NIST & the FBI have again adjusted their password best practice recommendations.

The recommendations are part of an initiative launched by the FBI to help 2020 political campaigns and American voters protect against online foreign interference. The FBI, the Department of Homeland Security, and the Office of the DNI have provided guidance and information as part of this effort.

The FBI is opting for the following approach when it comes to password creation: “If you use a simple password or pattern of characters, it’s considerably easier for an adversary to crack. Consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for the user to remember.” NIST now recommends: “Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.”

Additionally, the recommendations on password expiration have also changed. The FBI now recommends requiring a password change only when the use case requires a change. They discovered, after extensive research, that passwords with lifecycles of 90 days or shorter present more risk, because users find ways to keep track of the constantly changing passwords. Of late we’ve seen passwords stored in Outlook contacts, Google Sheets, password-protected Excel spreadsheets, Dropbox Paper documents, and physical notepads. We recently worked with an organization that had an incredibly difficult time with their infrastructure credentials because the engineer they released from employment had them all stored in a notebook he took with him.
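To make the two policies concrete, here is an added example (not code from the original post, the FBI, or NIST) that encodes the recommended policy quoted above (15 or more characters, no required character classes, no scheduled expiry) beside a typical legacy policy, checks a candidate password against each, and compares the size of the search space a 15-character lowercase passphrase gives versus an 8-character "complex" password. The legacy numbers (8 characters, three of four classes, 90-day rotation) and the policy names are assumptions chosen for illustration.

```python
"""Added example: compare a legacy complexity-based password policy with the
15+ character passphrase policy the FBI and NIST now recommend.
The legacy numbers and policy names below are illustrative assumptions."""
import math
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_classes: int          # how many of upper/lower/digit/symbol are required (0 = none)
    max_age_days: Optional[int]   # None = change only when the use case requires it


# Assumed legacy policy: short minimum, composition rules, forced 90-day rotation.
LEGACY_POLICY = PasswordPolicy("legacy-complexity", 8, 3, 90)
# Policy matching the FBI/NIST guidance quoted in the post.
PASSPHRASE_POLICY = PasswordPolicy("fbi-nist-2020", 15, 0, None)


def _class_count(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw: str, policy: PasswordPolicy,
                   set_on: date, today: date) -> List[str]:
    """Return the list of policy violations (empty list means the password passes)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"{policy.name}: shorter than {policy.min_length} characters")
    if policy.require_classes and _class_count(pw) < policy.require_classes:
        problems.append(f"{policy.name}: fewer than {policy.require_classes} character classes")
    if policy.max_age_days is not None and (today - set_on).days > policy.max_age_days:
        problems.append(f"{policy.name}: older than {policy.max_age_days} days, rotation required")
    return problems


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly chosen string of this length and alphabet.
    Used to show that length contributes more than character-class rules."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    today = date(2020, 3, 1)
    # Constructed sample inputs: a four-word passphrase and a short "complex" password.
    samples = [("correct horse battery staple", date(2019, 1, 1)),
               ("Tr0ub4dor&3", date(2020, 2, 1))]
    for pw, set_on in samples:
        for policy in (LEGACY_POLICY, PASSPHRASE_POLICY):
            print(f"{pw!r} under {policy.name}: {check_password(pw, policy, set_on, today) or 'OK'}")
    print(f"15 lowercase chars: {keyspace_bits(15, 26):.1f} bits; "
          f"8 printable ASCII chars: {keyspace_bits(8, 95):.1f} bits")
```

The passphrase fails the legacy policy twice (no character-class mix, and it is over 90 days old) even though it has a far larger search space than the short complex password, which is exactly the mismatch the new guidance removes: under the passphrase policy the only question is whether the password is at least 15 characters.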

Want to find out more? Sign up for our Business Cyber Risk Workshop on March 5th. Simply CLICK HERE to get a complimentary pass.