
Forget Everything You Knew About Strong Passwords: NIST Rewrites Standards

Friend
Can regular password changes really harm security?

The U.S. National Institute of Standards and Technology (NIST), which sets technology standards for government agencies and private companies, has proposed revising a number of outdated and ineffective password rules. These include mandatory periodic password changes, requirements on password composition, and the use of security questions.

Choosing and storing strong passwords is one of the most difficult tasks in cybersecurity. However, many rules that are supposed to increase the level of security in fact reduce it. NIST recently published an updated draft of the SP 800-63-4 standard, a huge document that provides guidelines for verifying digital identities.

The new version of the standard emphasizes common sense regarding passwords. One of the important proposals is to abandon the practice of regularly forcing password changes. This practice dates back to a time when passwords were often simple and easy to guess. Now, with long and randomly generated passwords in use, frequent changes reduce their effectiveness, because they push users toward simpler combinations that are easier to remember.

Another outdated measure is the requirement to include different types of characters in the password: numbers, special characters, lowercase and uppercase letters. NIST believes that if a password is long enough and random, such requirements are not helpful and may even make passwords weaker.

The new NIST draft states the following:
  • Verifiers and Credential Service Providers (CSPs) should not impose additional password rules (for example, requiring a mix of different character types).
  • Verifiers and CSPs should not require periodic password changes, except in cases of confirmed compromise.

Other NIST recommendations include:
  • Passwords should be at least 8 characters long, but preferably at least 15.
  • The maximum permitted password length should be at least 64 characters.
  • Verifiers should accept all printable ASCII characters, spaces, and Unicode characters in passwords.
  • Password hints that are accessible to unauthenticated users must not be stored.
  • Security questions (e.g., "First pet's name?") should not be used for authentication.

A number of experts have long noted the negative impact of many common password requirements on security. However, banks, online services and government agencies continue to use them. If the new NIST standards go into effect, they will not be mandatory for everyone, but they may change the way passwords are generated in the future.

In addition, NIST invites anyone interested to submit their comments, remarks, or suggestions to dig-comments@nist.gov by October 7 at 11:59 p.m. ET.
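The two policies the article contrasts can be expressed as a verifier-side acceptance check. The following is an added illustration, not code from NIST or from the article's author: `legacy_check` implements the composition rules the draft says to drop, and `nist_check` implements the length-based rules listed above (minimum 8, recommended 15, cap of 64, spaces and Unicode accepted, no character-class rules). Counting Unicode code points after NFKC normalization and rejecting control characters are this example's own choices; the exact 64-character cap and the sample passwords are constructed assumptions.

```python
"""Password acceptance checks modelled on the draft SP 800-63-4 rules summarized above.

Added example; not NIST's code and not any vendor's implementation.
"""
import unicodedata
from dataclasses import dataclass

MIN_LENGTH = 8           # required minimum (SHALL)
RECOMMENDED_LENGTH = 15  # recommended minimum (SHOULD)
MAX_LENGTH = 64          # verifiers should allow at least 64; this example caps at exactly 64 (assumption)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    meets_recommended: bool = False  # True when length >= RECOMMENDED_LENGTH


def legacy_check(password: str) -> Verdict:
    """The composition-rule policy the draft rejects: must contain a digit, an upper- and
    lower-case letter, and a symbol. Long passphrases fail this check while 'P@ssw0rd' passes."""
    present = {
        "digit": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        return Verdict(False, "missing " + ", ".join(missing))
    return Verdict(True, "ok")


def nist_check(password: str) -> Verdict:
    """Length-only policy: any printable ASCII, spaces and Unicode are fine; no class rules.

    Length is measured in Unicode code points after NFKC normalization, so that the same
    visible string typed on different keyboards is measured consistently (example's choice).
    """
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)
    if length < MIN_LENGTH:
        return Verdict(False, f"too short: {length} < {MIN_LENGTH}")
    if length > MAX_LENGTH:
        return Verdict(False, f"too long: {length} > {MAX_LENGTH}")
    # Printable characters and spaces are accepted; control characters (Unicode category C*)
    # are not, which is this example's interpretation of "printing ASCII" (assumption).
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        return Verdict(False, "control characters are not accepted")
    return Verdict(True, "ok", meets_recommended=length >= RECOMMENDED_LENGTH)


def password_change_required(evidence_of_compromise: bool, days_since_change: int) -> bool:
    """Rotation is driven by evidence of compromise only; password age alone never triggers it."""
    del days_since_change  # deliberately unused: no periodic expiry under the draft rules
    return evidence_of_compromise


if __name__ == "__main__":
    # Constructed sample passwords used to contrast the two policies.
    for sample in ["P@ssw0rd", "correct horse battery staple", "пароль для банка", "short"]:
        print(f"{sample!r:35} legacy={legacy_check(sample).accepted!s:5} "
              f"nist={nist_check(sample).accepted!s:5} "
              f"meets15={nist_check(sample).meets_recommended}")
```

Running the block shows the inversion the article describes: the legacy policy accepts the eight-character `P@ssw0rd` and rejects a 28-character passphrase for lacking a digit, while the length-based check accepts the passphrase (and the Cyrillic one with spaces) and merely flags `P@ssw0rd` as below the recommended 15 characters.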
