Despite advancements in biometric technologies and the use of multi-factor authentication (MFA), passwords are still today’s front-line defense when it comes to cybersecurity and access control. Every day, users are required to login multiple times to access a myriad of resources, some that contain sensitive information others that do not – all while the bad guys attempt to steal, reuse, and guess passwords to gain access to anything from Netflix to online banking.
In order to address security concerns, the National Institute of Standards and Technology (NIST) performed a multi-year study and recently released new password standards (NIST SP 800-63). In a major shift away from common practices, these NIST standards recommend that organizations actually reduce requirements on complexity, size, and character types, as well as frequent password changes.
Instead of increasing security, the study found that burdensome password requirements actually increase risk through poor passwords and password reuse. When employees are mandated to have complex and long passwords that must change every three months, the study showed that they often create patterns or easy to remember passwords and reuse them on multiple accounts. This reuse increases the risk of compromise and opens the entity up to Account Take Over (ATO) attacks through the use of compromised password lists obtained from breeches like the Ashley Madison or Yahoo! leaks.
NIST did not just recommend reduced password complexity and expiration removal, but also recommended that entities should ban commonly used passwords, provide users with breeched passwords lists to reference and implement password testing.
Here is a summary of the new NIST password design requirements:
- Minimum password size of 8 characters
- Maximum password length 64 characters
- Allow all printable ASCII characters (including spaces)
- Allow all UNICODE characters (Including Emojis)
- Screen for use of banned passwords
- Eliminate requirements for password expiration
While these password recommendations increase security, NIST still recommends that organizations implement MFA to reduce overall risk. With bad guys out there looking to steal your data, authentication is the key in determining who you are in the cyberworld.