While tech-savvy solutions like passkeys and two-factor authentication (2FA) continue to be favored by companies like Google, Apple, and Microsoft, the humble password isn't dead yet.
Until they're phased out completely, maintaining good password hygiene is the only way your company can stay safe from rapidly evolving threats like keylogger programs and AI password crackers.
Creating a strong password isn't rocket science — but conflicting regulations have created a cloud of confusion around the topic making it hard for businesses to know which requirements to use across their systems.
To celebrate National Password Day 2023, we brushed up on the latest National Institute of Standards and Technology (NIST) guidelines and created a list of password tips for companies and workers to follow in 2023. You can thank us later.
Simple Password Tips for Companies
If you're responsible for setting password policies for your organization, read on for six practices to bear in mind.
1. Set a password minimum of eight characters
According to NIST, creating a longer password is more important than creating a complex one. This is clear from Hive Systems research, that found that passwords eight characters long are able to be hacked within eight hours by the average hacker, while shorter codes can be compromised within a few minutes.
Therefore, to it harder for cybercriminals to crack your password, and easier for you and your business, we recommend setting a character limit that ranges from 8-64.
2. Allow the ‘Show Password' option
When employees type in long and complex passwords blindly, it makes typos and errors extremely common. Not only does this make users more prone to being blocked out of their accounts, it also makes them less likely to create complex codes in the future.
To avoid this issue, NIST tells businesses to let workers see what passwords they're typing. This way, guesswork can be eliminated, stress can be avoided, and your workforce will be more likely to use effective codes to safeguard their accounts.
3. Lower the limit of “Failed Password” attempts
NIST also recommends temporarily baring access to accounts for a certain period of time when users enter incorrect details — and locking them out altogether after 100 attempts. They suggest that companies should make workers complete a CAPTCHA before re-attempting, to ensure that computers aren't trying to enter the account.
4. Use passwords alongside two-factor authentication
While this is less of a password tip, the government agency advises businesses to use two-factor authentication alongside traditional codes. This provides companies with an important extra layer of defense and makes it even harder for hackers to enter your system.
There are a number of different 2FA options to choose from, but using a separate authenticator device or U2F security key is by far the best way to keep accounts safe.
5. Don't reset passwords too frequently
No worker enjoys regularly updating their password. What's more, requiring them to do so frequently results in the creation of unimaginative, hackable passwords.
Because of this, NIST warns businesses against making users reset passwords too frequently. This may sound counterintuitive, but according to the agency, it's the best way to combat password fatigue by keeping the quality of codes strong throughout your organization.
6. Let users copy and paste passcodes
Password pasting has a bad rep. It's commonly understood to be antithetical to password security. But as the UK's National Cyber Security Center found, it rarely poses a direct threat to companies.
In fact, letting users paste codes across platforms has actually been shown to improve security by reducing errors and making it easier for users to follow correct password hygiene. This is consistent with NIST's latest guidelines, which tell companies that users should be able “to use ‘paste' functionality when entering a [password].”
Simple Password Tips for Workers
Unsure about what constitutes a strong password in 2023? Read on for some simple, fuss-free tips.
1. Consider using a passphrase
Generally speaking, the longer the password, the more secure. So, while NIST advises businesses to institute eight-character minimums, using passphrases, which range from eight to 16 characters, is a much more effective way to keep your account safe. What's more, since passphrases break up characters with a spacebar, they're generally easier to remember too, so it's a win-win!
2. Avoid dictionary words
Simple words are easier to crack. Because of this, NIST warns users against using codes that contain dictionary words, or simple number sequences like 123456 or 111111.
As a general rule, it's good to get creative. While users should stay clear of simple words like “password,” “monkey,” or “apple,” they're welcome to use variants of the words like “P@s5worD,” “M0nK3Y,” or “@Ppl3,” as long as they're still long enough to meet your character minimum.
3. Avoid names
While it might be tempting to create passwords modeled off the names of loved ones, pets, or celebrity figures, passwords including names are considerably easier to hack. In fact, research from Cybernews revealed that the names Eva, Alex, and Anna consistently rank as some of the most commonly hacked codes.
To make your password less prone to attack, we advise avoiding the names with special characters and numbers as we outlined in the step above.
4. Don't reuse passwords
Even though most of us are doing it, reusing the same password across multiple accounts makes you a great target for lurking threats. This is because once a hacker cracks one of your passwords, they are then able to gain access to a variety of your online accounts.
Coming up with a distinct password that adheres to password requirements for each platform you use is no easy feat. But fortunately, you don't have to store them and remember them yourself.
5. Use a password manager
Using a reliable password manager is by far the easiest way to look after your password and data hygiene in 2023.
Instead of keeping mental or physical tabs on all your codes, this solution stores all your passwords for you, making it easier for users to deploy long and complex codes that stand the best chance of protecting your accounts.
Password managers can be tasked with generating strong, impenetrable codes too, helping to significantly ease cases of password fatigue.
But with so many options to choose from, you want to make sure you move forwards with the right tool. NordPass is our favorite password manager, because of its user-friendly design and handy features, but we present some other great alternatives in our table below: