Cybersecurity Awareness Month Series [PART 1]: 5 Password Protection Fallacies
View Part 2 here: Data Compliance in a Digital Era
View Part 3 here: What is 'Privacy by Design' and Why Does it Matter?
View Part 4 here: 3 Tips to Build Consumer Trust on Data Security
The National Institute of Standards and Technology (NIST) has recently updated its password guidelines, dropping several requirements that were previously thought to improve security.[1] The new recommendations aim to reduce the vulnerabilities that result from enforcing those requirements.
According to NIST, the following security protections are no longer considered necessary when establishing your employees’ or accountholders’ password requirements:
Password Protection Fallacy #1: Require Special Characters in Passwords
NIST now suggests companies eliminate special character requirements, stating the following regarding the adverse effect these rules can have: “Users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”
NIST also now recommends allowing any character to be used in a password, rather than prohibiting certain ones (e.g. spaces and dashes).
Password Protection Fallacy #2: Don’t Allow the Copying and Pasting of Passwords
According to the new guidelines, there is negligible risk in allowing users to paste text into password login fields.
Password Protection Fallacy #3: Require that Passwords be Changed on a Regular Basis
According to NIST: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future… They often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”
Password Protection Fallacy #4: Put a Cap on the Number of Characters
NIST recommends that password fields now allow for at least 64 additional characters on top of the required eight, so that more users can adopt longer, more complex passphrases, which add a further layer of security.
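As an added illustration (not code from this post or from NIST), the Python below contrasts the composition-rule policy described under Fallacy #1 with a length-only policy in the spirit of Fallacies #1 and #4, and adds the "trivial transformation" check that the NIST quote under Fallacy #3 motivates. The 64-character ceiling and the NFKC normalization step are assumptions; any limit of at least 64 satisfies the guidance.

```python
import re
import unicodedata

MIN_LEN = 8   # minimum length stated in the post
MAX_LEN = 64  # assumed ceiling; NIST asks verifiers to accept at least 64 characters


def legacy_policy_ok(pw: str) -> bool:
    """The composition-rule policy the post argues against (constructed for contrast):
    8-16 characters, at least one uppercase letter, digit and symbol, no spaces or dashes."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None
            and not any(ch in " -" for ch in pw))


def nist_policy_ok(pw: str) -> bool:
    """Length-only check: any printable character (spaces and dashes included) is allowed."""
    pw = unicodedata.normalize("NFKC", pw)  # assumed: normalize so length is counted consistently
    return MIN_LEN <= len(pw) <= MAX_LEN and all(ch.isprintable() for ch in pw)


def _core(pw: str) -> str:
    """Lowercase the secret and strip the trailing digits/symbols users typically bump or append."""
    return re.sub(r"[^a-z]+$", "", pw.strip().lower())


def is_trivial_transform(old: str, new: str) -> bool:
    """True when `new` is one of the common transformations of `old` quoted in the post:
    a case change, an incremented trailing number, or an appended digit/symbol."""
    if old.strip().lower() == new.strip().lower():
        return True
    old_core, new_core = _core(old), _core(new)
    return bool(old_core) and old_core == new_core


def check_new_password(new: str, old: str = "") -> list:
    """Return the reasons a candidate is rejected under the length-only rules; empty means accepted."""
    reasons = []
    if not nist_policy_ok(new):
        reasons.append(f"length must be {MIN_LEN}-{MAX_LEN} printable characters")
    if old and is_trivial_transform(old, new):
        reasons.append("too similar to the previous password")
    return reasons
```

Note that the legacy policy accepts "Password1!" while rejecting a spaced passphrase, and the length-only policy does the reverse.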
Password Protection Fallacy #5: Substitute Passwords with Password-less Options
Even though password-less login features such as biometrics (e.g. face or thumbprint recognition) exist for many apps and devices, it is smart to still require passwords as an additional layer of security.
It is important to adopt the latest password and data protection recommendations to reduce fraud and security risks to your organization, employees, and consumers. Visit the “Allied Trust Center” to learn more about what we are doing to protect our clients, vendors, and employees.