By Steven Freidkin on Aug 18, 2017

Suffering from Password Fatigue? New Guidelines!

Are you tired of trying to remember complex passwords? Fed up with having to change those same esoteric passwords on a frequent basis? Have you “cheated” by using the same easy password (like, your dog’s name or “password”) across, well, everything?

And even when you do follow the rules, you still hear about an enormous number of security breaches caused by compromised passwords.

I have some good news! There are some surprising new password guidelines from *NIST (Special Publication 800-63B, the "Digital Identity Guidelines") that may alleviate some of your pain.

NIST has concluded that many of the password rules in force today are ineffective or even counterproductive: faced with complicated requirements, users find easy (and insecure) ways around them, such as predictable substitutions, tacking a "1!" on the end, or reusing one password everywhere. Simplifying the requirements removes the incentive to cheat.

Here are some of the major recommendations coming from the NIST guidelines:

  1. No more enforced composition rules. Systems should no longer demand a mix of uppercase and lowercase letters, at least one number and a special character. Users satisfy such rules in predictable ways (think "Password1!"), which adds little real strength while making the password harder to remember.
  1. No more periodic password expiration. NIST actually advises against requiring routine password changes, unless the user requests a change or there is evidence that the password has been compromised.
  1. No more hints and knowledge-based authentication. Password hints and "security questions" (your mother's maiden name, your first pet) might help users remember passwords, but the answers are often public or guessable, so they are of great value to attackers.
  1. A broader variety of characters. Users should be able to choose from all printable ASCII characters, spaces, and Unicode characters (emojis included). Each Unicode character counts as one character toward the length limit. See #5 below to see how this helps!
  1. Allow at least 64 characters in length. Passwords still need a minimum of 8 characters, but systems should accept at least 64, and that is a floor on the maximum, not a cap. The point is to encourage passphrases, which NIST groups with all passwords under the term "memorized secrets": they are much easier to remember and, because of their length, much harder to brute-force. An example might be "My name is Martha and I like hotdogs, bike riding and reading books." (You get the idea.)
  1. Mandatory validation of newly created passwords. Every new password must be compared against a "black list" of commonly used, expected or compromised passwords such as 12345678 or, god forbid, password, and rejected if it matches. The same check should reject context-specific words (your username or the name of the service) and repetitive or sequential strings like "aaaaaaaa" or "abcdefgh".
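To make the six recommendations concrete, here is an added example (not from NIST and not from the original post) of a password validator written to the new rules: it enforces only length and a block-list check, accepts spaces, Unicode and emoji, counts length in Unicode characters, and applies the NFKC normalization NIST recommends so that look-alike forms (fullwidth letters, for instance) can't slip past the block list. The block list, the 128-character cap and the `username`/`service_name` parameters are assumptions for illustration; a real deployment would load a large corpus of breached passwords rather than the handful embedded here.

```python
import unicodedata

# Constructed sample block list for the example. A real system would load
# a large list of breached and commonly used passwords instead.
SAMPLE_BLOCKLIST = {
    "password", "12345678", "qwertyuiop", "letmein", "iloveyou", "baseball",
}

MIN_LENGTH = 8     # NIST SP 800-63B: a memorized secret must be at least 8 characters
MAX_LENGTH = 128   # NIST says accept at least 64; 128 is an assumed cap to bound hashing cost


def normalize(secret: str) -> str:
    """Apply NFKC so compatibility forms (e.g. fullwidth letters) compare equal."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential_or_repeated(secret: str) -> bool:
    """True for repeats like 'aaaaaaaa' and runs like 'abcdefgh' or 'hgfedcba'."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def validate_new_password(candidate, *, username="", service_name="",
                          blocklist=SAMPLE_BLOCKLIST):
    """Return (accepted, reason). Deliberately enforces no composition rules."""
    secret = normalize(candidate)
    # len() of a Python str counts Unicode code points, which is how NIST
    # says length should be measured (an emoji is one character).
    n = len(secret)
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH} characters)"
    if n > MAX_LENGTH:
        return False, f"too long ({n} > {MAX_LENGTH} characters)"

    lowered = secret.lower()
    # Exact match against the list of common/compromised passwords.
    # Case-folding before the comparison is an assumed choice, not a NIST rule.
    if lowered in blocklist:
        return False, "appears on the block list of common or compromised passwords"

    # Context-specific words: the username or service name should not appear.
    for word in (username, service_name):
        if len(word) >= 3 and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"

    if is_sequential_or_repeated(secret):
        return False, "repetitive or sequential characters"

    return True, None


if __name__ == "__main__":
    samples = [
        ("password", {}),
        ("ｐａｓｓｗｏｒｄ", {}),            # fullwidth letters, NFKC-normalized to "password"
        ("abcdefgh", {}),
        ("alice2017", {"username": "alice"}),
        ("correct horse 🐴 battery", {}),   # spaces and an emoji, no digits or uppercase
        ("My name is Martha and I like hotdogs, bike riding and reading books.", {}),
    ]
    for candidate, kwargs in samples:
        accepted, reason = validate_new_password(candidate, **kwargs)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected: ' + reason}")
```

Two things worth noticing when you run it: the 68-character passphrase from #5 is accepted only because the cap is above 64, so a system that reads "allow at least 64" as "allow exactly 64" would reject the very passphrase the guidance is trying to encourage; and "correct horse 🐴 battery" passes with no uppercase, digits or punctuation at all, which is precisely what dropping the composition rules means.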

Warning! Okay, now we have to play the heavy.

Even when your company's policies change to adopt some or all of the above, it will still be prudent to use password management software such as LastPass or others. You shouldn't reuse your new, easy-to-remember "memorized secret" across every app and device: one breached site would then expose all of them, so using a different passphrase for each account remains best practice.

There will also be cases where you will want to use multifactor authentication such as Duo (you know, like when a code is texted to your mobile phone and you have to enter it as a second step to access an online program or app) to raise your security level further. One caveat: the same NIST guidelines restrict codes delivered by SMS, because text messages can be intercepted or redirected to an attacker's phone. An authenticator app or a push notification, both of which Duo offers, is the stronger choice.

As always, be sure and reach out to your favorite IT consultant if you want more info on this or other security challenges and we’ll be happy to help.

Steven Freidkin

*NIST, the National Institute of Standards and Technology, is a relatively small but powerful agency in the Department of Commerce and a crucial player in the White House's cybersecurity strategy. Although NIST guidelines are not mandatory for nongovernmental organizations, they are highly influential and most security professionals follow them as best practices.