Security is a top priority for any managed services provider (MSP), but managing hundreds of passwords across an array of customers is no easy task. To protect their customers’ data, MSPs work hard to roll out security strategies—but are they effective?
Piecemeal security strategies are not only ineffective—they’re also risky. Ad hoc strategies leave room for errors that could put customers’ data in jeopardy. This is where comprehensive information security frameworks and guidelines from the National Institute of Standards and Technology (NIST) come into play.
What are NIST guidelines?
NIST guidelines are designed to help federal agencies meet regulatory compliance requirements like FISMA, HIPAA, and SOX. But before we dig into NIST password standards, here’s a brief overview of NIST and why its standards and guidelines are so highly regarded.
Founded in 1901 as the Bureau of Standards, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. While the organization develops guidelines and measures for a host of industries, it has a long-standing history of publishing best practices for information security. The NIST Cybersecurity Framework (CSF) comprises guidelines based on research NIST gathers from a diverse array of security organizations and publications.
NIST guidelines have become so well respected that federal agencies are no longer the only ones turning to them for support. Many private sector organizations have also adopted these comprehensive, customizable, and credible guidelines to remain compliant and keep their entire infrastructure secure. Two of the most popular NIST guidelines for IT professionals are the NIST Cybersecurity Framework and NIST SP 800-63, which is part of the Special Publication 800 series.
What is the NIST cybersecurity framework?
The NIST Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity, serves as an extensive set of guidelines detailing how organizations can keep cybercriminals at bay. The CSF is a 55-page document divided into five distinct categories: identify, protect, detect, respond, and recover. While it’s not a complete framework, many MSPs turn to it when developing their customers’ internal information security frameworks—or their own.
What are the NIST Password Standards?
The best practices outlined in NIST SP 800-63 are the latest NIST password guidelines to enter the industry. Last revised in 2017, today’s NIST password standards flip the script on many of the organization’s historic password recommendations, earning applause from IT professionals across the country. Here are some of the most important changes for MSPs:
The more the merrier: The new NIST password guidelines suggest an eight-character minimum when the password is chosen by a human, and a six-character minimum when it is generated by an automated system or service. They also recommend encouraging users to create lengthy passwords by permitting a maximum length of at least 64 characters. All applications must accept any printable ASCII (American Standard Code for Information Interchange) character, including spaces, and should also accept Unicode characters (such as emojis).
Remove the reset: For years, most MSPs have encouraged their customers to put password reset policies in place, requiring employees to change their passwords every few months or so. According to NIST, this should no longer be the case. The organization explains the reset periods have proven more detrimental than constructive. As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones.
Complexity isn’t king: How often have you created a new account, for a new application, online store, or digital news outlet, and encountered the prompt, “your password must contain one lowercase letter, one uppercase letter, one number, and one symbol”? For years, this type of configuration was the norm. But NIST now explains—much like the new reset recommendation—overly complex passwords can lead to poor password behavior. Users who forget their complicated passwords tend to end up replacing them with new, weaker ones.
Make it a user-friendly affair: The “show password while typing” option is rare on many login sites. NIST suggests changing this and allowing users to view their passwords as they enter them. Without this option, users are more inclined to choose shorter passwords that are easier to type correctly. Since shorter passwords are less secure, any benefit gained from hiding the password is cancelled out by the weaker passwords it encourages.
In the same vein, NIST also suggests forgoing settings that block users from pasting passwords. Users who are allowed to copy and paste their passwords are more likely to create and store stronger, lengthier passwords in password managers than those who are forced to type out their password every single time.
Lose the clues: Some accounts allow users to view a personal hint or answer a pre-selected question, like “what was the name of your first pet?”, when they forget their credentials. While knowledge-based authentication clues can save users the hassle of creating a new password, they are also risky. Personal data abounds in today’s digital era, making it easier than ever for attackers to work out the answers to hint prompts and breach systems. So while these clues may save time, forgoing them is in everyone’s best interest.
Limit the attempts: Allowing an unlimited number of password attempts may temporarily help users who have forgotten their passwords, but it ends up doing more harm than good. The latest NIST password standards recommend giving users a maximum of 10 login attempts before they are turned away: enough to aid a forgetful user, but not enough to assist brute-force attackers.
A hands-free approach: Driving laws aren’t the only regulations cracking down on texting. The NIST two-factor authentication (2FA) policy states that, while 2FA is still important, SMS text messages should not be part of the process. SMS delivery isn’t entirely secure, giving advanced cybercriminals an opportunity to insert malware into the system. This malware can redirect text messages and facilitate attacks against the mobile phone network, which is why SMS-based codes should be avoided entirely.
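To make the acceptance rules above concrete, here is a small password verifier that applies the length rules (8 characters when chosen by a person, 6 when generated by a service, at least 64 accepted), accepts spaces and printable Unicode, imposes no composition rule, and turns an account away after the 10 failed attempts the article recommends. This is an added example written for this article; it is not code from the article, from NIST, or from any product, and the `check_password` and `AttemptLimiter` names, the in-memory failure counter, and the sample passwords are all constructed for illustration.

```python
"""Password acceptance and attempt-limit checks modelled on the NIST SP 800-63B
rules summarised in the article. Constructed example, not NIST or vendor code."""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field

MIN_LEN_USER_CHOSEN = 8       # password chosen by a person
MIN_LEN_SYSTEM_GENERATED = 6  # password generated by a service
MAX_LEN = 64                  # verifier must accept at least this many characters
MAX_FAILED_ATTEMPTS = 10      # the article's recommended limit (hypothetical setting)


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so visually identical inputs compare equal.
    Spaces are kept; nothing is stripped or lower-cased."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, system_generated: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason). Length is measured in code points after
    normalization, so an emoji counts as one character. There is deliberately
    no 'one upper, one digit, one symbol' composition rule."""
    pw = normalize(password)
    min_len = MIN_LEN_SYSTEM_GENERATED if system_generated else MIN_LEN_USER_CHOSEN
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Reject only control characters (category Cc). Every printable ASCII
    # character, spaces and printable Unicode (emoji, accented letters) pass.
    # Format characters such as the zero-width joiner used inside some emoji
    # sequences are category Cf and are therefore allowed.
    for ch in pw:
        if unicodedata.category(ch) == "Cc":
            return False, "contains a control character"
    return True, "ok"


@dataclass
class AttemptLimiter:
    """Per-account counter of consecutive failed logins (constructed, in-memory;
    a real deployment would persist this and add a time-based unlock)."""
    limit: int = MAX_FAILED_ATTEMPTS
    failures: dict[str, int] = field(default_factory=dict)

    def attempt(self, account: str, credential_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'.
        Once the limit is reached the credential is not even evaluated."""
        if self.failures.get(account, 0) >= self.limit:
            return "locked"
        if credential_ok:
            self.failures.pop(account, None)  # a success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "failed"


if __name__ == "__main__":
    # Constructed sample inputs illustrating each rule.
    samples = [
        ("correct horse battery staple", False),  # long passphrase with spaces
        ("alllowercase no symbols", False),       # accepted: no composition rule
        ("short", False),                         # too short for a human-chosen password
        ("abc123", True),                         # six characters is enough when generated
        ("a" * 65, False),                        # exceeds the 64-character ceiling
        ("\U0001F511" * 8, False),                # eight key emojis, accepted as Unicode
        ("pass\x00word1", False),                 # control character rejected
    ]
    for pw, generated in samples:
        print(repr(pw)[:34].ljust(36), check_password(pw, generated))

    limiter = AttemptLimiter()
    results = [limiter.attempt("alice", False) for _ in range(MAX_FAILED_ATTEMPTS)]
    print("after 10 failures:", results[-1], "; 11th attempt:", limiter.attempt("alice", True))
```

The limiter counts only consecutive failures and clears on success, which matches the intent of the recommendation: a forgetful user who eventually gets it right is not penalised, while an automated guesser is stopped after the tenth wrong attempt.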
Why are NIST password standards important?