Passwords remain a major risk to enterprises, even though safe password practices have been promoted for more than a decade. Nearly half (49%) of the breaches analyzed in Verizon’s 2023 Data Breach Investigations Report involved stolen credentials.
Enter NIST’s revised Digital Identity Guidelines, SP 800-63-4, whose authentication volume (SP 800-63B) covers passwords. NIST drops the onerous rules that never delivered and concentrates on the few practices that measurably help. Let’s look at the key updated guidelines.
- Do not require periodic password changes; require a change only when there is evidence of compromise.
- Require a minimum of eight characters (a SHALL) and recommend a minimum of 15 (a SHOULD). Verifiers must also accept passwords of at least 64 characters, so generated and passphrase-style passwords are never cut off.
- Do not impose other composition rules, such as requiring a mix of upper case, lower case, digits and symbols.
- Do not prompt users for knowledge-based authentication (“What was the name of your first pet?”) or security questions.
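The rules above are easy to state and easy to get subtly wrong on the verifier side (truncating at a byte limit, counting bytes instead of characters, silently rejecting spaces). Below is an added example, written for this page and not code from NIST or from Mobile Helix, that puts a legacy composition-rule policy next to a policy that follows the guidelines. The blocklist is a constructed stand-in for the breached-password list SP 800-63B requires verifiers to screen against; the 64-character cap and the case-folded blocklist comparison are this example’s own choices, not NIST requirements.

```python
import re
import unicodedata

MIN_LENGTH = 8          # SP 800-63B: verifiers SHALL require at least 8 characters
RECOMMENDED_MIN = 15    # SP 800-63B-4: verifiers SHOULD require at least 15
MAX_LENGTH = 64         # verifiers SHALL accept at least 64; 64 is this example's own cap

# Constructed stand-in for a blocklist of breached and commonly used passwords.
# A real verifier would load a corpus of millions of entries here.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1", "minnvikings56"}


def legacy_policy(password: str) -> bool:
    """The policy NIST is retiring: 8 to 16 characters and at least three of four
    character classes. It accepts weak-but-compliant strings such as P@ssw0rd1
    and rejects long passphrases outright."""
    if not 8 <= len(password) <= 16:
        return False
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def normalize(password: str) -> str:
    """Apply Unicode NFC so a password typed with combining characters compares
    equal to the same string typed with precomposed characters."""
    return unicodedata.normalize("NFC", password)


def nist_policy(candidate: str, enforce_recommended: bool = False) -> tuple[bool, str]:
    """Accept or reject a password on length and blocklist membership only:
    no composition rules, no truncation, and every printable character
    (spaces and non-ASCII included) is allowed. Returns (accepted, reason)."""
    password = normalize(candidate)
    length = len(password)          # code points, never bytes; never truncated
    if length < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if enforce_recommended and length < RECOMMENDED_MIN:
        return False, f"shorter than the recommended {RECOMMENDED_MIN} characters"
    if length > MAX_LENGTH:
        return False, f"longer than this verifier's cap of {MAX_LENGTH} characters"
    if password.lower() in BLOCKLIST:   # case-folded comparison is this example's choice
        return False, "appears on the blocklist of compromised or common passwords"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "amber tractor quilt harbor", "abcdefgh"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_policy(pw)}")
```

Note what changes hands: the legacy policy waves P@ssw0rd1 through and rejects a 26-character passphrase, while the NIST-style policy does the opposite, because the blocklist and the length check catch what composition rules only pretended to.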
Mandatory password changes are ingrained in enterprises, but NIST now considers them outdated. Research has found that frequent forced changes push people into minor, predictable edits that fit a pattern: MinnVikings56 becomes MinnVikings57. Cracking tools encode exactly these transformations as rules and try them first, so a new password derived from a leaked old one falls in a handful of guesses. NIST recommends changing a password only when there is evidence of compromise.
To make passwords safer, NIST recommends long passwords: at least 15 characters. Length is the lever that matters, with one caveat: the arithmetic only holds for passwords that are actually random. For a password drawn uniformly from the 95 printable ASCII characters, every added character multiplies the brute-force search space by 95, so a 12-character password has 95^6 (about 735 billion) times as many possibilities as a six-character one.
Per NIST, a password should therefore be either a string of random characters, ideally generated, or a phrase of several words.
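The two claims above, that a rotated password falls in a few guesses and that length (not character mixing) drives the cost of guessing a random password, can be made concrete with a little arithmetic. The following is an added example, not code from the page’s author or from NIST: a deliberately tiny rule set standing in for the mutation rules real cracking tools ship with, next to the search-space and entropy calculations for genuinely random passwords and passphrases. The guess rate of ten billion per second is an assumption chosen to represent an offline attack on a fast unsalted hash; the 7776-word list size is that of a standard diceware list.

```python
import math
import re

PRINTABLE_ASCII = 95          # what a keyboard can type; what a password generator draws from
DICEWARE_WORDS = 7776         # size of a standard diceware word list, for passphrase entropy
GUESSES_PER_SECOND = 1e10     # assumption: offline GPU rig against a fast unsalted hash


def rotation_guesses(old_password: str, steps: int = 5) -> list[str]:
    """The guesses a rule-based cracker tries first when a user's previous password
    is known: bump a trailing number, then tack on the usual suffixes. This is a
    constructed rule set, far smaller than a real rule file, but the same idea."""
    guesses = []
    match = re.fullmatch(r"(.*?)(\d+)", old_password)
    if match:
        stem, digits = match.groups()
        for step in range(1, steps + 1):
            # keep the original zero padding, e.g. "09" -> "10"
            guesses.append(f"{stem}{int(digits) + step:0{len(digits)}d}")
    for suffix in ("!", "1", "#", "2024", "2025"):
        guesses.append(old_password + suffix)
    return guesses


def guesses_until_found(new_password: str, old_password: str):
    """Number of pattern guesses needed to hit the new password; None if the
    new password is outside the pattern (which is the point of a random one)."""
    for n, guess in enumerate(rotation_guesses(old_password), start=1):
        if guess == new_password:
            return n
    return None


def search_space(alphabet_size: int, length: int) -> int:
    """Count of possible passwords of the given length over the given alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password (or passphrase, with the
    word list as the alphabet and the word count as the length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try every candidate at the assumed guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("MinnVikings57 after MinnVikings56 falls on guess",
          guesses_until_found("MinnVikings57", "MinnVikings56"))
    for length in (6, 8, 12, 15):
        space = search_space(PRINTABLE_ASCII, length)
        print(f"random {length:2d} chars: {entropy_bits(PRINTABLE_ASCII, length):5.1f} bits, "
              f"{years_to_exhaust(space):.3g} years to exhaust")
    print(f"five diceware words: {entropy_bits(DICEWARE_WORDS, 5):.1f} bits")
```

The pattern cracker finds the rotated password on its first guess, whereas a 15-character random password sits behind roughly 98 bits of entropy; a five-word diceware phrase, which is far easier to remember, still beats an eight-character random string.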
There is an inherent challenge with requiring passwords to be long and strong: they are hard for humans to remember. To accommodate our limited memories, people devise guessable workarounds. LastPass reported in 2022 that 65% of those surveyed use mostly the same password or a variation of it.
NIST has a recommendation for humans and our fallible memories:
Verifiers SHALL allow the use of password managers. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators.
Leading password managers include LastPass, 1Password, and Dashlane. Bought in volume, the highest-rated password managers cost four or five dollars per user per month.
You can improve your company’s security posture by starting with these two NIST recommendations:
- Adopt the counter-intuitive practice of not mandating password changes.
- Provide password managers to help employees use long and strong passwords.
And please, don’t ask me for the name of my first pet.
-Maureen
Maureen Blando is the President and COO of Mobile Helix, makers of the LINK App for lawyers.
NIST Definitions
Authenticator: Something that the subscriber possesses and controls (e.g., a cryptographic module or password) and that is used to authenticate a claimant’s identity. See authenticator type and multi-factor authenticator.
Shall: The terms “shall” and “shall not” indicate requirements to be strictly followed in order to conform to the publication and from which no deviation is permitted.
Should: The terms “should” and “should not” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
Subscriber: An individual enrolled in the CSP (credential service provider) identity service.
Verifier: An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or more authenticators using an authentication protocol. To do this, the verifier needs to confirm the binding of the authenticators with the subscriber account and check that the subscriber account is active.