With the recent news that Bill Burr, who originally wrote the password-policy guidelines for government employees that also influenced the business world, now regrets the complexity standards he developed, businesses are left to decide how they should handle the new standards.
NIST released a draft of its guidelines for review last year, and this summer, released the final version. It’s a four-volume document, written, as Fortune describes, “in turgid bureaucrat-speak.” We’ll save you the trouble of wading through it and highlight some of the biggest changes from the password best practices of the past.
1. “Complexity” Is Out; Length Is In
For years, conventional wisdom said that adding special characters like numbers and symbols to passwords made them more difficult to crack. Hackers have realized, however, that most people choose common substitutions for letters in the alphabet (“3” for “E” or “!” for “I”), rendering special characters ineffective.
Also, as one expert tells Kaspersky Lab’s Threatpost, “Users need to remember these passwords and if they’re overly complex or if they change too frequently, users will resort to writing them down,” defeating their purpose as secrets.
Long passphrases, using regular words and spaces, are both easier to remember and more secure. The popular webcomic XKCD devoted a strip to showing that the password “Tr0ub4dor&3” is much easier to crack than the phrase “correct horse battery staple.” The comparison wasn’t even close: 3 days versus 550 years.
NIST recommends allowing passwords to be at least 64 characters long (including spaces) to allow for long, easy-to-remember phrases.
2. Periodic Changes Are No Longer Necessary
Unless you have reason to suspect your password has fallen into the wrong hands (such as through a phishing scam), there’s no reason to change it, experts now say.
Researchers at the University of North Carolina found that, when workers are asked to change their passwords every 60 or 90 days, most simply “transform” the old one, tacking on a few exclamation points, for example. This is enough to comply with company policy, but it doesn’t make a password any more difficult to guess.
A Carleton University study found that, even if users altered their passwords entirely, it still wouldn’t have much of an effect.
“The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users,” explained password expert Lorrie Cranor.
3. You Need Your Own Blacklist
The cyber-criminal’s most powerful tool these days is a massive database of common passwords (“password1”), dictionary words, and passwords that have been cracked in the past. NIST recommends you arm your organization with the same thing. These screening systems are new and may not yet be available for all of the on-premises and cloud services you use, but they will be in the not-too-distant future.
In its new guidelines, NIST says to perform a mandatory check of all new passwords against:
- “Passwords obtained from previous breach corpuses.”
- “Dictionary words.”
- “Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).”
- “Context-specific words, such as the name of the service, the username, and derivatives thereof.”
Furthermore, NIST says, when a user’s password is rejected for matching something on the “bad password” list, make sure the user understands why.
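As an added example (not from the article or from NIST), here is a Python screening function that applies the four checks listed above and returns a reason that can be shown to the user. The breach list and dictionary are tiny constructed samples standing in for real corpora, and the 8-character floor assumes NIST’s own minimum length for memorized secrets.

```python
import re
from typing import Optional

# Constructed sample corpora standing in for a real breach list and wordlist.
BREACHED = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY = {"dragon", "monkey", "sunshine", "welcome"}

# Undo the common substitutions the article mentions ("3" for "E", "!" for "I").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

def variants(pw: str) -> set:
    """Lower-case the password, strip trailing digits/punctuation, and undo
    letter substitutions, so 'Dr4gon!!' is compared as 'dragon' too."""
    lowered = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, core, lowered.translate(_LEET), core.translate(_LEET)}

def is_sequential(s: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters are identical or step by one
    code point (catches 'aaaa', '1234', 'abcd', 'dcba')."""
    for i in range(len(s) - run + 1):
        w = s[i:i + run]
        if {ord(b) - ord(a) for a, b in zip(w, w[1:])} in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw: str, username: str, service: str) -> Optional[str]:
    """Return None if the password passes, otherwise the reason to tell the user."""
    if len(pw) < 8:                       # assumed NIST minimum of 8 characters
        return "is shorter than 8 characters"
    cands = variants(pw)
    if cands & BREACHED:
        return "appears in a list of passwords exposed in previous breaches"
    if cands & DICTIONARY:
        return "is a dictionary word (with or without common substitutions)"
    if is_sequential(pw.lower()):
        return "contains repeated or sequential characters"
    for label, ctx in (("username", username), ("service name", service)):
        c = ctx.lower()
        if c and any(c in v for v in cands):
            return f"contains the {label}"
    return None
```

Because each rejection carries its own reason string, the calling application can show the user exactly which rule the password tripped, as NIST asks.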
How to Comply With the 2017 Password Best Practices
As you’ve probably realized by now, the new NIST guidelines represent a seismic shift away from some of the most commonplace password security practices, such as changing passwords periodically and requiring a certain degree of complexity.
To get your organization on board, you have to start from the top, explaining to management that you are strengthening your company’s security, not weakening it. Then you have to change deeply ingrained habits among your users, getting them to use longer passphrases rather than short words with a variety of characters.
You also have to build your password blacklist. Tools like two-factor authentication and password management software can also help shore up your security without inconveniencing your team.
To do all this, it helps to have an expert partner. When they can’t keep up with the pace of change in the data security field, many companies turn to outsourced IT providers to help implement the latest best practices. Learn more about how an outsourced IT provider can help your business in our free ebook, “The Ultimate Guide to IT Outsourcing.”