With so many other competing priorities, password security may not be top-of-mind for many business leaders right now. But even a cursory check of recent data-breach reporting suggests that it very well should be. More than 80 percent of last year’s hack-related data breaches involved weak or stolen passwords.
In the annual ‘Worst Passwords of the Year’ report, the top five offenders were: 123456; Password; 12345678; qwerty; and 12345. Nearly one in five hacked users were safeguarding their digital lives with ‘123456.’
NIST experts encourage administrators to:
- Clearly communicate memorized secret requirements to all employees, including how to create and change them
- Allow users to make passphrases as long as they want
- Avoid imposing composition rules
- Not require arbitrary, periodic changes; require a change only when users ask for one or there’s evidence of compromise
- Provide clear, actionable feedback when users’ memorized secrets are rejected (e.g. the secret has been used before, is commonly used, or is blacklisted by the company)
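The NIST recommendations above translate directly into a verifier-side check. The following is an added example, not code from the article or from NIST: it accepts long passphrases, imposes no composition rules, rejects values on a blocklist (constructed here from the five passwords named above) and previously used secrets, and returns plain-language feedback for every rejection. The function names, the 256-character ceiling and the SHA-256 history hash are assumptions for illustration.

```python
"""NIST SP 800-63B-style memorized-secret check (added example, not the article's code).

Implements only what the guidance asks for: a minimum length, a generous maximum
so passphrases are accepted, a blocklist of common/compromised values, a check
against the user's previous secrets, and actionable feedback. No composition rules.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8     # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 256   # assumed ceiling; NIST requires allowing at least 64 characters

# Constructed blocklist: the article's top five offenders. A real deployment
# would load a much larger list of breached and commonly used passwords.
COMMON_BLOCKLIST = {"123456", "password", "12345678", "qwerty", "12345"}


def normalize(secret: str) -> str:
    """NFKC-normalize as SP 800-63B recommends, so visually equal strings compare equal."""
    return unicodedata.normalize("NFKC", secret)


def history_hash(secret: str) -> str:
    """Hash used only for the previous-secret comparison in this example.
    Production systems compare against the stored slow password hash instead."""
    return hashlib.sha256(normalize(secret).encode("utf-8")).hexdigest()


def check_memorized_secret(candidate: str, username: str, previous_hashes=()):
    """Return (accepted, feedback). Feedback lists every reason for rejection."""
    secret = normalize(candidate)
    feedback = []
    if len(secret) < MIN_LENGTH:
        feedback.append(f"Use at least {MIN_LENGTH} characters; longer passphrases are welcome.")
    if len(secret) > MAX_LENGTH:
        feedback.append(f"Please keep it to {MAX_LENGTH} characters or fewer.")
    if secret.lower() in COMMON_BLOCKLIST:
        feedback.append("That password is on the list of commonly used passwords; pick something less predictable.")
    if username and username.lower() in secret.lower():
        feedback.append("Do not include your username in the password.")
    if history_hash(secret) in set(previous_hashes):
        feedback.append("You have used this password before; choose a new one.")
    # Deliberately no digit/symbol/mixed-case requirements: NIST advises against composition rules.
    return (not feedback, feedback)
```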
The threat of user-caused breaches makes effective password security more crucial than ever, regardless of the strategy you use.