NIST proposes barring some of the most nonsensical password rules

October 7, 2024

The password remains the most widely used authentication factor, and the debate over how to form one, how often to change it, and how to store it is nearly as old as the password itself. One of the most common policies to come out of that debate is mandatory periodic rotation, typically every one to three months. Critics have long argued that this policy makes passwords weaker rather than stronger: users forced to change passwords on a schedule pick ones they can remember, and those are the ones an attacker can guess, often a small, predictable variation of the previous password. Another common policy, requiring special characters and other mixes of character classes, draws the same criticism.

The US National Institute of Standards and Technology (NIST) has come to agree with these critics. The latest public draft of SP 800-63-4, the Digital Identity Guidelines, sets out new technical requirements and recommended practices for password management (the password rules themselves sit in the SP 800-63B-4 volume, which covers authenticators). The guidelines are binding on federal agencies and, by extension, on the organizations that provide identity services to the federal government online. They are written in the usual normative vocabulary: what organizations must do (SHALL), must not do (SHALL NOT), should do (SHOULD), and should not do (SHOULD NOT). For instance, verifiers must impose a minimum password length of eight characters and should impose a minimum of 15 characters; they should also accept passwords of at least 64 characters so that long passphrases are not rejected.

Among the draft's SHALL NOT items: verifiers and CSPs (credential service providers) must not impose composition rules requiring mixtures of different character types, and must not require periodic password changes; a change must be forced only when there is evidence that the authenticator has been compromised. They also must not offer password hints accessible to unauthenticated claimants, and must not use knowledge-based authentication (security questions). What replaces these rules is not nothing: the draft still requires verifiers to compare a new password against a blocklist of commonly used, expected, or previously compromised values and to rate-limit failed attempts. The practices now being barred pushed users toward passwords that are harder to remember yet easier for attackers to guess, and ending them should lead to stronger passwords in practice.
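To make the difference concrete, here is a small Python comparison of a legacy verifier policy (character-class rules plus 90-day expiry) and one written in the spirit of the SP 800-63B-4 draft (length only, no expiry, a forced change only on evidence of compromise). This is an added example, not code from the article or from NIST: the class and function names, the 128-character implementation bound (the draft only requires that at least 64 be accepted), the choice of NFKC normalization before counting characters, and the sample passwords and accounts are all illustrative assumptions.

```python
"""Legacy password policy next to one following the SP 800-63B-4 draft.

Added example, not code from the article or from NIST. Names, the max_len
bound, the normalization form and the sample inputs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import unicodedata


@dataclass
class Account:
    last_rotated: datetime      # when the password was last set
    compromised: bool = False   # evidence of compromise, e.g. credential seen in a breach dump


def legacy_check(password: str, account: Account, now: datetime) -> list[str]:
    """The kind of policy the draft bars: character-class rules and 90-day expiry."""
    problems: list[str] = []
    if len(password) < 8:
        problems.append("too short (min 8)")
    if not any(c.isupper() for c in password):
        problems.append("needs uppercase")
    if not any(c.islower() for c in password):
        problems.append("needs lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("needs digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("needs special character")
    if now - account.last_rotated > timedelta(days=90):
        problems.append("expired: periodic change required")
    return problems


def nist_check(password: str, account: Account, *,
               min_len: int = 8, max_len: int = 128) -> list[str]:
    """Length-only policy: no composition rules, no expiry, a change forced
    only on evidence of compromise. max_len is an assumed implementation
    bound (the draft requires accepting at least 64 characters). Normalizing
    to NFKC (an assumption here) keeps the character count, and the stored
    verifier, stable across input methods."""
    problems: list[str] = []
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)  # code points, not bytes: spaces and Unicode count
    if length < min_len:
        problems.append(f"too short (min {min_len})")
    if length > max_len:
        problems.append(f"too long (max {max_len})")
    if account.compromised:
        problems.append("reset required: evidence of compromise")
    return problems


def meets_recommended_length(password: str, recommended_len: int = 15) -> bool:
    """The draft's SHOULD (15 characters): use this to nudge the user, not to reject."""
    return len(unicodedata.normalize("NFKC", password)) >= recommended_len


def demo() -> dict[str, object]:
    """Run both policies over constructed sample inputs and return the results."""
    now = datetime(2024, 10, 7, tzinfo=timezone.utc)
    stale = Account(last_rotated=now - timedelta(days=120))
    fresh = Account(last_rotated=now - timedelta(days=10))
    breached = Account(last_rotated=now - timedelta(days=10), compromised=True)
    passphrase = "correct horse battery staple"  # constructed sample: long, lowercase, spaces
    leet = "P@ssw0rd"                            # constructed sample: satisfies every class rule
    return {
        "legacy_passphrase": legacy_check(passphrase, stale, now),
        "nist_passphrase": nist_check(passphrase, stale),
        "legacy_leet": legacy_check(leet, fresh, now),
        "nist_leet": nist_check(leet, fresh),
        "nist_breached": nist_check(leet, breached),
        "passphrase_recommended": meets_recommended_length(passphrase),
        "leet_recommended": meets_recommended_length(leet),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The legacy policy rejects the 28-character passphrase on three character-class counts and on expiry while waving through "P@ssw0rd"; the draft-style policy accepts the passphrase, does not care that the account is stale, and forces a change of "P@ssw0rd" only once the account is flagged as compromised. A real verifier would add the draft's blocklist comparison and rate limiting in front of these checks.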

Although the guidelines bind only the US government and the organizations that do business with it, they deserve adoption as a general password standard. As a rule, users should rely on long, randomly generated passwords stored in a password manager, or on long passphrases that are easy to remember but expensive for an attacker to crack by computer.
