New Standards Released for Password-Management Policy
Think you know how to create a solid, safe email password? Chances are, you're not following current best practices for email security. New standards were recently released by the National Institute of Science and Technology (NIST), and they call for organizations to update their password-management policy to reflect the new recommendations.
Q: What is the NIST?
A: Founded in 1901, the NIST, part of the federal Department of Commerce, is one of the oldest physical science laboratories in the U.S. The measurements and standards developed by the NIST are used by a huge variety of technologies. Among its myriad contributions, the NIST offers guidance to computer and Internet users on password security. Since the original development of these best practices in 2003, the guidelines have long been relied upon as the gold standard, used to create the password-management policy of federal agencies, large corporations, and universities.
Q: Why have the password-management policy standards changed?
A: As you've no doubt noticed, password management has become considerably more difficult for the average user (among other things, as you can see in our cyber awareness training blog). You're prompted to log in to work and personal email accounts, social media profiles, online shopping sites, forums, healthcare management sites, financial institution portals, and so on. To make matters worse, many of these websites require different levels of password security, so while some passwords can be any combination of letters and numbers, others may need to be a mix of uppercase and lowercase letters, numerals, and special characters. This makes remembering passwords and their requirements extremely cumbersome.
Q: What were the NIST's old recommendations?
A: The NIST's previous password-management policy guidelines called for the use of a mix of various types of characters and also noted that passwords should be changed every 90 days. However, because users have so many passwords to remember, the NIST has found that, rather than create entirely unique passwords every 90 days, people were only slightly modifying the passwords. This has meant that the passwords became more vulnerable to hackers. These stringent requirements have also impacted the usability of the plethora of applications that call for user authentication.
Q: What are the NIST's new recommendations?
A: With an eye toward improving security while making password requirements more user-friendly, the NIST now says that users should abandon the so-called complex passwords that contain an arbitrary string of alphanumeric characters. In its recently released Special Publication 600-83: Authentication and Lifecycle Management, the laboratory now recommends:
1. The use of passphrases instead of passwords: In an effort to improve password entropy (a measure of how unpredictable a password is), the NIST now recommends the use of passphrases. It reasons that longer passphrases that are easier for the user to remember are also more difficult to crack, whereas shorter passwords have reduced entropy and are harder to remember.
Consider how you keep track of all those passwords: whether you use a password storage system, a notebook, or a document, you're reducing the inherent security of the password by storing it in a potentially unsafe manner. The NIST reasons that if your password is easier to remember and type into the password field, your accounts will be more secure.
How long can a passphrase be? The NIST recommends that users be allowed up to 64 characters for their passphrases. What's a good passphrase? Perhaps the name of or a quote from your favorite book or song or a declaration of your favorite activities or passions (e.g., Oh, The Places You'll Go! or I love to play soccer on fall weekends.). Much easier to remember than S$D%Zs178dj, right?
2. No requirement to change passwords based on arbitrary timelines: Rather than prompting users to change their passwords every 90 days, the NIST recommends that users only be required to change their passwords if their accounts have been compromised (or if the user requests the opportunity to change the password).
3. Easy-to-understand instruction: To improve usability and reduce frustration, the NIST also stipulates that users be provided with clear guidance on how to construct safe, appropriate passphrases. In addition, it calls for users to be given explicit feedback on rejected passphrase choices so that they don't become aggravated in trying to guess at why their passphrases have been deemed unacceptable.
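The three recommendations above, sketched as the checks a login system would run. This is an added example, not code from the article or from the NIST; the function and class names are hypothetical, and the minimum length and the blocklist are assumptions the article does not specify.

```python
from dataclasses import dataclass
from datetime import date

MAX_LENGTH = 64  # from the article: allow passphrases of up to 64 characters
MIN_LENGTH = 8   # assumption: the article does not state a minimum
# Assumption: a blocklist of known-bad choices. Constructed sample entries only.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def check_passphrase(candidate: str) -> list[str]:
    """Return explicit rejection reasons; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"Too short: use at least {MIN_LENGTH} characters.")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"Too long: use at most {MAX_LENGTH} characters.")
    if candidate.lower() in BLOCKLIST:
        reasons.append("Too common: this choice is on the list of known-bad passwords.")
    # Deliberately no composition rules: spaces, all-lowercase text and
    # punctuation are accepted, so ordinary sentences work as passphrases.
    return reasons


@dataclass
class Account:
    last_changed: date
    compromised: bool = False
    user_requested_change: bool = False


def must_change(account: Account) -> bool:
    """Force a change only on compromise or user request; age is ignored."""
    return account.compromised or account.user_requested_change


if __name__ == "__main__":
    for sample in ["I love to play soccer on fall weekends.", "Password", "abc"]:
        print(repr(sample), "->", check_passphrase(sample) or "accepted")
    old = Account(last_changed=date(2015, 1, 1))
    print("years-old password must change:", must_change(old))
```
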
What else do users need to know?
The Authentication and Lifecycle Management publication is quite long and includes many recommendations for the 'back end' security that don't directly affect users, so we won't go into them here. A few other relevant points on password-management policy though: The NIST recommends against the storing of password hints, which could be compromised. Instead, it says that two-factor authentication methods be employed, such as sending notifications with passcodes or links to a second, authenticated account or smartphone for users to approve.
Is ICS changing its password-management policy in response to the new guidelines?
These seemingly less stringent guidelines may be surprising for users accustomed to dealing with increasingly burdensome password constraints in recent years. However, they are strategically aimed at improving password security and we both trust and agree with the recommendations. Therefore, going forward, ICS clients will be asked to change their current passwords to reflect these new standards. The primary focuses of the NIST's changes are on boosting usability and security, and we want our own password-management policy changes to support these objectives. We welcome your feedback and encourage you to contact us with any questions or concerns!