An easier, more secure, and more compliant way to manage passwords


It’s a common belief that, to follow security best practices, you need passwords of a minimum length with a mix of capital letters, lowercase letters, numbers and symbols, and that you must reset them every 3-4 months.

But those best practices are outdated, and the author of those original rules has since backtracked on those recommendations.

The United States National Institute of Standards and Technology (NIST) has since released new guidelines that state the opposite of those old rules.

Here are the new best practices as outlined by new research and guidelines from NIST itself.

Why the change of password recommendations?

The primary reasons the recommendations have changed are all related to one thing: humans.

This article by CSO goes into more detail, but in short, research analyzing multiple large breaches revealed that passwords created under the old guidelines were not effective.

In order to try and “remember” passwords for multiple portals, applications and software, the research revealed people would make predictable substitutions when creating passwords. For example, switching “@” for “a” and “!” for “l”.

This becomes more of an issue when you force users to change passwords every 3-4 months as it creates a need for users to use predictable substitutions they can remember. Or worse yet, users will write down passwords on sticky notes.

In fact, NIST specifically states that you SHOULD NOT require passwords to be changed arbitrarily (e.g., periodically).

Thankfully, there are better ways to manage strong passwords that favor the user and are in line with NIST’s new guidelines.

Escaping password hell: A better way to manage passwords

As the CSO article insightfully articulates – creating strong passwords is simply not a job for humans.

Instead, randomly generated sequences of letters, numbers and symbols at least 8 characters long are the most effective. But how do you manage random passwords?

By using Password Managers.

In their new guidelines, NIST specifically encourages the use of password managers, which in many cases increases the likelihood that users will choose stronger passwords.

At Paubox we require all employees to use LastPass as a password manager, but there are other great products like 1Password.

Is the use of password managers HIPAA compliant?

Yes!

You won’t be storing any PHI in a password manager, so you don’t have to worry about compliance there. You should still conduct due diligence when choosing a password manager to make sure they’re storing your data securely.

But as part of your HIPAA compliance program, it’s absolutely OK to use a password manager. HIPAA does not get into specifics on authentication and password management, but it often references NIST guidelines, and we now know where NIST stands.

Key takeaways on managing passwords

  • Use a password manager. Require your team to start using one in order to enforce the rest of these rules.
  • Require random passwords of at least 8 characters. Some password managers have a feature that will generate these passwords.
  • Eliminate composition rules like “Your password must contain one lowercase letter, one number, a symbol, and your favorite color.”
  • No more expiration without reason. The best rule, as recommended by NIST: get rid of periodic expirations. If you set a strong password once, there’s no reason to change it unless it is compromised.
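As an added illustration (not code from the original article or from Paubox), here is a small Python policy check in the spirit of these takeaways: it enforces only a minimum length, imposes no composition rules, rejects the predictable “@ for a” style substitutions the research describes, and generates passwords from a CSPRNG the way a password manager does. The common-word list and substitution table are constructed for the demo; a real deployment would use a large blocklist of breached and common passwords.

```python
import math
import secrets
import string
from typing import Tuple

# Constructed, deliberately tiny list of common base words for this demo only.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou"}

# Predictable substitutions people make to "remember" passwords (e.g. "@" for "a").
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "l", "!": "l", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8  # the one rule NIST keeps: a minimum length, no character-class mix

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def normalize(password: str) -> str:
    """Strip the trailing digits/symbols people append, then undo leetspeak
    substitutions, so 'P@ssw0rd!' collapses back to 'password'."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(SUBSTITUTIONS)


def check_password(password: str) -> Tuple[bool, str]:
    """NIST-style verifier check: minimum length plus a blocklist of
    predictable variants, with no composition requirements."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if normalize(password) in COMMON_WORDS:
        return False, "predictable variant of a common password"
    return True, "ok"


def generate_password(length: int = 16) -> str:
    """What a password manager does: uniformly random characters from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))
```

Eight random characters from this alphabet carry about 52 bits of entropy, which is why a short random string beats a longer word with symbols swapped in.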

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
