NIST Calls for New Password Rules
Passwords. Everyone loves passwords, right? Let's have a big round of applause for complex passwords.
No? You are not a fan of those crazy passwords like &*(Y45(*]}mMh@+. Me neither.
NIST sets the rules for the federal government and has a big influence on private industry. It publishes what it calls a Special Publication, or SP, specifically on “digital identity”: NIST SP 800-63. That SP is currently being revised, and here is what they are proposing. I think most of this will be welcomed, and private companies can implement these changes (unless they are in a regulated industry that mandates something different) NOW!
- NO MORE PASSWORD “COMPLEXITY”. The password above is just dumb. Make passwords longer. We recommend using at least a dozen characters, preferably longer. And use pass phrases, because they are easier to remember. My Favorite Wedding Gift Was A New Car. Easy to remember, hard to guess, and a brute force attack against a 36-character password is just not practical today.
- ONLY CHANGE PASSWORDS IF YOU BELIEVE THEY MAY HAVE BEEN COMPROMISED. If you use long passwords along with robust multifactor authentication, you don’t need to change passwords unless they have been compromised.
- DISCONTINUE USING KNOWLEDGE BASED AUTHENTICATION (KBA) AND SECURITY QUESTIONS. Those KBA questions are the ones often used by banks and others to “validate” you. Questions like “you bought a car around June 2023; was it (a), (b), etc.” The same goes for those password reset questions. At least with the password reset questions you can lie. If I was born in Chicago, I can say I was born in Dallas, but you have to keep track of each lie, and if you use Dallas everywhere, you really have not gained anything. In the case of KBA, if you give the wrong answers they will deny access. Worse yet, many times the data sources for KBA questions are flat wrong, so even if you do provide the right answers, they might say they are wrong.
- FINALLY, ALLOW PASSWORDS UP TO 64 CHARACTERS AND INCLUDE “UNICODE” CHARACTERS. That means allowing non-English characters. I still run into web sites that don’t allow more than an 8- or 12-character password. Crazy.
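As an added example (editor's code, not from the post or from NIST), here is a small Python validator that implements the length-only, Unicode-friendly policy described above next to a constructed version of the old "complexity" policy, so you can see which of the post's own sample passwords each one accepts; the NFKC normalization step follows SP 800-63B's guidance on Unicode secrets and is stated here as the editor's knowledge, not the post's.

```python
import re
import unicodedata

# Bounds taken from the post: at least a dozen characters, allow up to 64.
MIN_LEN = 12
MAX_LEN = 64


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string is always the same secret.

    Editor's assumption: SP 800-63B asks for NFKC or NFC normalization of
    Unicode secrets before hashing; picking NFKC is our choice here.
    """
    return unicodedata.normalize("NFKC", password)


def check_proposed(password: str) -> tuple[bool, str]:
    """Policy the post describes: length only; Unicode and spaces welcome."""
    pw = normalize(password)
    n = len(pw)  # count code points, not UTF-8 bytes: "日本語" is 3, not 9
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN}"
    # No composition rules on purpose: nothing forces digits or symbols.
    return True, "ok"


# Constructed stand-in for the legacy "complexity" policy the post rejects:
# 8-16 ASCII characters, one of each class, no spaces.
LEGACY_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_legacy(password: str) -> tuple[bool, str]:
    if not password.isascii() or " " in password:
        return False, "ASCII only, no spaces"
    if not 8 <= len(password) <= 16:
        return False, "length must be 8-16"
    if not all(re.search(cls, password) for cls in LEGACY_CLASSES):
        return False, "needs upper, lower, digit and symbol"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["&*(Y45(*]}mMh@+",                         # the post's "dumb" password
               "My Favorite Wedding Gift Was A New Car",  # the post's passphrase
               "пароль из нескольких слов",               # constructed Cyrillic passphrase
               "short1!"]:                                # constructed, too short for both
        print(repr(pw), "legacy:", check_legacy(pw), "proposed:", check_proposed(pw))
```

Note that the legacy policy rejects the 38-character passphrase for its spaces and the Cyrillic one for being non-ASCII, while the proposed policy accepts both and only turns away the genuinely short string.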
While this won’t fix all of the password problems, it is a start.
For more details, check this article.