What’s the password?


“Treat your password like your toothbrush. Don’t let anyone else use it, and get a new one every six months.” (Clifford Stoll)

Well, we hate to tell you Cliff, but you are going to have to come up with something new when it comes to passwords. That’s because The National Institute of Standards and Technology (NIST) recently published updated guidelines and best practices related to passwords and authentication methods. And the first best practice to be changed is no more periodic password changes.

No doubt, this is welcome news to employees, IT departments and organizations everywhere. But chances are good, unless you pay attention to the rest of what the NIST has to say about passwords, you could still find yourself on the wrong side of a hacker.

So what exactly did the NIST have to say about the new normal in passwords?

NIST advises organizations should not require periodic changes for passwords. This catches you up to other industry studies showing frequent password changes are actually hurting overall password security. This is a huge change of policy as it removes a significant burden from both users and IT departments.

The only time a password should be reset according to NIST is if a user requests a change, or there is evidence of password compromise (i.e. if the user has been phished, or if a password database has been stolen and becomes a security concern).

And some of you may like this one even better. The NIST recommends removing password complexity requirements. At Carolinas NetCare still recommends using all of the character types (uppercase, lowercase, number and symbol). But one of each, and not a crazy password. The NIST continues to recommend a minimum length requirement. So don’t feel you have to get creative. Just make it hard. Because …

The NIST suggests a validation of newly created passwords against a list of commonly used, expected, or compromised passwords. Carolinas NetCare is evaluating how to incorporate preventing users from setting passwords like “password”, “12345678”, old passwords, dictionary words, usernames and other contextual terms.

No hints, please.

Password hints are no longer recommended either. Because, surprise, surprise, something that was originally meant to help the user recall a password actually can help a hacker guess the correct password.

Verizon’s recent Data Breach Report revealed that 81% of hacking-related security breaches were the result of either stolen and/or weak passwords. The new NIST guidelines will hopefully help you keep your employees from being the weakest link in your network security by encouraging the use of strong passwords, along with not falling for phishing and social engineering attacks.

So are these changes NIST is proposing relevant and important? They sure are. Despite the need to introduce new authentication methods, passwords are here to stay for a while, if not forever. We can all appreciate even small improvements in user experience and security.

For more information on the NIST password guidelines and best practices, be sure to make plans now to attend our free Fall Technology Briefing. Click here to register.