Peter Stancik discusses the new Digital Identity Guidelines drafted by NIST, which offer an update on password security.
You know the struggle – you’re staring at yet another sign-up form, on yet another website, after being asked to create an account in order to proceed.
You do your best to come up with a password you aren’t already using across your most crucial online accounts and hit submit. Not so fast! “Password must contain at least one uppercase letter.” Okay then, there you go, submit. “Password must contain at least one special character.” Now the password can’t contain the very character you’ve chosen. Sorry, now the “password is too long”.
Well, all this may be about to change.
As of May 1, the new Digital Identity Guidelines drafted by NIST (the US National Institute of Standards and Technology) are closed for public comment and ready to be finalized.
The guidelines will bring new and improved password requirements, changing most of what we’ve known as a “necessary evil” needed to secure our accounts.
As many of the previously utilized rules have proven ineffective or even counterproductive, NIST now recommends administrators leave out any measures that put a burden on users but don’t significantly improve their security.
Doing so is expected to lead to increasingly secure authentication, as users won’t be compelled to find easy (and insecure) ways around overly complicated requirements.
Although the guidelines are only binding for federal agencies, they tend to have great influence on organizations in general, which in turn affects internet users worldwide.
So what are some of the major changes ahead?
No more enforced composition rules
Complex composition rules (such as requiring users to include both uppercase and lowercase characters, at least one number and a special character) are to be eliminated. The reason is that such rules rarely lead users to set stronger passwords; instead they tend to produce passwords that are both weak and difficult to remember.
No more periodic password expiration
The new guidelines also advise against requiring routine password changes unless the subscriber requests a change or there is evidence of a compromise. The argument here is that users only have so much patience for having to constantly think of new reasonably strong passwords, thus forcing them to do it repeatedly can do more harm than good.
No more hints and knowledge-based authentication
Another thing to leave behind, according to NIST, are password hints and knowledge-based verification questions. While these might in fact help users recover forgotten passwords, they can also be of great value to attackers – even more so if the same hints or answers are reused on multiple sites.
Blacklist of unacceptable passwords
Instead of the previously used composition rules, NIST recommends checking new passwords against a “blacklist” of the most commonly used and/or previously compromised passwords and evaluating matching attempts as unacceptable.
Broader variety of characters
When setting a password, users should be able to choose freely from all printable ASCII characters, as well as UNICODE characters including emojis. Users should also have the option of using spaces, which are a natural part of passphrases – an often-recommended alternative to traditional passwords.
Minimum length of eight characters
The new guidelines acknowledge length as the key factor in password strength and introduce a minimum required length of eight characters and a maximum of 64 characters.
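To make the four changes above concrete (no composition rules, a blocklist check, free choice of printable ASCII, Unicode and spaces, and an 8 to 64 character length range), here is a small validator written for this article as an added example; it is not code from the article or from NIST. The legacy policy it is contrasted with, the blocklist contents, the 16-character legacy cap and the NFKC normalization step are all assumptions of the example.

```python
"""Password acceptance checks in the spirit of the draft NIST guidelines.

Added example, not code from the article or from NIST.
"""
import unicodedata

# Constructed sample blocklist. A real deployment would load a large list of
# commonly used and previously breached passwords instead of this handful.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein", "iloveyou",
    "welcome1", "p@ssw0rd", "admin", "correct horse battery staple",
}

MIN_LEN = 8
MAX_LEN = 64


def legacy_check(pw: str) -> list:
    """The kind of composition policy the article argues against.

    Returns a list of complaints (empty list means accepted). The 16-character
    cap and the fixed set of 'special' characters are assumptions chosen to
    mirror the sign-up form described in the article.
    """
    problems = []
    if len(pw) > 16:
        problems.append("password is too long")
    if not any(c.isupper() for c in pw):
        problems.append("must contain at least one uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain at least one number")
    if not any(c in "!@#$%^&*" for c in pw):
        problems.append("must contain at least one special character")
    if " " in pw:
        problems.append("spaces are not allowed")
    return problems


def nist_check(pw: str, blocklist=BLOCKLIST) -> list:
    """Length-plus-blocklist policy: no composition rules at all.

    Any printable character (ASCII, Unicode, emoji, spaces) is allowed; length
    is measured in Unicode code points so an emoji counts as one character.
    NFKC normalization is an assumption of this example: it makes visually
    identical inputs typed on different keyboards compare equal before the
    blocklist lookup and before the password is eventually hashed.
    """
    problems = []
    norm = unicodedata.normalize("NFKC", pw)
    n = len(norm)
    if n < MIN_LEN:
        problems.append(f"at least {MIN_LEN} characters required")
    if n > MAX_LEN:
        problems.append(f"at most {MAX_LEN} characters allowed")
    # Reject only true control characters (category Cc). Format characters such
    # as the zero-width joiner are kept because multi-person emoji rely on them.
    if any(unicodedata.category(c) == "Cc" for c in norm):
        problems.append("control characters are not allowed")
    # Case-insensitive match: "Password1" and "password1" are the same guess.
    if norm.casefold() in blocklist:
        problems.append("password is too common or known to be compromised")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "my cat eats 🍕 on tuesdays", "short"):
        print(repr(candidate))
        print("  legacy:", legacy_check(candidate) or "accepted")
        print("  nist  :", nist_check(candidate) or "accepted")
```

Note how "P@ssw0rd" satisfies every composition rule of the legacy policy yet is rejected by the blocklist, while the long spaced passphrase with an emoji fails five legacy rules and is accepted under the length-and-blocklist policy.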
One factor is not enough (but leave SMS out of it)
No matter how much effort you put into improving your passwords, they remain just a single barrier standing between potential attackers and your valuable data. When aiming for secure accounts, an additional layer of authentication should be considered as an absolute must. NIST knows this and recommends utilizing two-factor or multi-factor authentication whenever possible.
The point of 2FA/MFA is to verify that the person trying to gain access to an account is really the person authorized to do so. In practice, this can be done using something you know (like a memorized password or a PIN), something you have (such as a security token or a mobile phone) or something you are (biometric methods like fingerprint readers, face or retina scanners).
What’s new in the latest recommendations in terms of 2FA? SMS is no longer advised as a second factor because it is susceptible to numerous threats. More secure alternatives to SMS include hardware devices as well as software-based one-time password (OTP) generators – such as authenticator apps installed on mobile devices.
NIST is not alone in this recommendation. The people behind World Password Day, an initiative focused on improving password strength, suggest that each account should have its own unique password and that users adopt either a “passcode” strategy for increased security or two-factor authentication, since a password on its own provides only a single security step between an attacker and sensitive data. The takeaway here thus echoes one of our most central pieces of advice: use a reliable, multi-layered security solution.