Aligning Your Password Policy Enforcement with NIST Guidelines

The National Institute of Standards and Technology (NIST) is an organization tasked with establishing cybersecurity standards and practices for the federal government and the private sector. 

NIST's guidelines form the basis of many regulatory standards around the world. Most organizations are not legally required to follow NIST cybersecurity guidance, but doing so is recommended, and this is especially true for password protection and password policy.

Dangers of Regular Password Updates

Many organizations adopt NIST guidelines but, once their practices are in place, never check whether NIST has updated them. NIST revises its policies and recommendations frequently, so it is crucial to keep an eye on them.

For years it was common practice to require users to change their passwords on a schedule. That is no longer the recommended approach to password protection: forced rotation usually leads users to choose weaker passwords, which are easier for attackers to crack.

A related problem is that, over time, organizations have required employees to choose increasingly complex passwords. In theory this better protects accounts; in practice it creates other problems.

When users must change complex passwords regularly, they have difficulty remembering them and resort to habits that make their passwords less secure, such as writing them down.

The Ease of Cracking Passwords

A study conducted by the University of North Carolina at Chapel Hill confirmed that changing your password frequently does not consistently make your password harder to guess. 

The researchers took 10,000 former student and staff accounts and, for each account, were given four of the passwords previously used on it. They then tried to guess the account's newest password by applying common transformations to the old ones.

The researchers cracked the new password 17% of the time. This study shows that mandatory password rotation can actually weaken security.

Accordingly, NIST has updated its guidelines and no longer recommends scheduled password changes. Instead, it recommends that organizations screen passwords against a list of known-compromised passwords. If a password does not appear on such a list, there is no reason to change it.
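The following is an added example, written for this article and not code from NIST, GSec LLC, or the cited sources. It shows what screening against a compromised-password list can look like in practice, and it also applies the lesson of the Chapel Hill study above by rejecting a new password that is only a trivial transformation of an old one. The list of compromised passwords is a small constructed sample standing in for a real breach corpus, the prefix-indexed lookup mirrors the k-anonymity layout used by range-query breach services so that only a five-character hash prefix ever leaves the client, and the 8-character minimum comes from NIST SP 800-63B rather than from this article; the function names and the edit-distance threshold are this example's own choices.

```python
import hashlib
import string

# Constructed sample of a compromised-password list. A real deployment
# would load a breach corpus or query a range-based breach service; this
# list exists only so the example runs offline.
COMPROMISED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "Summer2023!", "welcome1",
]


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest format range-query breach services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Index hashes by their first five hex characters (k-anonymity layout).

    A client sends only the prefix and receives every suffix sharing it, so
    the service never learns which full hash (and so which password) was
    being checked. Here the 'service' is just a local dict.
    """
    index = {}
    for pw in passwords:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


COMPROMISED_INDEX = build_prefix_index(COMPROMISED_PASSWORDS)


def is_compromised(password: str, index=COMPROMISED_INDEX) -> bool:
    """True if the password's hash appears in the compromised list."""
    h = _sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def _normalize(password: str) -> str:
    # Collapse case and drop trailing digits/punctuation so that
    # "Summer2023!" and "summer2024" reduce to the same base word.
    return password.lower().rstrip(string.digits + string.punctuation)


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True if 'new' is just a small transformation of 'old'.

    Either the two share the same base word once case and trailing
    digits/symbols are removed, or they are within max_distance edits.
    """
    base_old, base_new = _normalize(old), _normalize(new)
    if base_old and base_old == base_new:
        return True
    return _levenshtein(old.lower(), new.lower()) <= max_distance


def evaluate_password(new: str, history=(), min_length: int = 8) -> str:
    """Return a verdict string for a proposed password.

    min_length=8 follows NIST SP 800-63B (an assumption added here, not a
    point made in the article above). 'history' holds the user's previous
    passwords so trivial rotations can be rejected.
    """
    if len(new) < min_length:
        return "too_short"
    if is_compromised(new):
        return "compromised"
    for old in history:
        if is_trivial_variant(old, new):
            return "trivial_variant"
    return "ok"


if __name__ == "__main__":
    for candidate in ["Summer2023!", "Winter2023!", "tractor-hinge-lamp-42"]:
        print(candidate, "->", evaluate_password(candidate, history=["Winter2022!"]))
```

Two design points are worth noting. First, the screen hashes the candidate and compares only a suffix under a shared prefix, so the same code works unchanged whether the index is local or fetched per prefix from a remote service. Second, the variant check is what turns the study's finding into policy: if an organization still keeps a password history, comparing against it by base word and edit distance rejects exactly the "increment the year" changes that made rotated passwords guessable.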

Get Help from GSec LLC

If you are struggling to stay updated with NIST policies and guidelines, do not hesitate to contact us. We can provide you with information on NIST so that you can better prepare for updates.

By: Alex O’Reilly

Sources: https://www.bleepingcomputer.com/news/security/aligning-your-password-policy-enforcement-with-nist-guidelines/

https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes