We discussed the changes in the NIST (National Institute of Standards and Technology) password guidelines in a previous blog post. The area getting the most chatter is the password recommendation itself. NIST's research found that mandatory complexity rules (mixing upper and lower case letters, symbols and numbers) actually produce worse passwords, because users satisfy them in predictable ways. Its other recommendations are to favor longer passwords and to stop requiring frequent, scheduled password changes.
MOREnet Cyber Security still recommends passwords that are long (15 characters or more) and strong (complex), and that a different password be used for each login. You may need to examine your own policies and base your password requirements on the role each user has in your organization.
One of the new recommendations from NIST is the use of a password screener. When a user chooses a password, a program compares it against the same material cybercriminals use in dictionary and brute force attacks: lists of commonly used passwords, dictionary words with the usual substitutions, and passwords exposed in previous breaches. Screening stops users from selecting passwords that are easy to guess or already in an attacker's word list.
While free online password screeners are available, it is important to note that they can also be compromised, or run by the cybercrooks themselves, to enhance their own password databases. Even Kaspersky warns against entering your 'real' password into a checker.
In addition, there are ways to check whether a user's credentials have already been compromised in a known breach, without handing the password itself to the service doing the checking.
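The following is an added example of a password screener of the kind the previous paragraphs describe; it is not code from the original post or from MOREnet. It applies three checks in order: the 15-character length MOREnet recommends, a lookup against a small blocklist after undoing the substitutions crackers expect ("P@ssw0rd2024!" is screened as "password"), and a breached-password lookup done the safe way, sending only the first five characters of the password's SHA-1 hash and matching the rest locally. The blocklist, the leaked passwords, their breach counts and the range-lookup service are all constructed stand-ins (assumptions) so the example runs offline.

```python
import hashlib
import re

# Constructed sample blocklist of common passwords. A real deployment would load a
# large list recovered from public breaches; these few entries are assumptions.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

MIN_LENGTH = 15  # the length MOREnet recommends in the post

# Rules of the kind cracking tools apply: undo common "leet" substitutions and strip
# trailing digits/symbols, so "P@ssw0rd2024!" is screened as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker's rule set would derive it from."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)   # drop trailing "2024!", "123", etc.
    return stripped.translate(LEET).lower()


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a k-anonymity "range" lookup service (assumption: it models
# the style of API where the client sends only the first 5 hex characters of the SHA-1
# and receives every suffix sharing that prefix). Built from a few leaked passwords
# with made-up breach counts so the example runs offline.
LEAKED_PASSWORDS = {
    "correcthorsebatterystaple": 300,
    "Summer2023!!!!!": 120,
    "P@ssw0rd123456789!": 5000,
}


def build_range_index(leaked: dict) -> dict:
    index = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> list:
    """The only thing that leaves the client: a 5-character hash prefix, never the password."""
    if len(prefix) != 5:
        raise ValueError("range queries carry exactly 5 hex characters")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appeared in known breaches (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:   # the match is made locally, on the client
            return count
    return 0


def screen_password(password: str):
    """Return (accepted, reason). Cheap local checks run first, the breach lookup last."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if normalize(password) in COMMON_PASSWORDS:
        return False, "a common password with trivial substitutions"
    count = breach_count(password)
    if count:
        return False, f"appeared in {count} known breaches"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["short", "P@ssw0rd123456789!", "correcthorsebatterystaple",
                      "xq7!Lm2#vb9Zt&pR"]:
        print(f"{candidate!r}: {screen_password(candidate)}")
```

The order matters: the length and blocklist checks cost nothing and reveal nothing, and only a password that passes them is hashed for the range lookup. Because the lookup service only ever sees a five-character prefix shared by many unrelated hashes, a compromised or malicious checker learns nothing usable, which is the concern raised about free online checkers above.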