your password, they would be unable to complete the authentication process and access your account.
7. Educate your employees. Phishing involves targeting specific individuals with advanced methods. It has become one of the most effective and damaging ways for hackers to access an organization’s data. An employee can click on a seemingly legitimate link, and within seconds, unknowingly release the company’s entire database to a hacker. Make sure your employees are properly trained in basics such as never click on a link in an email to change your password, and always use multi-factor authentication.

Hire a Bodyguard: Get a Password Manager

Why do so many people fail to follow best practices for passwords? They try to rely on their memories for passwords, or use antiquated ways of keeping track of them. Password manager applications safely store passwords for easy access across multiple devices. They also help generate much more secure passwords than the ones employees come up with on their own.

One of the smartest cybersecurity moves you can make is getting a password manager. Zoho Vault, LastPass, KeePass and 1Password are popular options to consider.

Wrapping Up

Even as cyberthreats continue to evolve, you can protect your business from attacks. Three actions you can take immediately are:

• Start with simple education for your employees. (Never click on a link in an email to change your password, and always use multi-factor authentication.)
• Stop requiring password changes and composition rules and start encouraging unique passwords.
• Purchase and implement a Password Manager.

Once you’ve tackled password guidelines for your company, its time to quantify your risk and make a plan.

More Resources:

What a Business Should Do After a Data Breach

Who is Responsible for Law Firm Security Breaches?

Data Breach vs. Cyber Liability Insurance: Is there a Difference?

Cyber Liability Self-Assessment