1 – Passwords should be at least 8 characters long and must contain complexity (at least 1 number, 1 upper case character, and 1 special character)
2 – Passwords should be changed every 90 days
3 – Contain limitations on re-use, usually something like 6 password changes before re-use is allowed
The above recommendations were based mostly on an original set of guidelines posted by the National Institute of Standards and Technology (NIST) many years back, and they remained the gold standard until recently.
Given the thousands of data breaches that have occurred over the past several years, NIST set about reviewing their recommendations and in June 2017 released updated recommendations via NIST Special Publication 800-63B – Digital Identity Guidelines.
In this document NIST concluded that password length, not complexity, was the primary factor in password strength. And they found that when forced to add complexity to a password or change it frequently users tended to behave in very predictable ways.
If my original password were “password”, to accommodate the complexity requirements most users would simply change it to “Password1!”. When it came time to change it they would simply change it to “Password2!”, “Password3!”, etc.
The bad actors know this behavior and their dictionary attacks on passwords include all these obvious predictable variations of common dictionary words used most often as passwords.
And if we forced users to create even more complex passwords or change them frequently they tended to just simply write them down someplace near their computer.
To avoid all those problems and to add length into the password selection process, the new recommendations suggest having users focus on passphrases rather than passwords, making their passcodes more like sentences than dictionary words. This will help blunt simple brute force dictionary attacks. Users can then add some reasonable complexity components inside those phrases to increase the passphrase strength.
Although there is still some industry discussion going on the new NIST guidelines on passwords now look like this:
1 – 8 character minimum, with a maximum passphrase length of at least 64 characters
2 – Simplify complexity requirements, but allow all ASCII characters, emojis and spaces in passphrases
3 – Eliminate mandatory periodic password changes. Change passwords only when there is some evidence or suspicion of compromise.
4 – Ban commonly used passwords and simple dictionary word passwords
5 – Use multi-factor authentication wherever reasonable to protect the most sensitive systems
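To make the contrast between the two rule sets concrete, here is an added example (my own illustration, not code from NIST or from this post) of a passphrase check that follows the new guidelines above: a length floor and ceiling, any character allowed including spaces and emojis, and a blocklist of common passwords, with no composition rules. The legacy checker is included only for comparison. The blocklist is a small constructed sample standing in for a real breached-password list, and the `normalize` step is my own heuristic for catching the predictable “Password1!” style variations described earlier; it is not an algorithm the guideline prescribes.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment would load a large
# breached/common-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MIN_LEN = 8
# NIST 800-63B requires accepting at least 64 characters; 64 is used here
# as the ceiling (assumption for this example), and over-long input is
# rejected rather than silently truncated.
MAX_LEN = 64

# Crude "leet" reversal used by normalize(): @->a, $->s, 0->o, 4->a, 1->l, 3->e
_LEET = str.maketrans("@$0413", "asoale")


def normalize(pw: str) -> str:
    """Reduce a candidate to its core word by undoing the predictable mangling
    users apply to satisfy complexity rules ("Password2!" -> "password").
    Heuristic for illustration only."""
    core = unicodedata.normalize("NFKC", pw).lower()
    # strip leading/trailing digits, punctuation and underscores
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", core)
    # undo common letter-for-symbol substitutions inside the word
    return core.translate(_LEET)


def old_policy_ok(pw: str) -> bool:
    """Legacy rule set (8+ chars, a digit, an upper-case letter, a special
    character). Kept only to show what it lets through."""
    return bool(
        len(pw) >= 8
        and re.search(r"\d", pw)
        and re.search(r"[A-Z]", pw)
        and re.search(r"[^A-Za-z0-9]", pw)
    )


def check_passphrase(pw: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason) under the 800-63B style rules:
    length bounds, every character allowed, blocklist match rejected,
    no composition requirements."""
    n = len(pw)  # counts code points, so spaces and emojis count as characters
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    if pw.lower() in blocklist or normalize(pw) in blocklist:
        return False, "matches a commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd!", "correct horse battery staple",
                      "mot de passe 🔑 🔑", "short1!"]:
        print(f"{candidate!r:36} legacy={old_policy_ok(candidate)!s:5} "
              f"new={check_passphrase(candidate)}")
```

Running the block shows the point of the guideline change: “Password1!” satisfies every legacy complexity rule but is rejected by the blocklist once the trailing digit and symbol are stripped, while a long, lower-case, space-separated phrase fails the legacy check and passes the new one.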
It’s going to take some time for all the vendors to take these new recommendations into account in their software and I also know it will take some time for the auditors to get caught up with all of these. I have worked with some of you on audits since June 2017 and the review requests are still using the old guidelines so for now we will need to speak to both sets of rules.
But I believe these newer recommendations do address many of the concerns our users (and we) have expressed about the old recommendations over the years. If properly implemented I think the new recommendations will move password security forward in a positive way until someone figures out a better way and eliminates the “memorized secret” entirely.
While it may take a while for you to be able to fully change the password policy for your organization, it's not too soon to begin talking about these new recommendations and beginning to implement them where and when you can.
For those that want to do some light reading, the full NIST document can be found here.
Most of the discussion on password strength is in the appendix at the end of the document.
As always stay tuned for more, as the discussions on this topic will continue to evolve.