The National Institute of Standards and Technology (NIST) once said that a good password consisted of three things: upper- and lowercase letter, numbers, and symbols. However, the NIST recently reversed its stance on good passwords. Here’s why and what they are now recommending.
The problem
The issue isn’t that the NIST advised people to create easy-to-crack passwords, but their previous advice inadvertently made people create weak passwords using predictable capitalization, special characters, and numbers, like “P@ssW0rd1.”
Such a password may seem secure, but the strings of characters and numbers could easily be compromised by hackers using common algorithms.
What’s more, the NIST also recommended that people change their passwords regularly, but did not specify how and when to change them. Since many people thought their passwords were already secure because they’ve included special characters in them, most only added or changed one character.
The NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for a hacker’s algorithm to crack.
Eventually, the institution admitted that this can cause more problems than solutions. It has reversed its stance on organizational password management requirements, and is now recommending banishing forced periodic password changes and getting rid of complexity requirements.
The solution
- Single sign-on – allows users to securely access multiple accounts with one set of credentials
- Account monitoring tools – recognizes suspicious activity and locks out hackers