National Institute of Standards and Technology (NIST) Secure Password Guidelines
The National Institute of Standards and Technology, otherwise known as NIST, is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST was created to promote innovation and industrial competitiveness in industries such as information technology, nanoscale science and technology, and engineering. NIST has been named by the American AI Initiative to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems. In June of 2017, NIST published guidelines setting out the requirements for protecting one’s digital identity.
Characteristics of Secure and Strong Passwords
According to NIST’s secure password guidelines, there are certain password factors that are recommended for better security. Some of these guidelines are:
- Minimum of eight characters, with a suggested maximum of 64 characters
- Ability to use special characters (e.g. ? & ! @)
- Restriction of repetitive or sequential characters (e.g. "abcde" or "1111")
- Restriction of context-specific phrases (e.g. the user's email address or username)
- Restriction of commonly used passwords or passwords obtained from previous breach corpora
The restriction of these kinds of passwords is important because predictable passwords are likely to be guessed by attackers. Candidate passwords are compared against a blocklist of unacceptable values and rejected if they match any of the predefined conditions. A blocklist usually consists of simple dictionary words, previously used passwords, and specific words and phrases that tie to the organization or service.
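The screening rules listed above, as an added example that is not part of the original article or of NIST's own text: a small Python checker that applies the length bounds, the repetitive/sequential test, the context-specific test, and a blocklist lookup. The blocklist here is a constructed stand-in for a real breach corpus, and the 4-character run length is an assumed threshold.

```python
import re

# Constructed stand-in for a breach corpus / common-password list (assumption).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def is_sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters that ascend or descend
    by exactly one code point (e.g. 'abcd', '4321')."""
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_repetitive(s: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row (e.g. '1111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_password(pw: str, username: str = "", email: str = "") -> list:
    """Return a list of rule violations; an empty list means the password is acceptable.
    Note there is no composition rule: spaces and passphrases are allowed."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    if is_repetitive(pw):
        problems.append("contains repetitive characters")
    if is_sequential(pw):
        problems.append("contains sequential characters")
    lowered = pw.lower()
    # Context-specific check: the username and the local part of the email address.
    local_part = email.split("@")[0].lower() if email else ""
    for ctx in (username.lower(), local_part):
        if ctx and len(ctx) >= 3 and ctx in lowered:
            problems.append("contains username or email")
            break
    if lowered in BREACHED_PASSWORDS:
        problems.append("found in breach corpus / common-password list")
    return problems
```

The passphrase from the article, "house kangaroo 28 card ticket", passes every rule, while "password" is rejected only by the blocklist even though it meets the length bound.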
Random Characters Do Not Equal Strong Passwords
NIST suggests that a strong password is something unique that one will remember but someone else cannot guess. Contrary to past popular belief, passwords built from mixed upper- and lower-case letters, numbers, and special characters are no longer recommended; instead, NIST favors long, memorable phrases such as “house kangaroo 28 card ticket”, where the phrase itself does not make sense as a sentence but can be pictured in your mind.
In addition to strong passwords, the controls surrounding passwords are equally important. Even though the new guidelines rely less on length and complexity, lockout after repeated failed attempts should be configured in order to stop the high volume of attempts that can signal a hacking attempt. Another control should be a password history restriction that does not let personnel reuse any of their previous passwords, because those passwords may have been compromised.
For more information about secure password guidelines, check out the NIST website focused on information technology publications. To learn more about our risk consulting services, contact Katelyn.Crowley@freedmaxick.com, connect with me here, or call 716.362.6281.
Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website; many of these conduct business solely through their website. With the uptick in devices that increase social media presence (i.e. smartphones, tablets, apps), businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online does not just apply to corporations, but also to entrepreneurs looking to start or grow their business online.
While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving small companies ripe for the picking by cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is using, or thinking of using, cloud computing, or is just using email and maintaining a website, cyber-security should be part of the plan. It is a business’s responsibility to create a culture of security that will enhance business and consumer confidence.
In order for businesses to stay a step ahead of cyber criminals, the following steps should be taken to increase security:
Train your employees in security principles: establish basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.
Protect computers and networks from cyber attacks: “cleaning” computers is one of the most vital things you can do to help prevent cyber attacks. For example, keeping security software, web browsers, and operating systems current is the best defense against malware, viruses, and other online threats.
Provide a firewall for your computer: a firewall is a set of related programs that prevents outsiders from accessing data on a private network. This includes ensuring that if an employee is working from home, their home system has firewall protection. One of the most common mistakes is downloading firewall programs but not “enabling” them, essentially never “turning them on”.
Secure Wi-Fi networks: make sure that any Wi-Fi networks you have for your business are secure, encrypted, and hidden. You can hide the network by setting up your wireless access point or router so that it doesn’t broadcast a network name, and by password-protecting access to the router.
Limit employee access to data: do not give any one employee access to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.
PCI compliance is also a big part of being secure online. The PCI DSS is the standard set by the Payment Card Industry Security Standards Council to ensure that businesses storing, transmitting, and processing payment card data are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with level one being the highest. The level that your business requires depends on:
- The volume of transactions you process, and
- How you process them.
Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.
Freed Maxick CPAs
Freed Maxick’s tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessors certified by the Council to validate an entity’s adherence to the PCI DSS. Contact us and connect with our experts.