Go to:

July 2018
< Jun Aug >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

Is the Complex Password Dead?
Thursday, August 3, 2017 6:45 AM

Kevin Hood, Credit Union Resources, Inc.

Users may be rejoicing after the release of NIST’s new password guidelines! The National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, provides guidance that sets standards for recommended security controls for information systems at federal agencies. While required by federal agencies, many other industries adopt and use these guidelines as a strong cybersecurity framework. In their recent Special Publication 800-63B “Digital Identity Guidelines,” NIST is taking a more “human-element” approach and shifting the burden to the verifier.  Here are a few key elements of the new guidance:

  • No more complex passwords! For years, the recommended standard is to have very complex passwords - using a mixture of uppercase, lowercase, numbers, and special characters. Many times, these requirements can lead to weaker passwords, with users simply changing a number at the end of the password. With the new guidelines, NIST is recommending the longer passphrase approach. NIST is recommending the allowance of passwords as long as 64 characters (or more), including punctuation, spaces, and even emojis!
  • No more changing your passwords every 30 days!  Users will really love this one. Frequent password changes have been shown to actually cause users to choose weaker passwords, again only changing one character. The guidance states that you should only require users to change their password if they are forgotten or suspected of compromise.
  • Passwords should be checked against a list of commonly-used, expected or compromised passwords. If the chosen password is found in the list, the user should be notified and required to choose a different password. For example, the list may include, but is not limited to:
    • Passwords obtained from previous breaches.
    • Dictionary words.
    • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
    • Context-specific words, such as the name of the service, the username, and derivatives thereof.

There are many other guidelines released in the special publication, such as encryption recommendations for password storage and the phasing out of text messaging as a form of two-factor authentication. Convenience and security have long been said to be mutually exclusive; however, with this new guidance, it looks as though NIST is trying to bridge that gap.

Credit Union Resources has Technology Consulting & Compliance Services available for credit unions of all sizes. For additional information, please contact Deana Brown or Idrees Rafiq.