5 Password Protection Fallacies

By Allied Solutions,
October 07, 2020
Cybersecurity Awareness Month Series [PART 1]: Adopt the latest password guidelines to enhance security.

View Part 2 here: Data Compliance in a Digital Era

View Part 3 here: What is 'Privacy by Design' and Why Does it Matter?

View Part 4 here: 3 Tips to Build Consumer Trust on Data Security


The National Institute of Standards and Technology (NIST) has recently updated its guidance on certain password requirements that were previously thought to improve security.[1] The new recommendations aim to reduce the vulnerabilities that result from enforcing those requirements.

According to NIST, the following security protections are no longer considered necessary when establishing your employees’ or accountholders’ password requirements:

 

Password Protection Fallacy #1: Require Special Characters in Passwords

NIST now suggests companies eliminate special character requirements, stating the following regarding the adverse effect these rules can have: “Users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”

NIST also now recommends allowing any character in passwords, rather than prohibiting certain ones (e.g. spaces and dashes).

 

Password Protection Fallacy #2: Don’t Allow the Copying and Pasting of Passwords

According to the new guidelines, there is negligible risk in allowing pasting of characters into password login fields.

 

Password Protection Fallacy #3: Require that Passwords be Changed on a Regular Basis

According to NIST: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future… They often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”


Download our White Paper: “Risk Checklist: Password Security for Account Holders” to learn about other password protection best practices to enforce for your employees and accountholders.


 

Password Protection Fallacy #4: Put a Cap on the Number of Characters

NIST recommends that password fields now allow for at least 64 additional characters on top of the required eight, so that more users might adopt longer, more complex passphrases, which can add an additional layer of security.
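
The composition rules from Fallacy #1 and the length allowance from Fallacy #4, compared side by side in an added example (not code from NIST or Allied Solutions). The `legacy_policy` rules and the 16-character cap are constructed for illustration, and `MAX_LENGTH` is an assumed cap derived from the figures in this article.

```python
import re
import unicodedata

MIN_LENGTH = 8                  # "the required eight" from the article
MAX_LENGTH = MIN_LENGTH + 64    # the article's 64 additional characters (assumed cap)


def legacy_policy(password: str) -> list:
    """Composition-rule policy of the kind the article calls a fallacy (constructed)."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    if re.search(r"[\s-]", password):
        problems.append("spaces and dashes are not allowed")
    return problems


def length_policy(password: str) -> list:
    """Length-only policy: any character is allowed, no composition rules."""
    # Normalize first so the same passphrase entered from different keyboards
    # compares equal, then count Unicode code points rather than bytes.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems


def compare(candidates):
    """Return {password: (accepted_by_legacy, accepted_by_length_only)}."""
    return {p: (not legacy_policy(p), not length_policy(p)) for p in candidates}


if __name__ == "__main__":
    # Constructed samples; the first three are the ones quoted under Fallacy #1.
    samples = ["password", "Password1", "Password1!",
               "correct horse battery staple", "mañana-será-otro-día"]
    for pw, (legacy_ok, length_ok) in compare(samples).items():
        print(f"{pw!r:34} legacy={legacy_ok!s:5} length-only={length_ok}")
```

The legacy rules accept the predictable `Password1!` while rejecting both passphrases. A length-only check still accepts `password` itself, which is why NIST SP 800-63B pairs it with a comparison against lists of commonly used and compromised passwords.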

 

Password Protection Fallacy #5: Substitute Passwords with Password-less Options

Even though password-less security features like biometric logins (e.g. face or thumbprint recognition) exist for many apps and devices, it is smart to still require passwords as an added layer of security. 

It is important to adopt the latest password and data protection recommendations to reduce fraud and security risks to your organization, employees, and consumers. Visit the “Allied Trust Center” to learn more about what we are doing to protect our clients, vendors, and employees.


[1] NIST Special Publication 800-63B
