I have written about passwords a bunch of times before, mostly arguing in favour of password managers and against rules on password complexity and periodic password change. A growing group of information security professionals has moved to this position, and now an authoritative standards body has weighed in with a paper.
Everyone is familiar with password complexity rules and the requirement to change passwords periodically. They became a standard through one publication: NIST 800-63. The National Institute of Standards and Technology (NIST), an American standards institution whose public standards the US government (and quite a lot of the world) follows, published the 800-63 standard on passwords in 2003. NIST documents are widely used by information security practitioners because they provide a very useful and publicly available framework for cybersecurity and related topics.
The password guidelines in 800-63 were too complicated for most people to understand well. They led to bad practices, such as
- creating patterns: “JanJan2009!”, “AprApr2009!”, “JulJul2009!”, etc.
- writing them down insecurely and sticking them on computer screens
- using the same password for everything and changing them together.
Last year, NIST released its new set of password guidelines that advocate precisely the opposite:
“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
Instead it recommends the use of password managers, which can store long and random passwords and let users copy and paste them into login forms. It also recommends rate-limiting, i.e. preventing too many password attempts in a short period; without it, attackers can brute-force your credentials directly on websites and apps, manually or programmatically. These come in addition to a number of other guidelines.
The NIST guidelines now make passwords easier for users and firmly push a number of additional requirements onto IT administrators to protect their technology infrastructure. That is good for security, because users now actually have the ability to create and store strong and unique passwords for all their various accounts, since they no longer have to remember all of them.
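To make the two verifier-side practices above concrete, here is an added example (not code from the original post or from NIST) of a small login verifier: it accepts passwords with only a minimum-length rule and no composition rules or expiry, stores salted PBKDF2 hashes, and throttles repeated failed attempts per account with a sliding window. The class and function names, the thresholds (`MIN_LENGTH`, `MAX_FAILURES`, `WINDOW_SECONDS`) and the sample credentials are assumptions chosen for illustration, not values taken from the standard.

```python
"""
Added example (not from the original post): a minimal verifier that applies
two of the practices discussed above, rate-limiting failed login attempts
per account and accepting long passwords without composition rules.
All names, thresholds and sample credentials are assumptions chosen for
illustration, not values taken from NIST SP 800-63.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MIN_LENGTH = 8        # assumed minimum; the only rule the verifier enforces
MAX_FAILURES = 5      # assumed threshold: failures allowed inside the window
WINDOW_SECONDS = 600  # assumed sliding window (seconds) for counting failures


def password_acceptable(password: str) -> bool:
    """Accept any password of at least MIN_LENGTH characters.
    No character-class requirements and no expiry, as the quoted guidance says."""
    return len(password) >= MIN_LENGTH


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived key) using PBKDF2-HMAC-SHA256 from the stdlib."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, key


class FailureRateLimiter:
    """Sliding-window counter of failed attempts keyed by account name."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account: str, now: float) -> None:
        # Drop failures that fell out of the window
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now)
        self._failures[account].append(now)

    def reset(self, account: str) -> None:
        self._failures[account].clear()


class Verifier:
    """Stores salted hashes and checks logins through the rate limiter."""

    def __init__(self):
        self._store = {}  # account -> (salt, key)
        self.limiter = FailureRateLimiter()

    def register(self, account: str, password: str) -> bool:
        if not password_acceptable(password):
            return False
        self._store[account] = hash_password(password)
        return True

    def login(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'throttled'."""
        if self.limiter.is_blocked(account, now):
            return "throttled"  # refuse without even checking the password
        stored = self._store.get(account)
        if stored is None:
            self.limiter.record_failure(account, now)
            return "denied"
        salt, key = stored
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, key):
            self.limiter.reset(account)
            return "ok"
        self.limiter.record_failure(account, now)
        return "denied"


def demo() -> list:
    """Constructed scenario: five wrong guesses, then the right password
    while throttled, then the right password after the window has passed."""
    v = Verifier()
    assert v.register("alice", "correct horse battery staple")
    results = [v.login("alice", "guess%d" % i, now=float(i)) for i in range(5)]
    results.append(v.login("alice", "correct horse battery staple", now=5.0))
    results.append(v.login("alice", "correct horse battery staple",
                           now=5.0 + WINDOW_SECONDS + 1))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the limiter is keyed by account rather than by client address, so a guessing campaign spread across many source addresses is still throttled, and that a throttled request is refused before the password is checked, so it costs the verifier no hashing work.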
We won’t be out of the dark ages of passwords until passwords are gone, but we can try to make things a bit less painful to our users in the meantime.