Passwords have become a part of our daily lives at work and at home. Even as new identification tools have gradually entered the marketplace, the password has remained a constant for many websites and applications.
Unfortunately, password best practices have not evolved to match sophisticated cybercrime operations.
Weak and stolen passwords accounted for 49% of hacking-related breaches – and a stunning 86% of basic web application attacks – in the 2023 Data Breach Investigations Report conducted by Verizon. Further, the Identity Theft Resource Center (ITRC) found more than 1,800 breaches in the U.S. in 2022, just 60 events short of the all-time high of 1,862 set in 2021.
Since it began tracking incidents back in 2005, ITRC has identified 19.7 billion records that were exposed by data breaches, impacting more than 11.8 billion victims. In many cases, investigations determined that the password was the weakest link. These findings have unleashed widespread scrutiny around authentication practices.
Companies develop their data authentication practices based on standard-setting organizations like the NIST, which sets guidance for U.S. government agencies. Although its guidelines for passwords and authentication have seen minor revisions since NIST first released them in 2017, their main themes remain the same.
After analyzing what makes an effective password (and what doesn’t), the institute argues for a more flexible, simpler approach to password management. However, these standards still aim to maintain effective authentication and robust security controls to prevent unauthorized access to data and resources.
While traditionally in favor of increasingly complex passwords and passphrases, NIST now argues for a usability-focused approach, asserting that users will opt for passwords they can easily remember.
For example, a password that adheres to the traditional randomized mix of characters may be as simple as “P@ssw0rd,” which hackers are capable of cracking quickly. Another example would involve a user bypassing creating a new password at expiry, such as using a sliding number scale at each expiration, (e.g., “Password1, Password2, Password3…”). If hackers previously obtained the user’s credentials, they may easily guess any successive passwords.
In short, the NIST guidelines suggest the following:
NIST recommends that individuals opt for harder-to-guess passphrases involving strings of random words and characters. This would deter individuals from using simple passwords and make it less likely to circumvent the purpose of the enforced password policies.
With these guidelines, NIST looks to fold passwords into the larger authentication process. A usable but hard-to-guess password, combined with other authentication factors like biometric information or personal tokens, can create a more meaningful (and more secure) data security system.
When we talk with our customers, we define authentication with three factors:
Passwords fall into the first category. However, the best method for authentication is a strong, layered approach that requires more than one type. We’ve already witnessed the weaknesses of category 1 identification, whether it’s a password used multiple times across multiple logins or easy-to-guess security questions.
"A usable but hard-to-guess password, combined with other authentication factors like biometric information or personal tokens, can create a more meaningful (and more secure) data security system."
NIST guidelines intend to relax the complexities from a password system. However, passwords aren’t going away anytime soon. Whether or not your company decides to follow the NIST guidelines, it’s important to periodically review your authentication practices and information security training. Here are some best practices.
1. Use passphrases instead of password
2. Educate employees on lesser-known dangers of password use
3. Assess the risks of any documents accessible by employees
4. Review detective controls, including logging and monitoring
5. Periodically examine applications, operating systems and databases
While NIST encourages a less complex password system, those passwords are just one part of the authentication process. With cybercrime growing more sophisticated each year, you don’t want to be caught off guard.