In a digital landscape filled with potential threats, your online security hinges on the strength of your passwords. October is Cybersecurity Awareness Month, making it the perfect time to revisit your password practices and bolster your digital defences. The National Institute of Standards and Technology (NIST), a renowned authority in cybersecurity, offers a comprehensive framework for password security that is pivotal for safeguarding both organisational data and your personal online presence.
The Significance of Strong Passwords
Before we delve into the specifics of NIST’s guidelines, let’s underline the crucial role strong passwords play in the realm of cybersecurity. Passwords are your initial line of defence against unauthorised access to your accounts, personal information, and sensitive data. Weak passwords are like open doors inviting cybercriminals in, while strong passwords act as the locks that keep them out.
NIST’s Password Guidelines for Consumers
NIST’s Special Publication 800-63B, known as the “Digital Identity Guidelines,” furnishes a robust set of recommendations for creating and maintaining secure passwords. Here’s how you can implement these guidelines to fortify your personal online security:
1. Passphrases Over Passwords
NIST emphasises the use of passphrases over conventional passwords. Passphrases, composed of multiple words or a sentence, are longer and easier to remember. For instance, “CoffeeLover$MakeGreatMornings!” is a strong passphrase that is not only secure but also user-friendly.
2. Longer is Better
NIST suggests a minimum password length of 12 characters. Longer passwords offer enhanced security, as they present a more formidable challenge to attackers attempting to crack them. To boost complexity, incorporate a mix of uppercase and lowercase letters, numbers, and special characters. The concept a passphrase comes into its own when combined with this suggestion. Using your favourite sentence from a book can be a great start to a strong password.
3. Avoid Common Words and Patterns
Steer clear of easily guessable passwords. NIST recommends avoiding common words, phrases, and patterns like “123456,” “password,” or “qwerty,” as they are susceptible to dictionary attacks.
This advice from NIST also applies to things like your company name, birthday, names of family members etc.
4. Regular Password Updates
NIST no longer endorses frequent password changes, which can lead to weaker passwords due to predictable patterns (e.g., “password1,” “password2,” and so on). Instead, change your password only when there is a known compromise or if you suspect unauthorised access.
While I admit, this is the most contentious piece of advice in this article, I stand by it. If you have a sufficiently long and complex password, there is no requirement to change the password. Password strength checkers estimate the above password “CoffeeLover$MakeGreatMornings!” would take 13 centuries to crack. A string of 19 random characters with a mix of lower case, upper case, numbers and symbols would take 2 thousand trillion years.
Microsoft Edge, Google Chrome, and Mozilla Firefox all have functionality built into their password managers to alert you to compromised passwords, as do the major password managers on the market.
5. Embrace Multi-Factor Authentication (MFA)
Implementing MFA is strongly encouraged. It adds an additional layer of security by requiring something you know (your password) and something you have (e.g., a mobile app or a hardware token) to access your accounts. Most major services will offer some form of MFA for accounts. And if they don’t, you should strongly consider whether you need to use the service and what kind of data of yours they are storing.
Why is NIST guidance relevant to me?
NIST’s password security guidelines hold crucial significance, not only for organisations, but also for individual consumers, for several compelling reasons:
1. Expertise and Credibility
NIST is a highly respected and authoritative institution in the realm of technology and cybersecurity. Their recommendations are developed by experts who continuously analyse and adapt to the ever-evolving threat landscape.
2. Real-World Testing
NIST’s guidelines are grounded in real-world security testing and research, stemming from a profound understanding of how cyberattacks occur and how to effectively counter them.
3. Ongoing Updates
NIST’s willingness to adapt its guidelines to changing circumstances ensures that their recommendations remain pertinent and effective in the face of emerging threats.
4. Wide Applicability
NIST guidelines aren’t just reserved for government agencies; they are widely used by organisations and individuals around the world. This broad acceptance underscores their practicality and effectiveness.
5. Personal Cyber Resilience
By adhering to NIST’s recommendations, you can significantly bolster your personal cybersecurity stance and enhance your resilience against emerging threats. NIST’s focus on secure, user-friendly practices, such as using passphrases and implementing MFA, positions it as a valuable benchmark for achieving cyber resilience as a consumer.
In conclusion, NIST’s recommendations for password security provide a robust framework to strengthen your personal defences against the ever-evolving digital threat landscape. By adopting the latest guidance outlined in the Special Publication 800-63B, you can fortify your digital identity and maintain cyber resilience. Remember, your password is your first line of defence and NIST’s guidelines set the standard for building a secure fortress in the digital age.
If you are concerned about creating complex passwords you can remember even with the above advice, you may want to look into passwords managers. They all come with various security features and at different price points, but you are guaranteed to find one that meets your needs.