It’s probably time to rethink your approach to passwords. If you’ve been requiring complex rules for new passwords and frequent password changes, you might be doing things all wrong. Such practices may no longer be the most effective, according to the National Institute on Standards and Technology. NIST is currently finalizing changes to its password guidelines, changes that break with several common approaches to password security.
The new guidelines come against a background of ever increasing user credential breaches, such as Yahoo’s epic 2014 hack, which saw some one billion accounts compromised. Last year alone, more than three billion of user credentials were stolen by cybercriminals.
Getting Rid of Password Practices That Don’t Work
It’s a frustration we’re all probably familiar with: You’re unexpectedly signed out of an account, such as your email or office messaging app or HR website. You can’t remember which password works, so you start entering your standards -- and if your organizartion requires you to reset passwords every few months, you soon rack up quite a list of standards. For many, these may be just slight variations of each other: NewPassword911, or N3wPassw0rd911, or N3wPa$$wierd2.
Eventually, you throw your hands up in frustration and just reset the account. After reminding the computer of you mother’s maiden name and your high school mascot, you create a new code, only to be told: “Sorry, your new password can’t be the same as your previous one.”
Under NIST’s draft guidelines, this might might become a slightly less frequent occurrence. The guidelines move away from the frustrating, and frustratingly common, password requirements that have become a feature of the modern workplace. As InfoWorld’s Fahmida Rashid, writing about the guidelines, notes:
When most credentials-based attacks no longer bother with brute-force methods, relying on password complexity doesn't really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics, it doesn't matter how complex the string is. Attackers can harvest credentials directly from the domain controller while moving laterally through the network, look up passwords from previously breached databases, or intercept passwords transmitted in plaintext.
And don’t forget that many data breaches are “inside jobs.” A 2015 study by Baker Hostetler, for example, found that 36 percent of data breaches could be attributed to employee negligence, while another 16 percent were caused by insiders stealing data. Byzantine password requirements aren’t going to be able to protect against malicious insiders if they drive employees to keep a list of common PWs taped to their monitors.
What's Hot and What's Not in SP 800-63-3
The NIST guidelines, known as Special Publication 800-63-3, could spur significant changes in how legal and business professionals approach password management and other digital identity and authentication issues. Though the guidelines act as technical requirements for federal agencies alone, they are highly influential in the private sector as well.
So, what’s getting thrown out? According to Rashid:
- Having special composition rules on creating strong passwords (such as requiring both uppercase and lowercase characters, at least one number, and a special character)
- Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise
- Password hints and knowledge-based questions, such as the name of the first pet, the mother's maiden name, or the high school mascot, as social media and social engineering have made it easy for attackers to use these pieces of information to bypass passwords
The first two changes should help reduce password glut, and thus desktop password Post-its. The third should make accounts harder to hack. The information demanded by many account security questions (your first pet’s name, where your father was born, and the like) often isn’t hard for a dedicated would-be-intruder to figure out. Further, once that information is compromised through a data breach, it can’t be easily replaced -- unless your mother is willing to go back and change her maiden name.
In their place, NIST recommends several changes to improve password security. Again from Rashid:
- Users should be able to choose freely from all printable ASCII characters, as well as spaces, Unicode characters, and emojis
- Increase the minimum length of passwords to eight
- Check passwords against blacklists of unacceptable credentials, including previously breached databases, dictionary words (monkey), common passwords (letmein), and passwords with repeating or sequential characters (pass123)
- Lock accounts after several incorrect attempts to login
- Hash passwords with a salt when storing passwords to prevent cybercriminals from acquiring passwords that are stored in plaintext or with weak hash algorithms
Yes, in the future, you passwords could include a 😉 or 🚀, which, frankly, is pretty 🔥🔥🔥.
Multi-factor authentication also gets significant promotion under the new guidelines. This involves more than one authentication factor for access. Authentication factors fall into three categories, according to NIST: something you know, like a memorized password; something you have, such as a ID badge; and something you are, as in your biometric data.
Most of us are familiar with multi-factor authentication through things like a texted one-time verification code that must be entered in order to access an account. But NIST has recommended against one-off SMS messages for two-factor authentication. Instead, you might consider using verification code generators like Google Authenticator. Such apps can generate both their own complex passwords and one-time codes for third-party applications.
So, get ready to tweak your approach to passwords. Hopefully it’ll mean a bit less frustration and a bit more security.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.
