The creation and use of passwords is one of the areas where websites and mobile apps lay down rules for making them as safe as possible. However, a federal agency thinks some of the requirements do more harm than good to the industry.
A new proposal from the National Institute of Standards and Technology (NIST) has been proposed to protect people's digital identities from fraud by developing some guidelines. One of them is banning password requirements, which cybersecurity experts have long considered obsolete. It is no longer necessary to request special characters, like "%" and "$," for instance, for some type of input. It is also no longer necessary to ask users to identify their children's favourite pet or their first pet as security questions.
First and foremost, it is important to understand why it is not only ineffective to change the password every six months but can make it more difficult to secure users' accounts. When people are forced to change their passwords every few months or so due to security restrictions, they tend to choose the path of least resistance by simply changing a couple of characters within their existing passwords to achieve maximum security. This indeed makes the user's new password easier to remember, however, it also means that hackers who have already accessed a user's system or have run into an existing password they might have used before can easily guess the new password.
Passwords should be created with a combination of different character types, and they should be changed regularly, these are no longer best practices for password management.
It is based on new guidelines that have been released by the United States National Institute of Standards and Technology (NIST), which is charged with developing and releasing guidelines that will assist organizations in keeping their data safe.
It was the second public draft of the National Institute of Standards and Technology's Digital Identity Guidelines (SP 800-63-4) that appeared in September of 2024, making these guidelines the latest version that has been published.
For security purposes, it is much better to use strong, unique passwords for each account rather than rotating them as a means of achieving security. There are a variety of letters and numbers that can be used in this system, which means that not just words from the dictionary can be used, which can be picked up by an automated attack program. Furthermore, users should make sure that they don't use any variations on a specific theme in the passwords that they create; don't use variations on a theme (such as "password1" then "password2").
It is highly recommended that users always use passphrases instead of traditional passwords if they are really serious about their security. Passphrases are much harder for attackers to guess when compared to traditional passwords. Make sure to check out our blog on how to create a strong password by clicking here. For those who don't want to remember all of their strong unique passwords to keep their online accounts secure, it is recommended to use a password manager like NordPass.
Because of this, it has become more straightforward to determine whether a password is effective, in comparison to complexity, by measuring its length. Under the guidelines, online services require users to create passwords that are a mix of character types, however, several analyses of breaches of password databases have found that they do not have as great an effect as initially thought.
Due to the vast number of online accounts it manages, maintaining a unique password for every single one of them can still be a daunting task, even if users keep their passwords short and memorable at the same time.
Password managers can play a very important role in preventing this from happening. In addition to this, this type of tool also achieves the goal of archiving all passwords in an encrypted vault that users can access securely, so they don't need to worry about forgetting all their passwords for every account.
When a password manager is installed, the user only needs to remember one strong password to access their vault, thus streamlining their online security as well as reducing the risk associated with reusing passwords.
The password manager is also capable of creating secure, long passwords for the user on their behalf, thereby further enhancing their level of security.
It is of course vital to have robust passwords, but they are merely one of the layers of security that must be considered. There are several reasons why two-factor authentication (2FA) may be a viable authentication method. One of these is the fact that it requires a second verification method, such as a code sent to the mobile phone of the user or an authentication app, before giving the user access to their account.
As long as a hacker has managed to get their hands on the passwords of a user, the 2FA feature is guaranteed to prevent them from gaining access to the user's account even if they manage to obtain the user's passwords. Even though some passwords are compromised, hackers will find it much more difficult to breach users' accounts as a result of this.
People tend to make the mistake of selecting easy-to-guess personal information when choosing passwords during the creation process, which is one of the biggest errors they make.
The information that they disclose could be anything from their name, birth date, or even the name of their favourite sports club they support.
Many individuals make the error of using easily accessible personal information in their passwords, such as names, birthdates, or favourite sports teams. This information is often available through social media platforms or public records, making it a convenient target for cybercriminals attempting to gain access to accounts. To minimize this risk, it is highly recommended that personal details be avoided in password creation.
Instead, users should create complex and unpredictable passwords that are significantly harder for attackers to guess, thereby providing a higher level of security.
Another critical mistake is storing passwords in plain text on personal devices. Some individuals may resort to saving passwords in unprotected documents for the sake of convenience, without considering the significant security risks involved. If the device is compromised, these plain text files can be easily accessed, leaving sensitive information vulnerable to unauthorized users.
A safer alternative is to use password management software, which securely stores passwords while also encrypting them. This adds an essential layer of security and ensures that even if the device is breached, the stored passwords remain protected.
It is also crucial for users to pay attention to security notifications issued by websites and online services. These alerts are often triggered by unusual or suspicious activity and serve as an early warning system for potential security breaches. Unfortunately, such warnings are frequently ignored or overlooked, which can leave accounts exposed to further exploitation.
By promptly addressing these notifications, individuals can take immediate action, such as changing passwords or enabling additional security measures, to mitigate the threat before it escalates.
Lastly, neglecting to regularly update software and applications can lead to unnecessary security vulnerabilities. Software updates frequently contain critical security patches designed to address newly discovered threats.
By failing to install these updates promptly, individuals leave themselves susceptible to attacks that could have been prevented. Maintaining up-to-date software is an essential practice for ensuring the latest security features are in place, reducing the chances of a successful cyberattack.
