DEFENSESTORM BLOG

NIST Framework Password Recommendations

Monday, December 16th, 2024

Take a minute and think about the password(s) you use in both your professional and personal capacities. Do you use the same password for everything? Do you use short, simple passwords that are easy to remember? When it is time to change your password, do you only change a number or a letter in it? Of the many ways a threat actor attempts to gain access to your network, password attacks remain one of the most prevalent methods cybercriminals use. When passwords are reused or weak, they are far more susceptible to being stolen. One stolen password can lead to a detrimental data breach for your organization.

Cybercriminals and the threat landscape are constantly evolving and changing; this means that we must constantly evolve and change as well. One of those changes involves password security. The National Institute of Standards and Technology (NIST) has recently updated the cybersecurity framework from version 1.1 (released in 2018) to version 2.0 (released in 2024). This update included more effective password practice protections. Outlined below are six takeaways from that update.

Takeaways

  1. Password length over password complexity: I am sure we all have created a password only to be told it did not meet the requirements (e.g. one lowercase letter, one uppercase letter, a symbol, etc.). This formula was created in the hope that passwords would be difficult to crack with password-cracking tools. The problem is that we, as humans, are predictable beings. Most individuals will start or end their passwords with a symbol or number, capitalize the first letter, and replace a letter with a number (example: 3 for an E). So, although the password appears to be complex, it is relatively easy to crack by following those predictable patterns. NIST recommends that users create longer passphrases or passwords that are easy for them to remember but harder for cybercriminals and their tools to crack. The passphrase does not need to make sense; it only has to be remembered by the user. An example would be “zebra-shoestring-teletubbytales5”. Is it silly? Absolutely, but to some it may be easier to remember than “Uz56!$Kte&7”. (Disclaimer: Please do not use any of the example passwords as this is an open forum).
  2. Support longer passwords: With password length in mind, NIST recommends supporting up to 64 characters to facilitate longer passwords. The high number of allotted characters ensures that a longer password/passphrase is obtainable for users. Realistically, very few people will use all 64 characters. I do say “very few people”, because we all know someone in our offices who loves a challenge. A longer password does not mean that it cannot be compromised; it just offers more protection than a shorter one.
  3. Multi-factor authentication (MFA): Research done by Microsoft indicates that 99% of breached accounts did not have MFA enabled. According to NIST, MFA is not an option; it is a must-have. Implementing MFA closes a regularly exploited security gap. (Microsoft source: https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization)
  4. Avoid frequent mandatory password changes: Forced password changes should be avoided unless a compromise has occurred. Requiring users to change passwords frequently tends to produce minimal, weaker changes made only to satisfy the requirement. NIST does not recommend removing required password changes from the policy entirely, only extending the time between them.
  5. Screen against breached passwords: If a password has already been breached, do not allow it to be used. NIST recommends screening passwords against compromised-credential databases. Using an already exposed credential is counterproductive to the security of your network. Attackers leverage lists of compromised credentials to advance and accelerate their attacks. Make sure you are not holding down the gas pedal for them.
  6. Retire password hints and knowledge-based recovery questions: NIST recommends that password hints and knowledge-based recovery questions be discontinued. In today’s world, social media lets everyone know what used to be kept to ourselves or our close friends/family. People love to share everything: what they had for breakfast, why they are fighting with a family member, how they can’t believe their kid has turned a year older (every year). It also gives away information about pet names, favorite vacation spots, favorite childhood memories, etc. So password hints and knowledge-based recovery questions have become a security risk, depending on how much one shares with the internet. They can be replaced with MFA verification during password resets or email recovery links.
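To make takeaways 1, 2, 4 and 5 concrete, here is an added example (not DefenseStorm's or NIST's code) of a password-policy check that enforces length instead of composition rules, supports up to 64 characters, screens candidates against a breach list, and rejects the "change one number" rotations described above. The minimum length, the breached-password sample and the substitution table are assumptions.

```python
import hashlib
import unicodedata

# Constructed stand-in for a compromised-credential corpus; a real deployment
# would query a breach-screening service instead of this tiny set.
_SAMPLE_BREACHED = {"password", "123456", "qwerty", "letmein", "Password1!"}
# Keep only SHA-1 digests, as real screening lists do, never the plaintexts.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED}

MIN_LENGTH = 8   # assumption: minimum for a user-chosen secret
MAX_LENGTH = 64  # the "support up to 64 characters" takeaway

# Substitutions people believe add complexity (3 for E, @ for a, $ for s, ...).
_LEET = str.maketrans("013457@$!", "oleastasi")
_EDGE_CHARS = "0123456789!@#$%^&*()-_=+.,?"


def normalize(pw):
    """Collapse the predictable patterns the post describes: letter case,
    a leading/trailing number or symbol, and number-for-letter substitutions."""
    pw = unicodedata.normalize("NFKC", pw).lower().strip(_EDGE_CHARS)
    return pw.translate(_LEET)


def edit_distance(a, b):
    """Levenshtein distance, implemented inline to avoid a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_breached(pw):
    """True if the password, or its normalized form, is in the breach set."""
    digests = {hashlib.sha1(s.encode("utf-8")).hexdigest() for s in (pw, normalize(pw))}
    return not digests.isdisjoint(BREACHED_SHA1)


def validate(candidate, previous=None):
    """Return the policy violations for a candidate password (empty list = accepted).
    Deliberately no composition rules: length plus breach screening replace them."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than the supported maximum of {MAX_LENGTH}")
    if is_breached(candidate):
        problems.append("appears in a compromised-credential list (or is a trivial variant)")
    if previous is not None and edit_distance(normalize(candidate), normalize(previous)) <= 1:
        problems.append("only a minor variation of the previous password")
    return problems
```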

DefenseStorm Recommendations

As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data; keep backup copies offline, air-gapped, and password-protected
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.