Every couple of years, the National Institute of Standards and Technology (NIST) issues their own guidelines and recommendations regarding password security. The NIST is a non-regulatory federal agency, and their password guidelines are not mandatory to follow, but they are generally considered to be a reasonable standard for password security around the entire globe. However, some security and cyber liability insurance experts argue that even the most “secure” passwords are no match for today’s cyber threats. Let’s take a look at the most recent NIST password guidelines and well as some security recommendations that don’t involve passwords at all.
The NIST recommends:
- Removing periodic password change requirements. Multiple studies have been released that show that the requirement of frequent password changes can actually be counterproductive to good password security.
- Stop with arbitrary password complexity requirements. Just like with frequent password changes, the need for mixtures of upper case letters, symbols and numbers may not be any more secure than a simple password.
- Require screening of new passwords against lists of commonly used or compromised passwords. This is an interesting suggestion that claims that one of the best ways to strengthen a user’s password is to screen it against lists of dictionary passwords and known compromised passwords.
Security experts agree that removing password change requirements and arbitrary complexity requirements are good recommendations, but they actually take it one step further and recommend removing passwords entirely. In 2004, Bill Gates, CEO of Microsoft at the time, predicted that passwords would become obsolete, stating, “there is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
In line with Gates’ prediction, Microsoft has almost entirely phased out passwords for employees and is hoping to eliminate them completely. Instead, Microsoft employees can use alternative verification options such as facial recognition and fingerprints. Other tech giants are also joining the trend, both for their employees and also to help consumers reduce their dependence on them. Google, for example, has been testing alternatives like USB key fobs which plug into computers and provide a second factor of authentication. According to the company, the key fob reduced the number of successful phishing attacks carried out against its employees.
With passwords being one of the most commonly stolen pieces of data by cybercriminals, it’s no surprise that new security efforts are being made to eliminate them completely. Proper confirmation of identity in digital transactions is one of the biggest cybersecurity challenges for organizations to overcome. Hopefully, by phasing out passwords and relying on methods that are less easy to replicate, businesses can protect themselves, their employees and their clients from having their data compromised by cybercriminals.
About Connected Risk Solutions
At Connected Risk Solutions, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. To learn more, contact us at (877) 890-9301.