NIST Password Policy Updates
Did you know…
- Complex password requirements actually increase vulnerability
- They create more work for IT teams
- They frustrate users and reduce productivity and compliance
In December 2022, NIST began updating NIST SP800-63 Digital Identity Guidelines. The final review was initiated in August 2024, with a deadline of October 7, 2024 for all comments. The special publication is still in draft form, with a final version pending.
Multiple referenced studies reached the same conclusions, primarily regarding entropy as it relates to length, complexity, and user experience. It may be surprising that complex passwords are not the best recommendation. Password length, with a minimum of 15 characters, contributes the most entropy and therefore the most resistance to compromise.
NIST guidelines, per research and feedback, can be summarized in 5 key takeaways:
- Increase password length from a minimum of 8 characters to the recommended 15+ characters
- Remove mandatory complexity rules (such as special characters)
- Screen for breached or weak passwords
- Eliminate password expirations unless compromised
- Use multi-factor authentication (MFA) and encourage password managers
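The five takeaways translate directly into an acceptance check. The following is an added example, not code from the original post or from NIST: it gates on length and breach screening, treats context words (username, company name) like dictionary words, and deliberately has no composition rule and no calendar-based expiration. The weak-password list is a constructed sample, and the 64-character upper bound is an assumption.

```python
# Added example (not from the original post): a password acceptance check that
# follows the five takeaways. Length and breach screening are the gates;
# composition rules and calendar-based expiration are deliberately absent.
import hashlib
import unicodedata

MIN_LENGTH = 15   # recommended minimum from the post
MAX_LENGTH = 64   # assumption: allow long passphrases but cap processing cost

# Constructed sample of a breached/weak list; a real deployment would load a
# large corpus (or query a k-anonymity service). Stored as SHA-1 hex digests so
# the plaintext list does not sit next to the policy code.
_SAMPLE_WEAK = ["password", "Password1", "Password1!", "letmein",
                "correcthorsebatterystaple"]
WEAK_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_WEAK}


def _normalize(password: str) -> str:
    # NFKC so visually identical Unicode spellings compare (and hash) equal.
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    # Screening: reject anything already in a breach/dictionary list.
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in WEAK_HASHES:
        problems.append("appears in breached/weak password list")
    # Context words (username, company name) are as guessable as dictionary words.
    lowered = pw.lower()
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            problems.append("contains context word '%s'" % word)
    # A single repeated character satisfies the length rule but not its intent.
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    # No uppercase/digit/symbol rule: composition requirements are not part
    # of this policy.
    return problems


def rotation_required(compromised: bool) -> bool:
    """Expiration is event-driven: a change is required only on compromise,
    never because a calendar interval elapsed."""
    return compromised


if __name__ == "__main__":
    for candidate in ["Password1!", "icgnsicgnscitaitaitaiticgnicgn",
                      "correcthorsebatterystaple"]:
        print(repr(candidate), evaluate_password(candidate) or "accepted")
```

Returning a list of reasons rather than a boolean lets the enrollment form tell the user exactly what to change, which is the difference between a policy that is followed and one that is worked around.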

User frustration and productivity are improved when barriers to getting the job done are removed. These changes also reduce the workload on IT teams by constantly having to reset forgotten passwords.
Why?
The longer the password, the more difficult it is to crack; bad actors will abandon the effort for easier targets.
Requiring specific password composition is highly predictable; for example:
- Basic eight-character requirement: password
- Require a capital letter: Password
- Require a number: Password1
- Require a special character: Password1!
Screening for passwords already compromised or matching dictionary entries minimizes the need for changes later.
Using MFA adds defense in depth.
Here are a few examples of sites I visited this week:


Interesting requirements. What would you change to make them more secure?
Everyone knows their most secure password!
At a recent AITP RTP meeting, guest speaker Jeff Torello discussed the new password guidance. He presented a relatable approach to generating long passwords or passphrases. Everyone has a favorite song, poem, or verse they have known most of their life. It doesn’t require writing it down or extra memorization.
His example:
icgnsicgnscitaitaitaiticgnicgn
Any guesses? Sound familiar?
I can’t get no satisfaction
I can’t get no satisfaction
‘Cause I try and I try and I try and I try
I can’t get no, I can’t get no
Simply using the lyrics is as effective as using the first letter of each word – remember, length is key! (I don’t recommend using this song, though)
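To put numbers behind both the composition table in the "Why?" section and the lyric-acronym approach above, here is an added example (not from the post or from the talk it describes). It estimates search-space bits for a rule-driven password whose shape a guesser can anticipate, for an eight-character password with no pattern, and for plain length, and it rebuilds the acronym from the quoted lyric lines. The dictionary size and character-class counts are assumptions chosen to make the comparison concrete, not measured values.

```python
# Added example, not from the post: rough search-space arithmetic behind
# "length beats composition rules", plus the first-letter passphrase
# construction from the song. Class sizes and dictionary size are assumptions.
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32   # printable ASCII classes
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS   # 94
DICTIONARY_WORDS = 100_000                       # assumed common-word list size


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space when the guesser must try every string."""
    return length * math.log2(alphabet_size)


def pattern_bits() -> float:
    """Bits of search space when the guesser knows the rule-driven shape
    'Capitalized dictionary word + one digit + one symbol' (as in Password1!)."""
    return math.log2(DICTIONARY_WORDS * DIGITS * SYMBOLS)


def first_letters(lyrics: str) -> str:
    """Passphrase built from the first letter of each word, as in the talk."""
    letters = []
    for word in lyrics.split():
        stripped = word.lstrip("'")   # "'Cause" -> "Cause"
        if stripped:
            letters.append(stripped[0].lower())
    return "".join(letters)


# Constructed input: the four lyric lines quoted in the post.
LYRICS = """I can't get no satisfaction
I can't get no satisfaction
'Cause I try and I try and I try and I try
I can't get no, I can't get no"""


def comparison() -> dict:
    """Search-space bits for the shapes discussed in the post."""
    phrase = first_letters(LYRICS)
    return {
        "Password1! (pattern known)": pattern_bits(),
        "8 chars, all classes, no pattern": brute_force_bits(8, ALL_CLASSES),
        "15 lowercase chars": brute_force_bits(15, LOWER),
        "%d-char lyric acronym" % len(phrase): brute_force_bits(len(phrase), LOWER),
    }


if __name__ == "__main__":
    for label, b in comparison().items():
        print("%-36s %6.1f bits" % (label, b))
```

Under these assumptions the rule-driven shape is worth about 25 bits, the same eight characters with no exploitable pattern about 52, and fifteen lowercase letters about 71; the 30-letter acronym is around 141 even though it uses only one character class. The point is that a pattern the guesser can predict shrinks the search space far more than a missing character class ever does.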
What’s in it for you?
A more secure environment has tangible benefits.
Fewer compliance issues with standard policies.
Quantifiable cost savings. Quantifiable time savings. Quantifiable productivity.
The average firm spends $5.2 million a year setting and resetting passwords. Employees lose 11 hours a year resetting passwords. About 40% of helpdesk calls are for password assistance or resets.
https://blog.hypr.com/how-much-does-a-password-reset-cost
No organization or individual is immune to bad actors; do not wait until tomorrow – you may not have access.
Reach out today for your copy of the ultimate password policy or to discuss how you can start changing your policies.
References from NIST SP800-63 Digital Identity Guidelines Call for Comments on Second Public Draft of Revision 4
https://users.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf
https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434
https://dl.acm.org/doi/abs/10.1145/1866307.1866327?download=true
Other References