NIST proposes barring some of the most nonsensical password rules

October 7, 2024

The password is the foundation on which all computer security rests. In the decades since its introduction, there have been many debates over how to form the best password, how often to change it, and how to store it. One of the most common policies to come out of that debate is mandating regular password changes, typically every one to three months. Critics have opined that this policy actually makes passwords weaker rather than stronger, because it forces employees to choose weaker passwords that they can remember but that are easily guessed. Another common policy, mandating the use of special characters, is criticized for the same reason.

The US National Institute of Standards and Technology has come to agree with these critics. Its latest public draft of SP 800-63-4, the Digital Identity Guidelines, sets out a new set of technical requirements and recommended best practices for password management. Compliance with these requirements is mandatory for any organization interacting with the federal government online. The guidelines spell out what organizations must do, what they must not do, what they should do, and what they should not do. For instance, under these new regulations, organizations must impose a minimum password length of eight characters but should impose a minimum password length of 15 characters.

These regulations mandate that verifiers and CSPs (credential service providers) must not impose composition rules requiring mixtures of different character types, and must not require periodic password resets (however, if the authenticator is compromised, they must impose a reset). Further, these entities must not use password hints accessible to unauthenticated claimants and must not use authentication based on knowledge-based security questions. The rules now being barred have forced the creation of passwords that are harder for individual users to remember and easier for threat actors to guess, and their termination will likely lead to more secure passwords.
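As an added illustration, not code from the original post or from NIST, here is a small Python model of the legacy rule set the post criticizes beside a policy aligned with the draft requirements summarized above; the policy names, the `PasswordPolicy` fields and the 90-day expiry value are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Constructed policy model: one hard minimum, one advisory minimum, two legacy knobs."""
    min_length: int                          # "must" threshold: reject below this
    recommended_length: Optional[int] = None  # "should" threshold: warn, do not reject
    composition_rules: bool = False           # legacy: require upper/lower/digit/symbol mix
    max_age_days: Optional[int] = None        # legacy: periodic expiry; None means never expire


# The legacy policy the post criticizes (assumed 90-day rotation), beside the draft-aligned one.
LEGACY_POLICY = PasswordPolicy(min_length=8, composition_rules=True, max_age_days=90)
NIST_DRAFT_POLICY = PasswordPolicy(min_length=8, recommended_length=15)


def evaluate_password(pw: str, policy: PasswordPolicy) -> Tuple[bool, List[str]]:
    """Return (accepted, messages). Length is the only hard gate under the draft-aligned policy."""
    messages: List[str] = []
    if len(pw) < policy.min_length:
        return False, [f"shorter than the required minimum of {policy.min_length} characters"]
    if policy.recommended_length is not None and len(pw) < policy.recommended_length:
        # Advisory only: the draft says verifiers "should", not "must", require 15 characters.
        messages.append(f"accepted, but {policy.recommended_length}+ characters is recommended")
    if policy.composition_rules:
        has_lower = any(c.islower() for c in pw)
        has_upper = any(c.isupper() for c in pw)
        has_digit = any(c.isdigit() for c in pw)
        has_symbol = any(not c.isalnum() for c in pw)
        if not (has_lower and has_upper and has_digit and has_symbol):
            return False, ["must mix lower-case, upper-case, digit and symbol characters"]
    return True, messages


def reset_required(policy: PasswordPolicy, age_days: int, compromised: bool) -> bool:
    """A compromise always forces a reset; age alone forces one only under a max_age policy."""
    if compromised:
        return True
    if policy.max_age_days is None:
        return False
    return age_days >= policy.max_age_days
```

A long passphrase such as "correct horse battery staple" is rejected by the legacy policy for lacking an upper-case letter and a digit, yet accepted outright by the draft-aligned one, while a short "P@ssw0rd"-style string sails through the legacy rules.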

Although this policy applies only to the US government and organizations that do business with it, it should be recommended universally as a new password standard. As a general principle, users should use long, randomly generated passwords stored in a password manager, or long passphrases that are easy to remember but difficult for threat actors to crack with computers.
