
NIST Guidelines Make Passwords Easier to Remember but Hard to Crack

The lock on your front door isn’t going to keep intruders out unless you make a habit of using it. The same is true for the digital locks on your data and IT systems. Strong passwords continue to provide a solid defense against hackers, but password management guidelines within the NIST Cyber Security Framework have changed.

Because traditional password management policies produced unforeseen bad habits that compromised security, the updated NIST guidelines were written to make passwords easier for users to remember and harder for hackers to crack.

NIST, the National Institute of Standards and Technology, initially created the Cyber Security Framework in 2014 for all US federal agencies to follow in order to protect critical infrastructure. While it is not a law, companies that are part of the government supply chain are now being required to verify their security practices through adoption of the Framework.

Whether or not you’re required to follow the NIST Framework, it’s a good idea to consider adopting these guidelines: they make passwords easier for your employees to remember and use, and thus make your data more secure.

NIST Password Guidelines Updated in 2019

NIST updated its password guidelines because it recognized that the behavior that actually resulted from trying to follow traditional password management practices turned out to be less secure. For example, in order to meet requirements for password complexity, people were doing things like putting their passwords on sticky notes on their computers. Another bad habit that has become commonplace is reusing old passwords.

What’s Changed in the NIST Password Guidelines

Complexity Isn’t as Important

Not making passwords complex doesn’t mean making them easy. The new NIST password best practices don’t require the use of upper case and lower case letters, numbers, and special symbols. They do require that passwords be made up of a mix of characters, that they not be dictionary words, and that they not rely on common letter substitutions that automated cracking software breaks easily, such as $ for S and @ for the letter a.

Length is More Important

NIST guidelines recommend that passwords be a minimum of 8 characters, but they encourage longer passwords. Brute force attacks that try to guess every combination of characters in a password are more successful with shorter passwords than with longer passwords.
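As an added illustration of the two points above (example code written for this page, not NIST's or VC3's), the following Python check enforces a minimum length and a blocklist, undoes the $-for-S style substitutions before the blocklist lookup, rejects obvious sequences like "abcd", and deliberately has no upper/lower/digit/symbol rule. The blocklist and the 64-character cap are constructed assumptions for the example; a real deployment would load a large list of breached and common passwords.

```python
"""Password acceptance check along the lines the page describes: length
matters, composition rules do not, and dictionary words stay blocked even
when letters are swapped for look-alike symbols.  Added example; the
blocklist is a constructed sample, not a real breached-password list."""
import re
from typing import Iterable

MIN_LENGTH = 8    # the minimum the page cites; longer is encouraged
MAX_LENGTH = 64   # assumption for this example: leave room for long passphrases

# Constructed sample. A real deployment loads a large list of common and
# breached passwords plus a dictionary here.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "summer", "football"}

# Letter-for-symbol swaps that cracking rule sets undo automatically, so a
# candidate is compared to the blocklist only after the swaps are reversed.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                               "3": "e", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Lower-case, reverse the substitutions and drop anything that is not a
    letter, so 'P@$$w0rd' collapses to 'password' before the lookup."""
    folded = candidate.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", folded)


def has_sequence(candidate: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code
    point, which catches 'abcd', '1234' and '4321'."""
    s = candidate.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(candidate: str, context_words: Iterable[str] = ()) -> list:
    """Return the reasons the candidate is rejected; an empty list means it is
    accepted.  There is deliberately no upper/lower/digit/symbol rule.
    `context_words` carries names a user would be tempted to use (their own
    name, the organisation), which are blocked like dictionary words."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if len(set(candidate)) < 4:
        reasons.append("too few distinct characters")
    if has_sequence(candidate):
        reasons.append("contains an alphabet or number sequence")
    folded = normalize(candidate)
    blocked = BLOCKLIST | {normalize(w) for w in context_words}
    for word in sorted(blocked):
        if word and word in folded:
            reasons.append(f"contains blocked word '{word}' after undoing substitutions")
            break
    return reasons


if __name__ == "__main__":
    for sample in ("P@$$w0rd", "Summer2023!", "abcd1234", "coyDANwhiMASpotSITcol?"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

The blocklist match is a substring match on the normalized form, a strict choice that also catches variants such as "Password123" and "Summer2023!", which a plain exact-match lookup would let through.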

Changing Passwords Every 90 Days Optional

Another big change in the NIST password guidelines is the removal of the requirement to change passwords every 90 days. Now password changes should be initiated when a breach is suspected, but some security experts, including the VC3 team, still consider 90-day password changes an important practice for keeping accounts safe from intruders.

Memorable Passphrases Recommended

Passphrases that can be easily remembered are now recognized as being the best way to help your employees keep the doors to your data closed to intruders. Passphrases should be long, but shouldn’t contain personal information or obvious uses of letters and numbers in sequences or words. The best phrases contain uncommon words and can even include words in different languages.

A sentence passphrase is easy to remember but will be difficult for hackers to break if you create a rule to go with it. An example of a rule would be to use only the first two letters of each word, or to drop the last letter of each word. Adding punctuation also gives the passphrase some extra complexity while keeping it easy to remember.

Example Passphrase

Here’s an example of a strong passphrase: coyDANwhiMASpotSITcol?

This passphrase comes from the nonsense sentence: Coyotes Dance While Mashed Potatoes Sit Cold

Two rules are applied:

1) Use only the first three letters of each word

2) Use all caps for every other word starting with the second word.

Punctuation is added at the end. You could also add a space or two to make the passphrase a little bit longer.
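To show the two rules above as a repeatable procedure, here is an added Python example (not code from the original post) that turns a sentence into a passphrase exactly the way the example describes. The sentence is the page's own; the `rule`, `keep`, `separator` and `punctuation` options are this example's additions, so the same function also covers the "drop the last letter" rule and the optional extra spaces mentioned above.

```python
"""Apply a memory rule to a sentence to produce a passphrase, reproducing the
two rules the page describes.  Added example; the sentence is the page's own,
the `rule`, `keep` and `separator` options are this example's additions."""


def shorten(word: str, rule: str, keep: int) -> str:
    """Rule 1 in two flavours: keep the first `keep` letters, or drop the last."""
    if rule == "first":
        return word[:keep]
    if rule == "drop_last":
        return word[:-1]
    raise ValueError(f"unknown rule {rule!r}")


def apply_rules(sentence: str, rule: str = "first", keep: int = 3,
                separator: str = "", punctuation: str = "?") -> str:
    """Turn a sentence into a passphrase: rule 1 shortens each word, rule 2
    upper-cases every other word starting with the second, then the chosen
    punctuation is appended.  `separator` goes between the shortened words,
    so a space makes the result a little longer, as the page suggests."""
    parts = []
    for word in sentence.split():
        word = word.strip(".,;:!?\"'")      # sentence punctuation is not part of a word
        if not word:
            continue
        stem = shorten(word, rule, keep).lower()
        # len(parts) is 0 for the first word, 1 for the second, and so on,
        # so odd positions (second, fourth, ...) get all caps.
        parts.append(stem.upper() if len(parts) % 2 == 1 else stem)
    return separator.join(parts) + punctuation


if __name__ == "__main__":
    sentence = "Coyotes Dance While Mashed Potatoes Sit Cold"
    print(apply_rules(sentence))                                   # coyDANwhiMASpotSITcol?
    print(apply_rules(sentence, separator=" "))                    # coy DAN whi MAS pot SIT col?
    print(apply_rules(sentence, rule="drop_last", punctuation="!"))
```

The sentence, not the rule, is the secret here: the rule is a memory aid you can reuse, but each sentence should be unique to the account it protects.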

Don’t Rely on Passwords Alone

Combining password best practices with multi-factor authentication is an even better way to keep your data and systems safe from hackers. Multi-factor authentication requires that the user be identified not just with their password, but with another step in the process to determine – or authenticate – that they are who they say they are.

Not Confident With How Your IT Team is Handling Security?

The level of expertise and knowledge that you need to keep your company safe from cyber criminals may very well be beyond the capability of your IT team. Contact us at 800-481-4369 to explore how outsourced security services can help you become confident in how you’re managing cyber risk.
