Many aspects of computer usage require passwords, including applications, websites and the computer itself. However, advances in computing power and decryption algorithms are changing the best practices for creating passwords. The United States National Institute for Standards and Technology (NIST) publishes Special Publication (SP) 800-63-3, entitled Digital Authentication Guidelines, which includes the latest guidelines on passwords. This document was originally published in June 2017, with the most recent updates occurring in December 2017. The password guidelines in SP 800-63-3 include discontinued practices, greater emphasis on user friendliness and more variety.
Discontinued Practices
Businesses that must practice NIST compliance need to change their password composition rules so that users are no longer required to create complex passwords. Single-word passwords should also be replaced by longer phrases. NIST also recommends eliminating forms of knowledge-based authentication such as password hints, since this information lends itself to cracking passwords through social engineering techniques. Additional practices that should be discontinued include arbitrary expiration dates for passwords, since mandatory password changes increase the probability that a user will choose a new password that’s easy to guess.
User Friendliness
Some common practices for creating strong passwords may be more trouble than they’re worth because they aren’t very user friendly. Jim Fenton, a NIST cyber security expert, has discussed the increased burden that SP 800-63-3 places on the verifier. Fenton says that non-user-friendly requirements in password creation encourage users to undermine the value of a strong password with poor practices. For example, a site that requires users to have overly complex passwords will increase the probability that users will write the password down or reuse the same password across multiple sites. NIST recommends relying on two-factor authentication methods rather than requiring the user to remember multiple complex passwords.
Length and Variety
Passwords should generally be easy for a user to remember but difficult for someone else to guess. This requirement has historically limited passwords to a single word of six to eight characters. English only has a few thousand common words of that length, and basic social engineering can greatly reduce the set of likely password candidates even further. Modern techniques are highly effective in cracking this type of password, even when it has one or two digits at the end of it.
NIST now recommends relaxing some of these restrictions to allow the creation of stronger passwords, illustrating the shift in emphasis from rigid creation policies to simply ensuring the password is difficult to guess. For example, passwords should contain between 16 and 64 characters, depending on the account’s sensitivity. Users should also be able to create passwords with any printable ASCII character, including spaces. Unicode characters such as emoji should also be acceptable components of a password.
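The following is an added example, not code from the article or from NIST: a verifier-side acceptance check that applies the guidance from the Discontinued Practices and Length and Variety sections above, placed beside a legacy composition-rule check for contrast. It assumes the article’s 16-to-64-character range as the length bounds (SP 800-63B’s own text sets a floor of 8 and asks verifiers to allow at least 64), applies Unicode NFKC normalization and a comparison against a list of commonly used passwords (both from SP 800-63B section 5.1.1.2), and uses a constructed sample blocklist; the function names are my own.

```python
import re
import unicodedata

# Length bounds taken from the article's 16-64 figure (assumption: real
# deployments tune these; SP 800-63B's floor for user-chosen secrets is 8).
MIN_LEN = 16
MAX_LEN = 64

# Constructed sample blocklist standing in for a list of commonly used or
# compromised passwords (SP 800-63B 5.1.1.2 asks verifiers to compare against one).
BLOCKLIST = {
    "password",
    "123456",
    "correct horse battery staple",
}


def normalize(secret: str) -> str:
    """Unicode NFKC normalization, applied identically at enrollment and at
    login, so the same visible characters compare equal regardless of how
    the client encoded them (SP 800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", secret)


def legacy_check(secret: str) -> tuple:
    """The discontinued composition-rule style: at least 8 characters with an
    uppercase letter, a lowercase letter, a digit and a symbol. Shown only
    for contrast with nist_check."""
    rules = [
        (len(secret) >= 8, "at least 8 characters"),
        (re.search(r"[A-Z]", secret) is not None, "an uppercase letter"),
        (re.search(r"[a-z]", secret) is not None, "a lowercase letter"),
        (re.search(r"[0-9]", secret) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", secret) is not None, "a symbol"),
    ]
    for ok, what in rules:
        if not ok:
            return False, f"legacy rule failed: needs {what}"
    return True, "accepted"


def nist_check(secret: str, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> tuple:
    """SP 800-63-3 style acceptance: length bounds, every printable character
    allowed (spaces, punctuation, emoji), a blocklist comparison, and no
    composition rules at all. Returns (accepted, reason)."""
    secret = normalize(secret)
    n = len(secret)  # counted in code points, so one emoji is one character
    if n < min_len:
        return False, f"too short: {n} < {min_len}"
    if n > max_len:
        return False, f"too long: {n} > {max_len}"
    # Reject only control (Cc) and unassigned (Cn) code points. Space is
    # category Zs and emoji are So, so both pass; a tab or newline does not.
    if any(unicodedata.category(ch) in ("Cc", "Cn") for ch in secret):
        return False, "contains a control or unassigned character"
    if secret.lower() in BLOCKLIST:
        return False, "commonly used password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs showing how the two policies disagree.
    for candidate in ["Tr0ub4dor&3",
                      "correct horse battery staple",
                      "my cat 🐈 knocks over the plant"]:
        print(repr(candidate), "legacy:", legacy_check(candidate), "nist:", nist_check(candidate))
```

Note that the short, symbol-laden string passes the legacy rules but fails the length bound, while the long phrase with an emoji and spaces fails the legacy rules (no uppercase letter) and is accepted by the NIST-style check; the well-known phrase is rejected only because it appears on the blocklist, which is the one "guessability" check the newer guidance keeps.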
Summary
CSCI has been providing IT services for businesses in San Diego for over 30 years. We offer both managed and on-site services, including regulatory compliance for NIST. Contact us today to learn more about what we can do for you.