How to create a secure password policy
In today’s digital age, password security has become more important than ever. With the increasing number of data breaches and cyber attacks, it’s essential to have a strong and secure password policy in place to protect your organization’s sensitive information.
The National Institute of Standards and Technology (NIST) has recently updated its guidance on password management, dispelling some common myths and providing new recommendations for creating a secure password policy. In this article, we’ll explore the latest NIST guidance and provide practical tips for creating a secure password policy that works for your organization.
Myth #1: Passwords need to be changed frequently
One of the most significant changes in the latest NIST guidance is the recommendation to eliminate password expiration policies that require users to change their passwords every 60 or 90 days. This approach was initially introduced to prevent unauthorized access to accounts, but it has been found to be counterproductive.
Forcing users to change their passwords frequently can lead to weaker passwords, as users may resort to using easily guessable patterns or repetitive combinations to remember their passwords. Moreover, frequent password changes can lead to user frustration and decreased productivity.
Instead, NIST recommends that passwords only be changed when there is a legitimate reason to do so, such as when a user suspects that their password has been compromised or when a security breach occurs.
Myth #2: Complexity is king
Another common myth is that a password must be complex, mixing letters, numbers, and special symbols, to be secure. However, research has shown that mandatory complexity rules can actually make passwords weaker in practice.
NIST now recommends simple, easy-to-remember passwords that are at least 12 characters long. The reasoning is that longer passwords are more resistant to brute-force attacks, in which an attacker tries to guess a password by working through every possible combination of characters; each additional character multiplies the number of combinations that must be tried.
In fact, NIST suggests that using three random words is a better approach than using a complex password. This method, known as the “three-word method,” involves selecting three random words and combining them into a single password. For example, “p@ssw0rd” could become “sunflower coffee cake.”
Tips for creating a secure password policy
Now that we’ve dispelled some common myths about passwords, let’s look at some practical tips for creating a secure password policy:
- Use a password manager: A password manager is a software program that securely stores and manages all of your passwords. By using a password manager, you only need to remember one master password, which can be strong and unique. This approach helps to alleviate the burden of remembering multiple passwords and reduces the risk of weak or duplicate passwords.
- Use multi-factor authentication: Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide additional verification beyond their password. MFA can include biometric data, such as a fingerprint or facial recognition, or a one-time code sent to a mobile device.
- Implement account lockout policies: To blunt brute-force attacks, implement account lockout policies that temporarily lock an account after a specified number of failed login attempts. This stops an attacker from repeatedly trying different passwords against the same account.
- Use password filtering: Password filtering checks a password, at the time it is chosen, against a list of known weak or compromised passwords and rejects any match. By using password filtering, you can ensure that your users are not using easily guessable or already-breached passwords.
- Train your users: Finally, train your users on good password hygiene practices, such as avoiding common patterns, using unique passwords for each account, and not sharing their passwords with anyone. Provide clear guidance on your organization’s password policy and encourage users to take ownership of their password security.
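To make the policy items above concrete, here is an added example (not code from the article or from NIST) of a minimal policy checker: it enforces the length minimum instead of character-class rules, filters passwords against a blocklist, and applies a temporary lockout after repeated failures. The blocklist entries and the lockout threshold and duration are assumed sample values.

```python
# Added example (not from the article or NIST): a minimal policy checker built
# around the rules above: length over complexity, blocklist filtering, and a
# temporary lockout after repeated failures. Thresholds below are assumed values.
import re
from typing import Dict, List

MIN_LENGTH = 12        # the article's recommended minimum length
MAX_FAILURES = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 900  # assumed 15-minute temporary lockout

# Constructed sample blocklist; in production load a real list of known weak
# or breached passwords, normalized the same way as _normalize() below.
BLOCKLIST = {"password", "p@ssw0rd", "qwertyuiop12", "letmein12345"}

def _normalize(pw: str) -> str:
    # Case-insensitive, whitespace-stripped comparison so "Pass Word" hits "password".
    return re.sub(r"\s+", "", pw).lower()

def check_password(pw: str, blocklist=BLOCKLIST) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    No character-class rules are imposed, matching the article's advice."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalize(pw) in blocklist:
        problems.append("on the blocklist of weak or breached passwords")
    if len(set(pw)) <= 2 or re.fullmatch(r"(.+?)\1{2,}", pw):
        problems.append("a repeated character or short pattern")
    return problems

class LockoutTracker:
    """Lock an account for LOCKOUT_SECONDS after MAX_FAILURES consecutive failures."""
    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)
    def record_failure(self, user: str, now: float) -> bool:
        """Count one failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0  # counter restarts once the lockout expires
            return True
        return False
    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)  # a successful login resets the counter
```

Passing the clock in as `now` keeps the lockout logic testable; a real deployment would also log each lockout so the helpdesk can distinguish a forgotten password from an attack.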
Conclusion
Creating a secure password policy doesn’t have to be complicated. By following the latest NIST guidance and implementing practical measures such as password managers, multi-factor authentication, account lockout policies, password filtering, and user training, you can protect your organization’s sensitive information from cyber threats. Remember, passwords don’t need to be changed frequently, and simplicity is often better than complexity when it comes to creating a secure password.