There have been a lot of interesting developments in Password Management since NIST, National Institute of Standards and Technology (a division of US Dept. of Commerce), revised the 14-year-old guidelines last November with final updates issued in June 2017. The now-retired 72-year-old author of the original 2003 NIST, Bill Burr, was quoted in The Wall Street Journal as saying “Much of what I did I now regret.” Great Britain’s National Cyber Security Centre has also chimed in with similar updated recommendations on Password Security.
Many of the recommendations are targeted to IT system administrators regarding steps they should be taking. However, all of us are “end-users” of password-protected systems and for us there is relief! What the latest recommendations bear out is something many users have been saying all along – there are too many passwords with complicated rules and they change too often. This is exactly what NIST discovered in their research.
Password expiration was leading to weaker passwords and to people recording them in an unsecured manner to help them remember. The research discovered that when a password is compromised, it is used within a week and frequent password expiration changes really offer no protection. The new recommendations are that system administrators monitor failed password attempts as an indication of possible compromise and also that systems notify the end-user when their password is used in an unexpected manner. Google does this, for example, when your login is detected from a new device. These alerts may be indications that a user needs to change their password. Some experts are suggesting an annual password change should still be part of good “password hygiene”.
UPDATE: In 2019, after decades of recommending passwords be changed regularly, Microsoft removed this from the security baseline settings. A Microsoft employee said this was “ancient and obsolete mitigation of very low value”.
Also, many users thought they were being clever by using numbers and special character substitutions to increase password complexity. What has been uncovered is that they were being lulled into a false sense of security as we now know that hackers are using sophisticated password cracking software that allows them to account for common letter substitutions. An example is my password might be H1gh3r$3cur1ty but password cracking tools account for common substitutions so they look for common substitutions like 1 for i and 3 for e, for example.
Password length is also a key to password security, however, with a required complexity, users had less chance of having a memorable password. The new recommendations relax the complexity but promote password length in the form of more memorable “passphrases”. The goal is for users to remember passphrases without recording them in an insecure manner (writing them down; adding them to an electronic note). The longer the password, the more difficult and longer it takes for automated password cracking tools to guess them. The recommended minimum length of passwords is growing due to this correlation between length and compromise. The 8-character limit is being expanded and recently 12 characters and even 16 characters have been suggested as new standards for minimum length.
What is a good “passphrase”? Creating a passphrase of a few disconnected words that you can remember is the best practice, so an example might be “eagleflagstormjupiter”. Notice that the character complexity has been relaxed. Some common sense must still apply in avoiding the use of your name, address, or other easily discovered personal details in your passphrase. Also, the use of “common” passwords in your passphrase is to be discouraged and there are recommendations that system administrators blacklist these. An example would be to never word “password” or “12345”.
Another tip for end-users is to not re-use passwords between systems or websites and especially between your work and personal life. This way if one of the sites that you use has a compromise then all of your sites are not at risk. To that end, since all of us still have a lot of things that require a password at work and in our personal lives, users should be encouraged to utilize secure password managers like LastPass, 1Password, MiniKeePass. Some organizations, like The AME Group, also have moved work passwords into an enterprise password management system which also offers a secure employee vault for both work and personal password storage. Also, it is common sense that sharing passwords should not be done.
As the NIST guidelines move into adoption by vendors and other government agencies, these new guidelines will filter down into more end-user applications and web sites. The recognition that users were drowning in a sea of passwords and that password compromise is still a key component for hacking has led to these revised password management best practices. It is refreshing to see other tools like Two-Factor Authentication (2FA) and self-service password change capabilities increase in use and provide some relief for end-users. Username and Password is still a concept that most software and critical systems rely on for basic access and this will likely continue to be the case for several years to come. It is important that System Administrators educate themselves on the new NIST Guidelines and begin to implement a password management plan of their own. The AME Group has several tools that can make this implementation easier and also can provide guidance to help manage the other recommendations from NIST. Contact us today and we will be glad to discuss those with you.
619 Main St
Vincennes, IN 47591
812.726.4500