The National Institute of Standards and Technology (NIST) has released updates to its Digital Identity Guidelines. Here are some key takeaways from the new guidelines:
- Minimum of 8 characters
- No requirement for special characters or numbers
- Block passwords from previous breaches
- Block common passwords (e.g., ‘password1’, ‘p@ssw0rd’, ‘welcome123’)
- Do not reuse passwords from other online services
- Avoid single dictionary words, even when they’re used alongside special characters or numbers (e.g., ‘trouble123’, ‘trouble!’)
- Avoid repetitive or sequential characters (e.g., ‘aaaaaa’, ‘1234abcd’)
- Exclude context-specific words, such as the name of the service, the username, and derivatives thereof (e.g., ‘gmail12345’, ‘hotmailpassword1’)
- Make passwords as long as possible, up to 64 characters, to improve strength. Short passwords are vulnerable to brute force and dictionary attacks.
- Generate random passwords whenever possible instead of creating your own
- Use a password manager to store passwords securely, reducing reliance on memory for longer, more secure passwords
- Implement multi-factor authentication (MFA) or two-factor authentication (2FA) in addition to using secure passwords (e.g., Authenticator apps like Microsoft Authenticator or two-factor via recovery email or SMS)
- Do not mandate periodic password resets for user accounts unless there is evidence of compromise, the user forgets their password, or the user leaves the organization
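The rules above that a verifier can enforce at password-set time (minimum and maximum length, breach and common-password blocklist, repeated and sequential runs, padded single dictionary words, and context-specific words such as the service name or username) are combined below into a single policy check. This is an added example, not code from NIST or the original post; the blocklists and dictionary are tiny constructed samples standing in for a real breach corpus and word list.

```python
import re

# Constructed sample lists; a real deployment would load a breach corpus
# (e.g. a Have I Been Pwned download) and a full dictionary instead.
BREACHED_PASSWORDS = {"password1", "p@ssw0rd", "welcome123"}
DICTIONARY = {"trouble", "welcome", "password", "summer"}
CONTEXT_WORDS = ("gmail", "hotmail", "contoso")  # service names, assumed here

MIN_LENGTH, MAX_LENGTH = 8, 64


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters each step up by one ('1234', 'abcd')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if low in BREACHED_PASSWORDS:
        problems.append("appears in breach/common-password list")
    if re.search(r"(.)\1{3,}", low):          # 'aaaa' or longer
        problems.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. 1234, abcd)")
    # 'trouble123' or 'trouble!' is still the single word 'trouble' once
    # digits and symbols are stripped; a multi-word passphrase is not.
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("is a single dictionary word padded with digits/symbols")
    if username and len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    for word in CONTEXT_WORDS:
        if word in low:
            problems.append(f"contains context-specific word '{word}'")
    return problems
```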
Although these guidelines are comprehensive, they may seem contradictory and confusing to some. For instance, while recommending a minimum of 8 characters for passwords, there is no enforcement of complexity through numbers or symbols.
According to howsecureismypassword.net, an 8-character password made only of lowercase letters can be cracked in 5 seconds. Adding a number, an uppercase letter, and a symbol extends this to 8 hours, which is still insecure.
To NIST’s credit, they advise increasing password length to enhance strength. From a password policy perspective, it would be more prudent to enforce a longer minimum length: for example, 18 characters if only lowercase letters are used, or 15 characters if a mix of upper- and lowercase letters is required. An 18-character lowercase password could take approximately 23 million years to crack, and a 15-character mixed-case password 43 million years. This is significantly better than 5 seconds.
You may be asking yourself, “How can you possibly enforce a 15- or 18-character password policy for end users? How will they ever remember a password that long?”
That’s where passphrases come in. A passphrase is several random words joined by a space, symbol, or number to make up the password. Optionally, the user can capitalize one of the letters.
NIST’s guidelines advise against using single dictionary words to avoid falling victim to dictionary attacks. However, this does not apply to a string of 4 or 5 words forming a longer password.
NIST also recommends using passphrases to extend password length, although their initial guidance against dictionary words might cause confusion. According to ZDNet, the FBI also advocates for passphrases over random passwords. A passphrase is easier for a person to remember and harder for a computer to guess because of its greater length and the sheer number of possible word combinations.
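The crack-time figures quoted above only make sense relative to an assumed guess rate. This added calculator (not from the original post or howsecureismypassword.net) back-derives that rate from the “8 lowercase characters in 5 seconds” figure, applies it to the longer character-based passwords discussed above, and extends the same arithmetic to random-word passphrases drawn from a 7776-word diceware-style list; the rate and the word-list size are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker throughput, chosen so that every 8-character lowercase
# password (26**8 candidates) is tried in 5 seconds, matching the figure above.
GUESSES_PER_SECOND = 26 ** 8 / 5          # roughly 4.2e10 guesses/s


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_space(words: int, dictionary_size: int = 7776) -> int:
    """Random words drawn with replacement; 7776 is the diceware list size (assumed)."""
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Strength expressed as bits: log2 of the number of equally likely candidates."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(space, rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    cases = [
        ("8 lowercase", keyspace(26, 8)),
        ("15 mixed-case", keyspace(52, 15)),
        ("18 lowercase", keyspace(26, 18)),
        ("4-word passphrase", passphrase_space(4)),
        ("5-word passphrase", passphrase_space(5)),
    ]
    for label, space in cases:
        print(f"{label:18} {entropy_bits(space):6.1f} bits  "
              f"{years_to_exhaust(space):.3g} years")
```

At this rate a 4-word random passphrase (about 52 bits) falls in roughly a day, while 5 words take decades; the lesson is that passphrase strength comes from the number of truly random words, not from length alone.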
Now that we have identified secure and memorable password types, should end users still periodically change their passwords?
According to NIST guidelines, periodic changes are unnecessary unless the password was breached. A breached password must be changed because it protects systems such as Active Directory or Azure AD, and possibly other online services where the same password is reused. Nonetheless, an argument can be made for changing passwords every 6 months or a year, especially if there is no system monitoring for breached passwords, or if the monitoring system is imperfect.
Another recommendation is to implement multi-factor authentication using an authenticator app or, if unavailable, two-factor authentication via recovery email or SMS.
Adding a second factor provides an extra layer of security that still protects the account even if the password is compromised. Where a second factor is not available, the password is the only line of defense, which makes its strength all the more important.
Do we still need a self-service password reset system if users aren’t required to change their passwords regularly? The answer is yes. Even if passwords change infrequently, an organization that still runs a policy requiring resets every 60 or 90 days will keep generating resets, and users may forget their passwords, lock themselves out, or need to change a password after a breach, all of which cost IT departments significant money. The cost of a password reset, as noted by Vijay Shankar from Freshworks citing Forrester Research, can be up to $70 USD per reset ticket for an MSP or IT department, which adds up quickly depending on how many endpoints your help desk manages.
Consider a scenario where a CEO forgets their password right before a critical investor meeting and cannot reach the helpdesk for assistance. When evaluating the need for a self-service password reset system, it is crucial to consider whether you want end users or business owners to rely on the helpdesk in a panic, or to empower them to resolve such issues independently and be the hero.