Password guidelines by NIST

As cyber threats continue to change, organizations must adapt their security practices to safeguard against breaches. The National Institute of Standards and Technology (NIST), a federal agency dedicated to advancing technology and information security infrastructure, has recently updated its password guidelines to provide a reasonable standard for protecting confidential data. 

Organizations can significantly enhance their password security, by following these guidelines, which include increasing password length, allowing special characters, enabling text pasting, eliminating password hints, and reducing complexity requirements.

Increase password length

Length is a big factor in creating strong passwords. Longer passwords are statistically less likely to be cracked. To align with current research, NIST now requires a minimum password length of eight characters for user-generated passwords and six characters for machine-generated passwords. 

However, it is advisable to set the maximum password length at 64 characters for more sensitive accounts. By increasing the length of your passwords, you can improve your security posture and protect against unauthorized access.

Allow special characters and spaces

Another effective way to bolster password security is by permitting the use of special characters in passwords. NIST's updated guidelines now recommend systems to allow passwords that contain special characters, including emojis and spaces. By enabling the use of special characters, you can enhance the complexity of passwords, making them more difficult for cybercriminals to crack. 

However, note that the new guidelines prohibit the use of sequential or repeating characters and dictionary words, as these can be easily guessed or exploited.

Enable text pasting and encourage automated systems

To further enhance password security, NIST's guidelines now encourage the use of automated systems and password managers. Password fields should allow users to paste text using the copy-and-paste feature on their devices. 

This enables users to take advantage of password managers, which simplify password management and enhance security. Additionally, stored passwords should be hashed and salted, providing an additional layer of protection by safeguarding passwords even if they are stolen.

Eliminate password hints and knowledge-based authentication

Password hints have long been regarded as a security vulnerability. Users often set hints that make it easy for others to guess their passwords, rendering the passwords ineffective. To mitigate this risk, NIST has completely outlawed the use of password hints. 

Furthermore, knowledge-based authentication (KBA) questions, such as "What street did you grow up on?" are no longer permitted due to the ease of finding such information online. Organizations can strengthen their password security practices and reduce the risk of unauthorized access by eliminating password hints and KBA questions.

Abandon periodic password change requirements

Traditionally, many organizations enforced policies that required frequent password changes. However, recent studies have shown that such requirements can be counterproductive to good password security. In line with this research, NIST recommends removing periodic password change requirements. 

This change tries to improve usability and make password security more user-friendly. While this new standard may take time to be universally adopted, it offers organizations the opportunity to reevaluate their password policies and promote more effective security practices.

Simplify password complexity requirements

NIST's updated guidelines show the need for minimizing password complexity requirements. Previously, organizations often enforced the inclusion of uppercase letters, symbols, and numbers in passwords. 

However, these requirements can lead to passwords that are difficult to remember and may hinder employee efficiency. By reducing password complexity, organizations can strike a balance between security and usability, empowering employees to create and manage strong, memorable passwords.

Screen new passwords 

An additional security measure recommended by NIST is to screen new passwords against lists of commonly used or compromised passwords. This practice helps protect against hackers who attempt to use known passwords in different settings. 

Organizations can prevent the use of weak passwords and further strengthen their security posture by using software that checks proposed passwords against previously held or exposed passwords.

HIPAA compliance and password security practices

HIPAA mandates the protection of sensitive patient information and sets guidelines for data security. Implementing the NIST password guidelines can greatly contribute to HIPAA compliance by enhancing password security practices. Healthcare organizations can demonstrate their commitment to protecting patient data and avoiding potential breaches by adhering to these guidelines.

See also: HIPAA Compliant Email: The Definitive Guide 

In the news

NIST has updated its Cybersecurity Framework (CSF), a guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors, and organization types, regardless of their level of cybersecurity competence. 

For many businesses, the CSF has become a tool for anticipating and addressing cybersecurity threats.“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director.

CSF 2.0 introduces a new function, "Govern," stressing governance in cybersecurity risk management. This addition shows the need for executive leadership and organizational culture in cybersecurity initiatives. The Framework also addresses supply chain risks, increasing the interconnectedness of organizations and the growing prevalence of supply chain attacks. The framework helps organizations strengthen their resilience against such threats by including guidance on supply chain risk management.

Read more: NIST unveils comprehensive update to its cybersecurity framework

FAQs

Does NIST guidance for healthcare compliance align with HIPAA regulations?

Yes, NIST guidance for healthcare compliance is designed to align with HIPAA regulations, providing a framework for implementing security controls and safeguarding protected health information (PHI).

Do I need patient consent to implement NIST-recommended security measures?

While patient consent is not specifically required for implementing NIST-recommended security measures, it is necessary to communicate with patients about the security measures in place to protect their health information, in accordance with HIPAA guidelines.

What tools or resources can I use to effectively implement NIST guidance for healthcare compliance?

Healthcare organizations can use a range of resources, including NIST special publications, cybersecurity frameworks, and industry best practices to effectively implement NIST guidance for healthcare compliance. Additionally, collaborating with cybersecurity experts and using advanced security technologies can further enhance compliance efforts.