Times have changed and the NIST has updated their password recommendations to meet today’s challenges.
With the rise in hacker abilities and the continuing advancements in technology, it’s important to keep up with best-practice recommendations regarding passwords and security. The National Institute of Standards and Technology (NIST) has updated its password guidelines, and the rules that were generally considered standard are no longer the recommended norm.
The commonly used password guidelines include forcing users to change passwords frequently, requiring new passwords to differ from previously used ones, and only allowing complex passwords composed of upper- and lower-case letters, digits, and special characters.
Here’s how the NIST recommends companies change their password allowances and requirements, and how users should change their passwords to keep them more secure.
One of the most striking revised guidelines concerns complexity. The change in recommendations reflects that the complexity of a password does not necessarily equal password strength. For instance, there are numerous ways to turn the word ‘password’ into something that would pass a system check for a complex password, but P4$$word, passw0Rd!, and p@ssword1234 are not different enough from the original word to keep a hacker from easily gaining access to your account, should they be interested in obtaining your confidential financial or personal data.
Organizations can support users’ selection and use of better passwords by encouraging longer passwords and allowing password managers throughout the organization. The number of passwords a single user now has to remember across all of their accounts and devices may discourage them from choosing a complex password, leading them to create something simple and easy to remember instead. Letting users unlock a password manager with one central password, and letting the manager supply the passwords for the rest of the programs they need, allows users to create complex passwords they don’t have to worry about remembering.
The NIST suggests that passwords of at least 64 characters should be allowed and encouraged. Some legacy systems may not support passwords of that length, which makes it all the more important for users to create the longest and most complex passwords their system will allow in order to keep accounts secure.
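To make the complexity and length points above concrete, here is an added example (not from the article or from NIST) of a legacy composition check next to a NIST-style check that drops composition rules in favour of a length floor, a generous length ceiling, and a blocklist lookup on the normalized candidate. The blocklist and the leet-substitution table are constructed for illustration; a real deployment would load a breached-password corpus.

```python
import string
import unicodedata

# Constructed sample blocklist. A real deployment would load a breached-password
# corpus instead of this handful of entries.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Common substitutions that make a weak word look complex without adding strength.
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
                      "3": "e", "1": "i", "!": "i", "7": "t", "|": "l"})

def legacy_complexity_ok(pw):
    """Old-style composition rule: 8+ characters and at least 3 of 4 character classes."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3

def normalize(pw):
    """Reduce a candidate to the dictionary word it is built on: Unicode-normalize,
    lower-case, drop trailing digits/punctuation ('password1'), undo leet substitutions."""
    text = unicodedata.normalize("NFKC", pw).lower()
    text = text.rstrip(string.digits + string.punctuation)
    return text.translate(LEET)

def nist_style_check(pw, username="", min_len=8, max_len=256):
    """Return a list of rejection reasons; an empty list means the password is accepted.
    Length bounds, a blocklist lookup and a username check, but no composition rules.
    max_len is deliberately well above 64 so long passphrases are never truncated."""
    reasons = []
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    base = normalize(pw)
    if base in BLOCKLIST:
        reasons.append(f"variant of blocklisted word '{base}'")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    return reasons

if __name__ == "__main__":
    for candidate in ("P4$$word", "passw0Rd!", "p@ssword1234", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"nist={nist_style_check(candidate) or 'accepted'}")
```

All three ‘password’ variants from the article satisfy the legacy rule yet are rejected by the blocklist check, while a plain four-word passphrase fails the legacy rule and is accepted.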
Another potential weakness that the National Institute of Standards points out in its guidelines is the use of hint questions to let users recover forgotten passwords. With the high level of personal data now shared readily on social networking sites, and the low quality of the hint questions companies require to retrieve a password, hint questions do not add the extra barrier of security that the firms implementing them believe they do. The NIST advises stopping the use of hint questions as a means of helping users recover account access.
Lastly, another change that stands out in the revised guidelines concerns the forced regular change of passwords. It is well documented that the average user, when forced to change a password, will simply type in their regular password and add a 1 to the end. Replacing a password with a slightly changed version of itself negates the effectiveness of changing the password at all. It is much more effective to encourage lengthy and complicated passwords and to allow the user to use a password manager, or to copy and paste their password into the field from another location.
The National Institute of Standards has published a four-volume Digital Identity Guidelines document suite online. Please follow the link below to read and/or download the full list of updated guidelines from the NIST government website.