The US National Institute of Standards and Technology (NIST) has some surprising recommendations that might prompt you to rethink your business’s password policies. Learn why change is needed and what NIST is recommending that companies do.
It’s time for a pop quiz. Is the following statement true or false?
It is best for businesses to require that employees create long, random passwords that include mixed-case letters, numbers, and symbols.
For a long time, the prevailing belief was that this statement was true, so many companies included composition rules in their password policies. However, the US National Institute of Standards and Technology (NIST) now believes these rules are hurting rather than helping businesses.
In a perfect world, employees follow their companies’ password policies and create long, random passwords that include mixed-case letters, numbers, and symbols. The passwords are strong and thus much harder to hack. However, these complex passwords are also much harder to create and remember, especially if employees are required to frequently change their passwords. As a result, in the real world, employees tend to create shorter passwords and often use tricks such as letter substitution. For example, they might use a zero for the letter “o” and an @ sign for the letter “a” to create passwords such as “MyP@ssw0rd”. Cybercriminals know these tricks, so passwords like “MyP@ssw0rd” are far from strong, even though they contain mixed-cased letters, symbols, and numbers.
Because of these issues, NIST now recommends that organizations follow different password practices. They include using passphrases, eliminating periodic password changes, and validating passphrases.
Instead of forcing people to create complex passwords that include numbers, symbols, and mixed-case letters, NIST recommends using “memorized secrets” — passphrases that are simple, long, and easy to remember.
When creating memorized secrets, people do not have to follow any composition rules. They can use any characters they want (including spaces), as long as the passphrases are very long. Longer passwords are cryptographically harder to break than shorter ones, even if the shorter ones include special characters, according to Paul Grassi, a senior standards and technology advisor at NIST.
Plus, passphrases without special characters are much easier to remember. For example, “potbellied puppies rule” is more memorable than “mN8b%Rc7”. Plus, “potbellied puppies rule” is much harder to crack. On an average computer, it would take more than 10,000 centuries to hack using a brute-force password-cracking tool, according to Kaspersky Lab’s password strength checker. Even the shorter passphrase “potbellied puppies” would take 11 centuries. In contrast, it would take only 12 days to crack “mN8b%Rc7” and just 3 minutes to hack “MyP@ssw0rd”.
While the passphrase needs to be something that the creator will readily remember, other people should not be able to guess it. For example, an employee should not create a memorized secret consisting of family members’ names. This information often can be gleaned from publicly available data sources such as social networking sites.
Plus, it is important to keep in mind how many passphrases employees will need to remember. Having to remember a bunch of them might prove difficult, prompting some people to write them down. A better option would be to use a password manager. Employees could create and use a passphrase to access the password manager and then use the tool’s random password generator to create strong passwords for their business accounts.
Eliminate Periodic Password Changes
While guidance from agencies such as NIST has changed on this issue, many audit firms still recommend periodic password changes. We can help you navigate the complexities associated with password policies, and set you on a course that satisfies your regulatory compliance requirements.
Businesses often require employees to change their passwords periodically (e.g., every 90 days). NIST recommends that this practice be eliminated. Here’s why: An expired password usually does not motivate people to create a brand new strong password, according to Grassi. Instead, it motivates them to change a few characters in the old password or follow the next logical progression in a password system they developed. Frequent password changes can also compel people into using another account’s password so that they have one less password to remember. All of these actions can result in weak passwords.
The bottom line is that memorized secrets should not have an expiration date. The only time a passphrase needs to be changed is if it has been compromised or an employee requests a change.
NIST recommends that organizations validate passphrases when people initially create or change their memorized secrets. After an employee enters a new passphrase, it should be checked against a list of passwords known to be compromised, expected, or commonly used. If the employee’s passphrase is on the list, the validation system should reject it and prompt the employee to enter a different one.
Each company needs to determine what to include on the list. For instance, the list might include the following:
- Passwords exposed in known data breaches (e.g., entries in the Pwned Passwords database).
- Passwords consisting of repetitive characters (e.g., “zzzzzzzzzzzzzzzzzzzzzzzzz”)
- Passwords consisting sequential characters (e.g., “123456890987654321” or “qwertyuiop”)
- Passwords containing context-specific terms (e.g., a username or email address)
Not Sold? There Are Other Options
NIST’s recommendations represent a significant divergence from current password practices. If you are not sold on the proposed changes, there are other ways to mitigate the risks brought about by weak passwords. For example, you might consider using two-step verification. We can go over all your options and help you implement the solution you feel is best for your business.