
Is Your Organization Still Using Outdated Security Practices?

Almost all companies used to adhere to a practice of resetting passwords quarterly, believing that passwords needed to be refreshed continually. For security practitioners, this practice caused almost as many problems as it supposedly solved. Password resets were disruptive, locking out users and disabling services. Users would forget newly established passwords, write them out on paper, leave them out in the open, or recycle older passwords that were no more secure than the updated ones.


Fortunately, common sense finally prevailed. Numerous security practices, including mandatory password resets, have been updated by the National Institute of Standards and Technology (NIST) to combat evolving threats and to address the ineffectiveness of outdated methods. Key areas that have undergone significant updates include authentication, identity verification, data protection, and general risk management.


Outdated authentication and identity verification

  • Use of SMS for multi-factor authentication (MFA): The practice of sending one-time passcodes via SMS text message is no longer considered a strong security method due to its vulnerability to SIM-swapping attacks and interception.

Updated guidance: NIST now recommends more robust, phishing-resistant forms of MFA, such as authenticator apps (e.g., Google Authenticator, Microsoft Authenticator), physical hardware security keys, or passkeys, especially for high-value accounts.


  • Knowledge-based authentication (KBA): Relying on "secret questions" like "What was your mother's maiden name?" for account recovery is outdated and insecure. The answers to such questions can often be found through social media or other public information, making KBA susceptible to social engineering attacks.

Updated guidance: NIST recommends more secure account recovery protocols that use separate, trusted channels, such as email-based verification or multi-channel authentication (e.g., logging into a trusted app on your phone).


  • Mandatory, periodic password resets: Forcing users to change their passwords every 60 or 90 days was once a common practice. However, this often leads users to create weaker, more predictable passwords (e.g., "Password123" changed to "Password124") or to write down their password.

Updated guidance: Resets should only be required when there is evidence of a potential breach or compromise. Focus is instead placed on implementing better detection and using longer, unique passwords.
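The following is an added example, not code from the original post, of the password-change checks that replace calendar-driven resets: a length floor, a screen against a blocklist of common or breached passwords, and a check for the "Password123" to "Password124" pattern described above. The minimum length of 8, the tiny blocklist, and the assumption that the old password is available in plaintext at change time (the user types it to authorize the change) are all assumptions for the example; composition rules (mandatory symbols, forced rotation) are deliberately absent.

```python
import re
from typing import List, Optional, Set

# Constructed, deliberately tiny blocklist. A real deployment screens against a
# large corpus of previously breached passwords held locally.
EXAMPLE_BLOCKLIST: Set[str] = {"password", "password123", "welcome1", "letmein", "qwerty123"}

MIN_LENGTH = 8   # floor for user-chosen passwords (assumed policy value)
MAX_LENGTH = 64  # generous ceiling so long passphrases are allowed

_STEM_RE = re.compile(r"(.*?)(\d*)")  # splits "Password123" into ("Password", "123")


def _stem(pw: str) -> str:
    """Lower-cased password with any trailing digit run removed."""
    return _STEM_RE.fullmatch(pw).group(1).lower()


def looks_like_increment(old: str, new: str) -> bool:
    """True when `new` is `old` with only the trailing number changed, appended or
    dropped, e.g. Password123 -> Password124 or Summer -> Summer1."""
    stem_old, stem_new = _stem(old), _stem(new)
    return stem_old != "" and stem_old == stem_new


def evaluate_password(new: str, old: Optional[str] = None,
                      blocklist: Set[str] = EXAMPLE_BLOCKLIST) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Screen both the literal value and its stem, so "Password2024" is caught
    # by the "password" entry.
    if new.lower() in blocklist or _stem(new) in blocklist:
        problems.append("appears on the blocklist of common/breached passwords")
    if old is not None:
        if new == old:
            problems.append("same as the previous password")
        elif looks_like_increment(old, new):
            problems.append("previous password with only the trailing number changed")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Password124", "Password123"),
                                ("correct horse battery staple", None)]:
        print(repr(candidate), "->", evaluate_password(candidate, previous) or "ok")
```

The design point is that the only rejections are the ones the guidance actually supports: too short, known-bad, or a cosmetic variant of the old secret. A long, unique passphrase passes untouched.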


Outdated data protection methods

  • Weak password hashing: The practice of storing hashed passwords using weak, outdated cryptographic algorithms (e.g., SHA-1), or failing to properly "salt" the hashes, makes them vulnerable to brute-force and offline password cracking attacks.

Updated guidance: NIST recommends the SHA-2 or SHA-3 family of hash algorithms in place of SHA-1. Because SHA-1 is still so widely deployed, NIST is recommending that all organizations move away from it by the end of 2030.
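As an added example (not code from the original post), the block below puts the outdated scheme next to a modern one: unsalted SHA-1, where every user with the same password gets the same stored value and a single precomputed table cracks all of them, versus a per-user random salt with an iterated SHA-256-based construction (PBKDF2-HMAC-SHA256, chosen here because it is in the Python standard library and built on a SHA-2 hash). The iteration count, salt size and storage format are assumptions for the example; the stored string carries its own parameters so the iteration count can be raised later and old records re-hashed on the user's next successful login.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed policy value; tune to the server's hardware
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def legacy_sha1(password: str) -> str:
    """The outdated scheme: unsalted SHA-1. Identical passwords give identical
    digests, so one precomputed table cracks every account that shares a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'algo$iterations$salt_hex$digest_hex'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses an older algorithm or fewer iterations than current
    policy; the application re-hashes it after the next successful verification."""
    algo, stored_iterations, _, _ = stored.split("$")
    return algo != ALGO or int(stored_iterations) < iterations


if __name__ == "__main__":
    # Two users who happen to share a password: the legacy digests collide,
    # the salted ones do not.
    print("legacy  :", legacy_sha1("hunter2") == legacy_sha1("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("salted  :", a == b)
    print("verifies:", verify_password("hunter2", a), verify_password("hunter3", a))
```

Keeping the algorithm name and iteration count in the record is what makes the 2030 migration practical: the verifier can accept old records, and `needs_rehash` flags them for upgrade without ever needing the plaintext outside the login path.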


  • Encryption algorithms: NIST continuously updates and retires cryptographic algorithms as they become vulnerable to new attacks or as computing power advances. For example, the anticipated threat of quantum computing has prompted the development of new, quantum-resistant encryption standards.

Updated guidance: In August 2024, NIST finalized its first set of post-quantum encryption standards and encourages organizations to begin transitioning to them.


  • Lack of encryption for data at rest: Not encrypting sensitive data when it is stored on a device or server is a significant security vulnerability.

Updated guidance: Modern rules require the encryption of all customer information, both in transit and at rest.


Outdated system and network management

  • Ineffective logging and monitoring: Relying on static, intermittent methods is insufficient to detect modern cyber threats.

Updated guidance: NIST-aligned practices now emphasize continuous, unified collection of log data from endpoints, networks, and the cloud.
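Why unified collection matters is easiest to see with data, so here is an added example (not code from the original post) that normalizes authentication events from three sources of different shapes (an sshd syslog line, a Windows-style 4625/4624 logon record, and a JSON event from a cloud identity provider) into one stream and then looks for a cluster of failures for the same account. The log lines, the hostnames and IPs, the field layout of the endpoint record, the year assumed for the syslog timestamps, and the threshold of four failures in ten minutes are all constructed assumptions. No single source crosses the threshold on its own; only the combined view does.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SYSLOG_YEAR = "2024"  # syslog lines carry no year; assumed for the example

# Constructed sample events exactly as a unified collector would receive them.
SAMPLE_LOGS = [
    "Mar 03 09:00:01 web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 5112 ssh2",
    "Mar 03 09:00:14 web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 5113 ssh2",
    "2024-03-03T09:01:02Z endpoint=WS-ALICE EventID=4625 TargetUserName=alice Status=0xC000006D",
    "2024-03-03T09:02:30Z endpoint=WS-ALICE EventID=4625 TargetUserName=alice Status=0xC000006D",
    '{"time": "2024-03-03T09:03:45Z", "source": "cloud-idp", "user": "alice", "result": "FAILURE"}',
    '{"time": "2024-03-03T09:04:10Z", "source": "cloud-idp", "user": "alice", "result": "SUCCESS"}',
    "Mar 03 09:05:00 web01 sshd[1250]: Accepted publickey for bob from 198.51.100.9 port 6001 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) endpoint=(?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+)")


def _iso(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Optional[Dict]:
    """Normalize one raw line to {time, source, user, ok}; None if the format is unknown."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        return {"time": _iso(d["time"]), "source": d["source"], "user": d["user"],
                "ok": d["result"] == "SUCCESS"}
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"time": ts.replace(tzinfo=timezone.utc), "source": m["host"],
                "user": m["user"], "ok": m["outcome"] == "Accepted"}
    m = WINEVT_RE.match(line)
    if m:  # 4625 = failed logon, 4624 = successful logon
        return {"time": _iso(m["ts"]), "source": m["host"], "user": m["user"],
                "ok": m["eid"] == "4624"}
    return None


def parse_all(lines: List[str]) -> List[Dict]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def detect(events: List[Dict], threshold: int = 4,
           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One alert per account that accumulates `threshold` failures inside `window`,
    across all sources. A success after the cluster is flagged as the higher-priority signal."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if not e["ok"]]
        for i, first in enumerate(failures):
            cluster = [f for f in failures[i:] if f["time"] - first["time"] <= window]
            if len(cluster) >= threshold:
                later_success = any(e["ok"] and e["time"] >= cluster[-1]["time"] for e in evs)
                alerts.append({"user": user, "failures": len(cluster),
                               "sources": sorted({f["source"] for f in cluster}),
                               "followed_by_success": later_success})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_all(SAMPLE_LOGS)):
        print(alert)
```

Run per source, the same rule stays silent (two failures on the server, two on the workstation, one at the identity provider); run over the merged stream it reports five failures for one account followed by a success, which is the case an analyst wants to see first.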

  • Generic vendor-supplied defaults: Failing to change default usernames and passwords on new devices and systems creates an open door for attackers.

Updated guidance: NIST mandates that organizations change or turn off vendor-supplied default credentials immediately.


  • Legacy access control models: Some older access control models grant permissions based on broad rules or static roles.

Updated guidance: Newer standards favor a Zero Trust architecture, which dictates that no user, system, or device should be trusted by default, and access must be verified continually.

