At the end of 2017, the US Department of Commerce’s National Institute of Standards and Technology (NIST) released new Digital Identity Guidelines concerning passwords. What was surprising about the announcement was the NIST’s shift away from password complexity and toward user friendliness. That emphasizes the fact that passwords represent just the first layer of authentication security.
The NIST guidelines now call passwords “Memorized Secrets” and recommend that users create long passphrases that are easy for them to remember instead of convoluted strings of nonsensical numbers and letters. The use of special characters — !, @, #, $, %, and the like — is still recommended by the guidelines, and they encourage online platforms and accounts to allow log-in credentials to stretch up to 64 characters to support the use of such long passphrases.
Other big changes in the NIST Digital Identity Guidelines include the elimination of password expiration time periods. Instead, the guidelines state that the creation of new passwords should be mandated only after password breaches or data hacks. A recent security report found that hackers were using stolen passwords for two purposes: 1), to try and compromise high-profile cloud-based accounts that can’t easily use two-factor authentication, and 2) to break into email accounts and instigate internal phishing attempts.
The NIST also recommends that users be allowed to “paste” their saved passwords into log-in fields in hopes this will promote the use of business-grade password managers, which automatically generate strong passwords for specific accounts while asking users to remember just one master password. Such password management tools can be critical for business success, especially as different log-in credentials balloon and the number of employees increases.
Don’t worry — the NIST guidelines still outline specific security practices related to passwords. First, they forbid commonly used passwords. The standards require every new credential to be checked against a master list of forbidden phrases: repetitive words (“passwordpassword”), sequential strings (“password12345”), variations on the website name (“FacebookPassword), and passwords stolen in previously revealed security breaches.
In addition, the new guidelines frown on the use of information-based authentication or password hints like “What high school did you attend?” to reset passwords. Answers to questions like these are easily discovered on social media and can be used in social engineering attempts that use publicly available information against a user. Limiting the number of log-in attempts is also a tool that can discern between the most typo-prone computer user and the kind of brute force attack cyber thieves use to electronically try and discover a password.
Why all the changes? Interestingly, many of these new NIST guidelines run contrary to common password wisdom. It’s worth pointing out that these regulations are written specifically for federal government systems and employees. However, such guidelines traditionally become adopted across industries as nongovernmental contractors adopt them for use in their interactions with government systems and the best practices spread organically.
The bottom line, however, is that the NIST Digital Identity Guidelines point toward a promising trend: one where passwords represent just one part of a larger security footprint. Two-factor authentication, which requires logging in with something you know (your password) AND something you have (a unique code sent to you via text message or email), is the next step toward more comprehensive identity security.
Other components of security include SIEM monitoring, multi-tiered network protection, robust firewall defenses, Internet traffic analysis, anti-spam and anti-malware software, and more. The goal is to deploy enough layers around your systems, your data, and the people working for your company to keep up with the changing tactics cyber-criminals use to try and steal critical information.
Want to know more about how passwords can fit into your overall identity protection strategy? Have cyber-security concerns but can’t find a trusted IT provider to turn to? CMIT Solutions is here for you. We worry about IT so you don’t have to, enabling your business to survive and thrive in today’s complicated digital world. Contact us today for more information.