The US National Institute of Standards and Technology (NIST), an organization responsible for developing cybersecurity guidelines for the US government, wants organizations to refrain from imposing all sorts of password requirements, as these restrictions often do more harm than good.
Passwords are the most used form of authentication, but they come with one major downside: people find it hard to memorize complex, lengthy, and arbitrary passwords. Therefore, we tend to choose passwords that can be easily guessed, making securing online accounts riskier.
On top of that, adding requirements to choose passwords, like one or more digits, uppercases, and symbols, is less effective, while the impacts on usability and memorability are severe. Enforcing regular password changes can make this even worse.
According to the NIST, other mitigations, including blocklists, secure hashed storage, machine-generated random passwords, and rate limiting, are more effective at preventing modern brute-force attacks.
The new NIST password guidelines no longer require mandatory password changes. They should only be implemented when passwords are compromised, for example, when a data breach has occurred.
Breached passwords, patterns, and common variations should be blocklisted to improve security. Multi-factor authentication (MFA) and password managers can be added as additional precautions.
This doesn’t mean we should abandon all password policies we’re familiar with. Take password length, for example. Passwords with few characters are more easily cracked with brute-force attacks than lengthy passwords.
“Users should be encouraged to make their passwords as long as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason to prohibit the use of lengthy passwords or passphrases if the user wishes. However, extremely long passwords (perhaps megabytes long) could require excessive processing time to hash, so it is reasonable to have some limit,” the NIST recommends.
To implement the new NIST password guidelines, businesses should first conduct an audit to identify outdated requirements. Next, they should reconfigure their authentication systems to the new guidelines, build blocklists, strengthen their security layers, and use password management tools.
Lastly, companies should explain the new password guidelines to their employees, and, when necessary, offer training courses to help workers get acquainted with the change.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked