Passwords are the touchstone for securing access to sensitive data—both personal and professional. They are the main defense against computer hackers, protecting our identities on websites, e-mail accounts and more. They are also used for bank transactions and making secure purchases. With all of this sensitive data at stake, creating good passwords is extremely important.
Hackers typically try to break into a computer or secure account either by guessing passwords one at a time or by using an automated tool to repeatedly guess passwords from a database of common words or other information. Even the best passwords can be conquered with enough time, skill, and computer processing power. This means a strong password is vital to prevent attacks by less determined hackers and to buy time by raising red flags that can help catch hackers in the act.
The problem, though, is that users often find passwords cumbersome, have trouble remembering them, and try to make them simple while using them over and over again. For example, a 2010 study found that users will simply capitalize the first letter of their password and add a “1” or “!” to the end, making the password no harder to crack since hackers have identified and expect these patterns. And in 2016, Experian found that millennials had, on average, 40 services registered to a single email account, and only five distinct passwords.
To combat some of these issues, the National Institute of Standards and Technology (NIST) recently released new password guidelines. A non-regulatory federal agency, NIST produces guidance documents and recommendations that often become the foundation for best practice across the security industry and are incorporated into other standards. They are essentially the rule of thumb that most of us in IT live by.
In their latest revision of the Digital Identity Guidelines (SP 800-63-3), NIST calls for a more user-friendly approach to password requirements. This includes not requiring periodic password changes and modifying password complexity rules. Many see these guidelines as a stark contrast to previous recommendations, and while they do vary somewhat, they really aren’t much different from what we here at M.A. Polce Consulting currently train end users on.
So what does this mean for you and your end users? Let’s break down the new guidelines to see what they really mean.
The key principles in NIST’s new standards for password complexity are:
- Passwords should be a minimum of 8 characters, and systems should accept passwords of at least 64 characters.
- Every new password should be checked against a “blacklist” that can include dictionary words, repetitive or sequential strings, passwords taken in prior security breaches, and variations on the site name.
- Don’t use password hints or knowledge-based authentication. With the constant dissemination of personal information on social media or through social engineering, the answers to such questions or hint prompts can be easy to find.
- Limit the number of password attempts. There is a noticeable difference between the number of guesses a typo-prone user needs and the number of guesses an attacker needs, so there’s no reason not to include a cutoff or delay.
- Use a passphrase. Using a phrase or string of words will help create longer passwords that are harder to break and easier to remember.
- Do not require password resets unless there is reason to suspect compromise.
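The length, blocklist and attempt-limit items above can be turned into code. The following is an added example written for this post, not code from NIST or from M.A. Polce Consulting: `check_password` applies the length rule and a blocklist check that also catches the "capitalize the first letter and add a 1 or !" habit and common leet substitutions, plus repetitive and sequential runs and variations on the site name; `AttemptLimiter` implements the cutoff and delay from the attempt-limiting item. The blocklist here is a constructed seven-word sample (a real deployment would load a dictionary and a breach corpus), and the site name `examplebank` is a placeholder.

```python
"""Password policy checks in the spirit of NIST SP 800-63B.
Added example, not from the original post. BLOCKLIST is a constructed sample and
"examplebank" is a placeholder site name."""
import re
import time

MIN_LEN = 8
MAX_LEN = 64          # NIST: systems should accept at least 64 characters

# Constructed sample blocklist. A real deployment would load a dictionary plus a
# breach corpus (e.g. the Have I Been Pwned password list) from disk.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "monkey", "dragon"}

# Common "leet" substitutions, reversed so that Passw0rd still matches "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normal_forms(pw):
    """Variants of pw compared against the blocklist: lower-cased, with leading and
    trailing digits/punctuation stripped (catches 'Password1!'), and with leet
    substitutions reversed."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped, low.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return {f for f in forms if f}


def has_repetitive_run(pw, n=4):
    """True if any character repeats n or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw, n=4):
    """True if any window of n alphanumerics ascends or descends by one (1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if not window.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, site_name):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if has_repetitive_run(pw):
        problems.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    forms = normal_forms(pw)
    hits = sorted(forms & BLOCKLIST)
    if hits:
        problems.append(f"matches blocklisted word '{hits[0]}'")
    if any(site_name.lower() in f for f in forms):
        problems.append("contains the site name")
    return problems


class AttemptLimiter:
    """Per-account failed-login throttle: exponential delay after each failure and a
    hard lockout after max_attempts. A typo-prone user is slowed slightly; an online
    guessing run is stopped."""

    def __init__(self, max_attempts=10, base_delay=1.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.clock = clock          # injectable so the throttle can be tested offline
        self._state = {}            # account -> (failure_count, earliest_next_try)

    def allowed(self, account):
        failures, next_try = self._state.get(account, (0, 0.0))
        return failures < self.max_attempts and self.clock() >= next_try

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = self.base_delay * 2 ** min(failures - 1, 6)   # 1s, 2s, 4s ... capped at 64s
        self._state[account] = (failures, self.clock() + delay)
        return failures

    def reset(self, account):
        """Call on successful login or after an out-of-band unlock by the help desk."""
        self._state.pop(account, None)


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "ExampleBank2024"]:
        print(repr(candidate), check_password(candidate, "examplebank") or "OK")
```

`check_password` returns every violation rather than stopping at the first, so the user can be told everything that is wrong in one round trip. The limiter keeps state in memory for brevity; in a real login service the counters would live in shared storage so that an attacker cannot dodge the throttle by spreading attempts across application servers.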
NIST’s premise that incorporating variety and utilizing a longer password will be more secure is spot on. Passphrases and a longer password length are something we believe strongly in and seek to educate users on. A 21-character password with upper, lower and special characters would resist a brute force cracking attack for about 1 quintillion years. The goal of moving users away from the methodology of shifting just one character in a password that may consist of one short word is one that we wholeheartedly embrace.
Making users reset their passwords every few months is a classic security measure. The thinking is, any unauthorized person who obtained a user’s password will soon be locked out. And while this is true, NIST found that frequent mandatory password resets can actually make security worse. It’s hard enough to remember one good password a year. When users have to create new passwords regularly, they tend to make them weaker from the start.
The overall concept behind these new standards is that easier and more convenient security for users will translate to more people taking proper security precautions. Bottom line is, setting a firm password policy in your organization and using technical controls to enforce it is the first step to securing your network. Educating your users on the policy as well as basic principles like password storage is crucial in today’s threat landscape.
How will you implement these new standards? Let us know today!