Alert

Increase Password Security with New Guidance from NIST


The National Institute of Standards and Technology (NIST) is in the process of finalizing Special Publication 800-63-3: Digital Identity Guidelines, which provides new guidance revising its long-standing best practices for system password characteristics.

New Best Practices

Instead of needing to change passwords frequently and requiring them to meet complexity requirements—such as using symbols and different cases—as the established guidelines have suggested for years, the new framework recommends creating passwords that:

  • Use a long string of random words that can be remembered by the user
  • Exclude repetitive or sequential characters and numbers
  • Are screened against a list of commonly used or compromised passwords
  • Aren’t changed, except in the event of a system breach or cyber incident
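A verifier-side check that implements the first three points above, written here as an added example (it is not code from the alert or from NIST): it accepts long passphrases with spaces, imposes no symbol or case composition rule, rejects repetitive and sequential runs, and screens against a blocklist. The 8-character minimum, the run lengths that count as "repetitive" (3) and "sequential" (4), and the tiny inline blocklist are assumptions; a real deployment would load a breached-password feed instead.

```python
# Assumed policy parameters (not stated in the alert)
MIN_LENGTH = 8

# Constructed stand-in for a list of commonly used or compromised passwords
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def has_repetitive_run(pw, n=3):
    """True if any character repeats n or more times in a row, e.g. 'aaa'."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw, n=4):
    """True if n consecutive characters ascend or descend by one code point,
    e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, blocklist=COMMON_PASSWORDS):
    """Return the list of reasons a candidate is rejected; an empty list means accepted.
    Deliberately no composition rules: a long string of random words passes as-is."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if has_repetitive_run(pw):
        problems.append("repetitive characters")
    if has_sequential_run(pw):
        problems.append("sequential characters")
    # Blocklist comparison is case-insensitive (an assumption, not a NIST requirement)
    if pw.lower() in blocklist:
        problems.append("commonly used or compromised password")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "password", "abcd1234", "aaaBBB"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```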

The new guidance also suggests dropping the practice of password hints triggered by questions asking the user specific types of personal information, such as: What was the name of your elementary school?

Reasoning

The previously established password security guidelines set by NIST have unintentionally resulted in insecure password practices. Required to regularly generate new, complex passwords, users have tended to create common, easily remembered, and easily guessed passwords instead.

The idea behind the new guidance is to reduce this practice and make it easier for end users to create and maintain fewer and more secure passwords.

Next Steps

While the new changes to password security practices will likely help reduce the number of easily preventable security breaches, it’s important to remember that even the most secure passwords can become compromised. Cyber attackers can still get around strong passwords through the use of phishing attacks, phone-based impersonations, and other social engineering techniques—all of which require vigilance and strong internal controls to deter.

We're Here to Help

For more information about improving your organization’s IT security, or if you’d like help determining what the implications of the new NIST guidance are for your business, contact your Moss Adams professional or visit our cybersecurity services page.
