The NIST Proposes New Password Guidelines: Are They Worth It?

Password hygiene is a basic part of security. But as threats intensify and the number of places that require a password keeps growing, better login practices are crucial.

Discussion about strong passwords is nothing new. In the IT and cybersecurity space, we have had this conversation for years. Some assert that a single complex password is no longer sufficient. Others suggest using a password manager to wrangle the many complicated logins we are supposed to maintain.

What makes a good password? Conventional advice recommends a healthy mix of special characters, numbers, and letters. Names and easily guessable phrases have always been a no-go. Reusing the same password across different websites, apps, and software is also never recommended: if an attacker obtains one password, they can replay it against every other service the victim uses (credential stuffing), and one leaked login becomes access to everything.

The set of new proposals

The National Institute of Standards and Technology has proposed a new batch of password-focused guidelines in a draft revision of its digital identity guidance (Special Publication 800-63B). It is a big departure from the typical recommendation for password creation: the mandatory mix of symbols, digits, and mixed-case letters.

First, it is important to remember that these are guidelines, not regulations that must be applied. However, they can signal a shift in how password rules are set for organizations, businesses, and vendors that require logins to access sensitive data. Specifically, the document addresses credential service providers (CSPs) and the verifiers that check passwords, and uses mandatory language ("shall", "shall not") for several of the new requirements.

In brief, the guidelines focus on several key areas in the hope of improving password and credential security. As a draft, they are still subject to change, but they signal a shift in what counts as proper password management.

The headline changes are two prohibitions. Verifiers should no longer impose composition rules such as requiring special characters, digits, or mixed case. They should also stop forcing password changes on a fixed 30-, 60-, or 90-day schedule. The remaining recommendations stay closer to established practice: passwords must be at least 8 characters long, and NIST recommends a minimum of 15; verifiers should accept passwords of at least 64 characters, including spaces and any printable character, rather than capping length at 16; and every new password should be checked against a blocklist of commonly used and previously breached passwords.

NIST finds problems caused by complexity

Some of these proposed guidelines are a direct challenge to the concept of password complexity. On paper, the idea of complex logins appears sound: forcing a mix of letters, digits, and symbols should make passwords harder to guess or brute-force. In practice, complexity rules create an inverse problem.

Because standard advice calls for a distinct complicated login for every website, app, and service, users compensate by inventing "complex" passwords that are really memorable patterns: a dictionary word with a capital first letter, a digit swapped in for a vowel, and an exclamation mark at the end. Such a password satisfies every composition rule yet sits near the top of any cracking wordlist. Users are also likelier to store these logins in unsafe places, on paper or in a notepad file, and, because they are hard to remember, to reuse them across services. As noted above, reuse is exactly the risk the rules were meant to reduce, so the security problem reinvents itself.

The other core problem NIST identifies is that routine password changes lead to weaker passwords over time. Faced with a reset every few months, users pick something easy to remember and increment it each cycle, so a forced change buys little against an attacker who already knows the previous value. NIST therefore proposes forcing a reset only when there is evidence that the credential has been compromised, for example when it turns up in a breach list.
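The following is an added example, not NIST's code or the original author's, showing what the two policies summarized above look like when written down: a legacy "healthy mix" check (8 to 16 characters, upper, lower, digit, symbol) beside a NIST-style check (length floor of 8 with 15 recommended, ceiling of at least 64, no composition rules, reject known-compromised passwords) and a rotation rule driven by evidence of compromise rather than the calendar. The breach list and sample passwords are constructed for the demo; a real verifier would load a large blocklist or query a k-anonymity range API, but the comparison, hash of the candidate against hashes of breached values, is the same.

```python
"""Added example: legacy composition policy vs. NIST-style policy.
Illustrative code, not from NIST or the article; breach list is constructed."""
import hashlib
import unicodedata
from typing import List

# Constructed stand-in for a breach/common-password blocklist (not real breach data).
_CONSTRUCTED_BREACH_LIST = [
    "password", "P@ssw0rd", "P@ssw0rd1!", "Summer2024!", "letmein", "qwerty123",
]
# Store only digests so the plaintext list never has to live next to the check.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACH_LIST
}

MIN_LEN = 8            # hard floor
RECOMMENDED_MIN = 15   # advisory floor; reported, not enforced, in this demo
MAX_LEN = 64           # verifier must accept at least this many characters
LEGACY_ROTATION_DAYS = 90


def normalize(password: str) -> str:
    """NFKC-normalize so equivalent Unicode forms compare equal.
    Nothing is stripped: spaces and all printable characters are allowed."""
    return unicodedata.normalize("NFKC", password)


def is_breached(password: str) -> bool:
    """Blocklist check by SHA-1 digest (the format breach-list services publish)."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def legacy_policy(password: str) -> List[str]:
    """The 'healthy mix' rules the article describes. Returns violations (empty = accepted)."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a symbol")
    return problems


def nist_style_policy(password: str) -> List[str]:
    """Length floor, length ceiling of at least 64, no composition rules,
    reject compromised passwords. Returns violations (empty = accepted)."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        # Reject explicitly; silently truncating would verify a different secret.
        problems.append(f"longer than {MAX_LEN} characters")
    if is_breached(pw):
        problems.append("appears in a breach/common-password list")
    return problems


def rotation_required(days_since_change: int, compromise_evidence: bool, legacy: bool) -> bool:
    """Legacy: rotate on a schedule. NIST-style: rotate only on evidence of compromise."""
    if legacy:
        return days_since_change >= LEGACY_ROTATION_DAYS or compromise_evidence
    return compromise_evidence


if __name__ == "__main__":
    # Constructed sample passwords: the first two satisfy every composition rule
    # yet are in the breach list; the passphrase fails the legacy rules but is long
    # and unbreached, which is the outcome the NIST draft is designed to produce.
    for sample in ["P@ssw0rd1!", "Summer2024!", "correct horse battery staple", "short"]:
        print(f"{sample!r:35} legacy={legacy_policy(sample) or 'OK'} "
              f"nist={nist_style_policy(sample) or 'OK'}")
    print("rotate after 91 days, no evidence:",
          rotation_required(91, False, legacy=True), rotation_required(91, False, legacy=False))
```

Note the asymmetry the output makes visible: the legacy check accepts "Summer2024!" and rejects a 28-character passphrase, while the NIST-style check does the opposite. The blocklist is where the real defensive value sits, so it should be refreshed as new breach data appears and applied both at password creation and, for the compromise-triggered reset, at login.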

Mandate or suggestion?

Given the shift in language, a key question arises: are these guidelines only, or will they become mandates for credential providers? If so, and in an environment where suggestion becomes regulation, what does that mean for password management and generation?

It’s a broad question with no simple answer (as is everything in cybersecurity).

At a general glance, the new guidelines do highlight real problems with password creation, maintenance, and hygiene. The reliance on "complex" passwords yields easily guessable variations. Longer, sure, and full of special characters, certainly, but the composition rules only pushed users toward predictable patterns. Complex passwords are harder to remember, so the median user developed guessable strategies to compensate.

Additionally, the demand for complex credentials created a market for password managers. Browser extensions can automatically generate and store a unique, random login for each website visited. On one hand, this is convenient and addresses a genuine problem for average computer users. On the other, it does not by itself build good password hygiene or critical thinking about security habits. Far too often, we automate bandages over security problems instead of addressing the causes. And if a password manager is compromised in any capacity, the risk to its user base, and to every site and service whose credentials it holds, is immense. How immense depends on the design: a manager whose vault is encrypted client-side with a key derived from the master password limits what a breach of the vendor exposes, whereas a weak master password or a compromised endpoint exposes everything.

That is why, in time, NIST's password guidelines may shift from suggestion to mandate.

Cleaning up password hygiene

The broad takeaway is a renewed focus on password hygiene and strategy. Reliance on complexity rules and bolted-on tooling, while handy, has proven insufficient on its own. As cybersecurity and IT environments keep changing, so must the methods we use to address their gaps.

However, not all SMBs and organizations have the resources or knowledge to restructure their cybersecurity policies or password guidelines. For these problems, consider getting help. Additional information can be found by contacting Bytagig today.
