‘Memorized Secrets’ and NIST’s Latest Password Security Suggestions(1)
With so many other competing priorities, password security may not be top-of-mind for many business leaders right now. But even a cursory check of recent data-breach reporting suggests that it very well should be. More than 80 percent of last year’s hack-related data breaches involved weak or stolen passwords.
In the annual ‘Worst Passwords of the Year’ report, the top five offenders were: 123456; Password; 12345678; qwerty; and 12345. Nearly one in five hacked users were safeguarding their digital lives with ‘123456.’
NIST experts encourage organizations to:
- communicate memorized secret requirements to all employees, including how to create and change them
- allow users to make passphrases as long as they want
- stop imposing composition rules
- stop requiring arbitrary, periodic changes unless users ask or there’s evidence of compromise
- give clear, actionable feedback when users’ memorized secrets are rejected (e.g. it’s previously or commonly used, or blacklisted by the company)
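As an added example, not code from the original article or from NIST, here is a verifier-side check in Python that applies the guidance above: no composition rules, long passphrases accepted, a blocklist of commonly used passwords (seeded here with the page’s top five) and a concrete reason for every rejection. It goes slightly beyond the page by using the 8-character minimum, NFKC normalization and the username check that NIST SP 800-63B also recommends; the blocklist contents and the username parameter are assumptions for illustration.

```python
import unicodedata

# Constructed sample blocklist: the page's top five "Worst Passwords" plus a few
# obvious neighbours. A real deployment would load a large list of breached and
# commonly used passwords here (assumed data source, not part of the page).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "111111", "letmein", "welcome",
}

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128   # SP 800-63B requires accepting at least 64 characters


def check_memorized_secret(secret: str, username: str = "") -> tuple[bool, str]:
    """Evaluate a candidate memorized secret the way SP 800-63B recommends.

    No composition rules (no forced digits, symbols or mixed case), long
    passphrases are allowed, and every rejection carries an actionable reason.
    Returns (accepted, feedback).
    """
    # Normalize first so visually identical Unicode forms (e.g. fullwidth
    # letters) are compared the same way as their ASCII equivalents.
    normalized = unicodedata.normalize("NFKC", secret)
    lowered = normalized.lower()

    # Blocklist check is case-insensitive so "Password" is caught as well.
    if lowered in COMMON_PASSWORDS:
        return False, ("Rejected: this is one of the most commonly used "
                       "passwords and is blocked by policy.")

    if len(normalized) < MIN_LENGTH:
        return False, (f"Too short: use at least {MIN_LENGTH} characters; "
                       "a multi-word passphrase works well.")
    if len(normalized) > MAX_LENGTH:
        return False, f"Too long: this system accepts up to {MAX_LENGTH} characters."

    # Context-specific words such as the account name are trivially guessable.
    if username and username.lower() in lowered:
        return False, "Rejected: the secret must not contain your username."

    # Anything else is accepted: no composition rules are imposed.
    return True, "Accepted."
```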
The threat of user-caused
breaches makes effective password security more crucial than ever, regardless
of the strategy you use.