When it comes to password policies, most organizations have similar rules about what qualifies as a good password. Normally, they require a minimum of 8 characters, including upper case, lower case, numeric and special characters; the password cannot be one of the five most recent passwords used; and it has a maximum age ranging from 30-120 days depending on the organization. The reason this standard password format has appeared in such a wide variety of organizations' and websites' policies is that it has been the research-based recommendation of the National Institute of Standards and Technology, more commonly known by its acronym, NIST.
NIST is an American federal agency within the Department of Commerce in charge of maintaining and testing standards of measurement. Its authorization actually predates the US Constitution, as its antecedent organization was set up by a clause in the Articles of Confederation, which governed the United States until 1789. The Articles of Confederation reserved the right of fixing standard weights and measures to the federal government, a reservation that was carried over into the US Constitution. As time, science, and technology advanced, so too did the range of measurements that NIST began to regulate, including standards and measurements in the computer science field. Consequently, NIST conducts a lot of research on cyber security related issues in order to standardize various techniques, including recommendations on how passwords should be limited and regulated.
Last June, NIST issued a document called NIST Special Publication 800-63 which revised their password policy recommendations. The new recommendations include dropping the maximum age and renewal requirements, dropping the mixture of upper case, lower case, numeric, and special characters, increasing the length of passwords to a minimum of 16 characters, and screening passwords against a list of the most commonly used words and preventing those words from being included. Since NIST’s recommendations set the trend in the industry, many users will start to see this new set of rules become more common in password policies over the next couple of years.
The arguments on which NIST bases its new guidelines do not come from algorithms, computer science or cyber security trends, but from the human element of information technology. Not only is NIST trying to promote a more user-friendly approach, but they realize that despite the complexity and security considerations that went into their previous and now defunct guidelines, password security was undermined by human users who felt the guidelines were an inconvenience. Humans have proven an innate inability to reliably remember difficult passwords, which has led the average user to make easy-to-guess passwords and has given rise to a multitude of password recovery systems and options. These factors have created an environment that malicious actors can exploit to gain access despite password encryption. Studies have found that the vast majority of users will use a relatively common word or name, with the first letter capitalized, trailed by a number and/or a special character. Far too frequently, those trailing characters are 1 or !. When required to reset their passwords, many users simply increase the trailing number in sequential order. Consequently, the steps taken by cyber security experts and system administrators are undermined by users who do not take their own system security seriously.
It's not just system users that were undermining the previous security regimen. If malicious actors cannot guess your password using the common themes that many users rely on when creating passwords, more often than not they resort to algorithms and programs to guess passwords rather than guessing them by hand. Consequently, the variety of character types used provides a false sense of security, since short passwords are easily overcome by those algorithms regardless of which character classes they contain.
As a result, NIST's new guidelines take the human element of password security into account. While their previous guidelines were secure in theory, the human element of cyber security had undermined their efficacy. Using those lessons, the new guidelines retain strength while avoiding the pitfalls that the average user would complain about. By removing password age limits, users will no longer be required to change their passwords frequently, significantly reducing incidents of forgotten or lost passwords and removing the easily exploited recovery ecosystems that grew up around forgotten passwords. By increasing the minimum length of passwords to 16 characters, the time it would take hackers and their algorithms to crack the longer passwords grows exponentially, requiring millennia in many cases. This is further assisted by a ban list of the most common words, names and phrases, which denies malicious actors a quick shortcut.
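The contrast between the two regimes described above (composition rules versus length plus blocklist screening) is easiest to see in code. This is an added example, not anything published by NIST or taken from SP 800-63; the blocklist is a constructed sample, the 16-character floor is the figure the article gives, and the normalization step is an assumption that models the "Word1!" habit described above so that such variants are caught by the ban list.

```python
import re

# Constructed sample blocklist; a real one holds thousands of entries.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "monkey"}

MIN_LENGTH = 16  # length floor as stated in the article

# Trailing digits and symbols that users habitually append to a base word.
TRAILING_TAIL = re.compile(r"[0-9!@#$%^&*]+$")


def normalize(password):
    """Reduce a candidate to the base word a user likely started from:
    lower-case it and strip the trailing digit/symbol tail (assumption:
    this is how the blocklist catches 'Welcome2024!' as 'welcome')."""
    return TRAILING_TAIL.sub("", password.lower())


def check_legacy(password):
    """Old-style policy: 8+ characters with all four character classes.
    Returns a list of violations (empty list means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    if not all(any(test(c) for c in password) for test in classes):
        problems.append("missing a required character class")
    return problems


def check_new(password, blocklist=COMMON_WORDS):
    """Policy in the spirit of the revised guidance: length floor plus
    blocklist screening, with no composition rules and no expiry."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in blocklist or normalize(password) in blocklist:
        problems.append("based on a blocklisted word")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "Welcome2024!!", "correct horse battery staple"):
        print(repr(candidate), "legacy:", check_legacy(candidate), "new:", check_new(candidate))
```

Note that the legacy rules accept "Password1!" outright while the new checks reject it twice over, and that a long lower-case passphrase fails the legacy rules only because of its character mix.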
While the reasons for NIST's new guidelines can be attributed to the collective of humanity's stupidity and to poor training on the part of system administrators, the resulting recommendations are both more user-friendly and more secure. Be on the lookout for these new guidelines to be implemented in your workplace and by your favorite websites. Since NIST regulates measurements and standards for the American economy, these guidelines will no doubt filter down to the private sector soon enough.