At uCheck, we take our clients’ security very seriously – that’s why we’re always striving to improve the way we look after your data.
With this in mind, we’re updating the way we handle password management in line with industry best practice. Read on to find out how we’re changing things.
Initially, we’re removing the requirement for passwords to be reset every 90 days.
We also intend to strengthen our existing multi-factor authentication (MFA) option in the near future.
MFA is a login method that requires users to provide two or more authentication factors – our system currently uses a password combined with a code sent by email.
When we update our MFA, we plan to introduce the use of an authentication app.
We also plan to implement a ‘show password’ option in due course.
Why are we making these changes?
We want our online system to be as good as it can be, and our users’ password security is very important to us.
We’re making these changes in line with the U.S. National Institute of Standards and Technology (NIST) password guidelines.
NIST is part of the U.S. Department of Commerce. Its password guidelines (found in NIST Special Publication 800-63) are a requirement for U.S. federal agencies, and many experts consider them the gold standard in password security.
When it comes to security, we’re committed to staying in line with industry best practice – that’s why we’re using the NIST guidelines as a baseline for our password management.
What do the NIST password guidelines say?
The NIST password guidelines make a number of recommendations relating to password creation, authentication and storage.
The changes we’re making are in line with the following recommendations:
Remove periodic password resets
As many companies do, we previously required users to reset their passwords every 90 days in an effort to keep them secure. However, NIST has found that frequently changing your password can actually be worse for security.
Users often have multiple passwords to remember. In fact, a 2020 study found that the average internet user has around 100 passwords.
All those passwords can be difficult to remember, so users often end up changing them in predictable patterns, such as adding or replacing a single character.
This makes it easy for hackers to guess the new password if they know the old one. Because of this, the NIST guidelines recommend that periodic password reset requirements should be removed.
Use multi-factor authentication
We already use MFA, as recommended by the NIST guidelines, but we intend to strengthen our existing system.
Enable a ‘show password’ option
It’s easy to make mistakes when typing in your password, and if the characters are hidden, you may not know where you’ve gone wrong. This encourages users to choose shorter passwords that they’re less likely to trip up on.
The NIST guidelines state that the longer the password, the more secure it is. Enabling users to see their password as they type it means they’ll be more likely to choose a longer, more secure password without worrying about typos.
If you’d like to know more about the changes we’re making, or have any other questions, please don’t hesitate to get in touch – we’re always happy to help.