
New 2020 Password Management Recommendations by the NIST and FBI

March 16, 2020

By Tim Starnes

The National Institute of Standards and Technology (NIST) and Federal Bureau of Investigation (FBI) have released their yearly 2020 password recommendations, overhauled from 2019’s recommendations amid concerns of political campaign and voting fraud by foreign actors.


Most Recent (Faulty) Login Storage Trends

Let’s face it: in our hectic lives we create so many passwords that they become impossible to remember. In the effort to remember them, security standards sometimes slip. In their research, the National Institute of Standards and Technology (NIST) and the Federal Bureau of Investigation (FBI) identified a few faulty storage methods that are widely used:

  • Outlook contacts
  • Google Sheets
  • Password-protected Excel sheets
  • Dropbox documents

These methods share one detail: they store passwords in one central location. That is also the problem: if the account holding all of these passwords is compromised, every one of them has effectively been handed to the attacker.

New Rules

Here are the new login rules as outlined by the NIST and FBI for more secure user accounts:

Use Passphrases Rather Than Passwords

  • Use long strings of words and characters at least 15 characters long.

The science behind this is simple: the human brain finds it much easier to commit a longer, more complex passphrase to muscle memory. On the technical side, password-cracking software has a much harder time with long passwords, since working through hundreds of thousands of combinations becomes time-consuming. NIST suggests a minimum password length of eight characters.

  • Change passwords only when they expire or are compromised.

Research has uncovered that 60- and 90-day password resets actually lead to weaker passwords, as people struggle to come up with new combinations that are memorable.

  • Take away complexity rules.

NIST has gone further, suggesting that composition rules, such as requiring a numeric character, an uppercase letter, or a special symbol, be removed to make the login easier for the end user to remember.

  • Require screening of new logins against a list of commonly used or compromised logins.

Multiple lists of compromised and commonly used logins are available through various software solutions, as well as government entities. New logins should be compared against them to ensure they are not weak straight out of the gate.

Some commonly compromised logins include:

  • Passwords that have been previously compromised (for example, a password reused from another account that was breached).
  • Dictionary words (any word in the dictionary, such as “dog”).
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service the account exists with.

  • Monitor for reused logins.

Passwords within the organization should be unique on all accounts.

  • No password hints.

Password hints help a forgetful account owner regain access, but the problem is that they give a cyberattacker attempting to break into the account hints as well.

  • No security questions.

Security questions are easy to investigate, as the answers to questions such as “where were you born?” and “what was your first car?” can easily be leaked on social media by employees, completely unintentionally.

  • Use a password manager.

While NIST and the FBI are not keen on password managers, they both admit that they are an effective way to store and maintain organizational passwords, especially for shared accounts such as accounts on marketing and printing websites. Because password manager vendors store servers full of sensitive information, they actively invest in their security infrastructure, limiting the potential for data leaks.

  • Limit authentication attempts.

Authentication attempts should be limited in order to cut down the number of guesses cybercriminals are able to make before being locked out. A real employee can always call your organization’s IT support desk if they are truly locked out.

  • Limit authentication types.

Only allow authentication through an application such as Google Authenticator. SMS text and email verification messages are easy to hijack.

Make logins even better.

  • Set a maximum password length of 64 characters.
  • Allow characters such as spaces and emojis to be included in passwords.
  • Allow copy/paste functions in the password field to accommodate password manager users.
  • Biometrics.

For the most secure (but most expensive to implement) login system, biometrics are a possibility. Biometrics include facial and fingerprint recognition – something that many employees will already have enabled on their cell phones.
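The screening and length rules above, combined into one check, as an added example that is not from the article or from NIST: the blocklist, dictionary and context words are constructed placeholders (a real deployment would load a compromised-password feed), and the minimum of eight characters is the NIST figure the article quotes.

```python
import re
import unicodedata

# Constructed sample lists; a real deployment would load a breach-data feed
# and a full dictionary instead of these few entries.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"dog", "cat", "summer", "winter", "dragon", "monkey"}
MIN_LEN = 8    # the NIST minimum quoted in the article
MAX_LEN = 64   # the maximum the article recommends


def _has_sequence(s, run=4):
    """True if `run` consecutive code points step by exactly +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(candidate, context_words=("acme",)):
    """Return the reasons a candidate fails screening; an empty list means it passes.
    context_words (an assumed placeholder) are the service/organization names to block."""
    pw = unicodedata.normalize("NFKC", candidate)  # count emoji and accents consistently
    low = pw.lower()
    reasons = []
    # Length counts code points, so spaces and emoji are accepted as-is.
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if low in COMPROMISED:
        reasons.append("previously compromised")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if re.search(r"(.)\1{3,}", pw):  # four or more identical characters in a row
        reasons.append("repetitive characters")
    if _has_sequence(low):
        reasons.append("sequential characters")
    if any(w in low for w in context_words):
        reasons.append("context-specific word")
    return reasons
```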

Victim similarities.

Many organizations attacked through password cracking share a few similar traits:

  • User accounts do not have multifactor authentication (MFA) enabled.
  • User accounts use easy-to-guess passwords.
  • Web-based applications are used for essential business without appropriate encryption and user security controls.
  • User email accounts allow email forwarding to be set up from the user’s own settings panel (not organization-managed).
  • Synchronization is enabled, allowing email and data to be pulled from the cloud to remote devices.

How did they guess!?

Sometimes, cybercriminals aren’t purely brute-forcing passwords through combination generators. Particularly savvy cybercriminals do their research ahead of time.

  • Social media

One of the downsides of social media is the amount of information that is accidentally leaked online. With a simple Google search, cybercriminals can find employees’ social media profiles containing sensitive information such as addresses, vacation spots, names of relatives, pets, and friends, the cars they drive, and the hobbies they enjoy. All of these are commonly turned into parts of passwords.

  • Purchased lists

Hundreds of data leaks occur each year. Cybercriminals take the stolen information and sell it on the deep web, often for other cybercriminals to purchase for use in further cyberattacks. Should an employee use the same password for most of their accounts and that password is leaked online, they could become the target of an easy account hijacking.

Login theft

Employers have frequently experienced difficulties with employees stealing login information, be it purposefully or accidentally.


For example, if an employee actively writes down usernames and passwords in a journal, should they be terminated they will leave with all of their logins in tow, which could easily be used or even sold.

Impact of an incident

If a password hijacking attack succeeds and data is affected, there are a few possible effects:

  • Loss or theft of critical (and sometimes regulated) information.
  • Operational disruptions
  • Reputational harm
  • Financial losses related to disruption or restoring files.
  • Files moving around the network for no reason.
  • Strange changes to contacts.
  • Security and synchronization rules being changed with no connection to any employees.

Attack indicators

There are a few red flags that a cyberattack is ongoing; these should prompt a rapid response from your organization’s IT department:

  • Login attempts spread over multiple platforms.
  • Numerous login attempts occurring over a period of hours.
  • Attempted or successful logins from unfamiliar IP addresses or devices.
  • Data packets behaving unusually within the network. This can signal a mass data mining or exfiltration process using file transfer protocols.

Without proper monitoring tools in place, tracking or finding an attacker who has entered a network becomes largely chasing a trail of “virtual crumbs” – little pieces of data that have been created, changed, or moved – and this is if the attacker leaves some behind. Skilled attackers with sophisticated software or training are able to enter and travel around a network without leaving any obvious traces behind.

System monitoring software diligently copies all changes within the network it monitors, allowing system administrators to spot “crumbs” of information or changes as they are made – calling attention when abnormal network actions occur.
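The first three red flags above, checked over a small authentication log, as an added example that is not from the article: the log lines, the user and platform names, the four-hour window and the “known” address prefix are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2020-03-16T01:02:11Z platform=vpn user=jsmith src=198.51.100.7 result=FAIL
2020-03-16T01:40:52Z platform=owa user=jsmith src=198.51.100.7 result=FAIL
2020-03-16T02:15:30Z platform=vpn user=jsmith src=198.51.100.7 result=FAIL
2020-03-16T03:05:44Z platform=sharepoint user=jsmith src=198.51.100.7 result=FAIL
2020-03-16T03:50:19Z platform=owa user=jsmith src=198.51.100.7 result=SUCCESS
2020-03-16T09:12:03Z platform=owa user=adoe src=203.0.113.10 result=SUCCESS
2020-03-16T09:14:41Z platform=owa user=adoe src=203.0.113.10 result=SUCCESS
"""
KNOWN_PREFIXES = ("203.0.113.",)  # assumed corporate address ranges

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_indicators(log_text, window=timedelta(hours=4), fail_threshold=3):
    """Return {user: [indicator, ...]} for users matching the article's red flags."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "FAIL"]
        flags = []
        # Numerous failures spread over hours (a slow guess, not one burst)
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(in_window) >= fail_threshold:
                flags.append("%d failures within %s" % (len(in_window), window))
                break
        platforms = {r["platform"] for r in fails}  # attempts across platforms
        if len(platforms) > 1:
            flags.append("attempts across %d platforms" % len(platforms))
        # Successful login from an address outside the known ranges
        if any(not r["src"].startswith(KNOWN_PREFIXES) for r in recs if r["result"] == "SUCCESS"):
            flags.append("successful login from unknown address")
        if flags:
            findings[user] = flags
    return findings
```

A real deployment would feed this from the monitoring software's own event stream rather than a text blob, and tune the window and threshold to the organization's normal login rhythm.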

Reporting to the FBI

The FBI requests that cyberattacks be reported to its Cyber Watch (CyWatch) field office. This is especially important if sensitive data or currency has been stolen or tampered with.

The report should include:

  • Contact information for the designated point of contact
  • Name of the organization affected
  • Events transpired
  • Equipment affected by the attack
  • Number of individuals affected
  • Date
  • Time
  • Location

Ways to prevent password forcing attempts

As with other things in life, prevention is the best cure for password-stealing attempts. Here are a few ways to put up barriers that keep password-forcing attempts from succeeding:

  1. Review organizational password guidelines to ensure they meet NIST and FBI guidelines that are published yearly.
  2. Offer employees cybersecurity learning opportunities to prevent windows of opportunity from opening for cybercriminals.
  3. Establish a password policy that does not allow easy-to-guess passwords.
  4. Enable multifactor authentication (MFA) for all accounts.
  5. Review helpdesk software to ensure procedures are being followed and the software is secure.


Safe passwords, safe data

Put these tips into effect, and your data will be backed by an extra barrier of protection against cybercriminals out to get their hands on it for a variety of purposes. Maintaining password sensibility and security doesn’t have to be a scary prospect or a perpetual difficulty.
