You know the struggle – you’re staring at yet
another sign-up form, on yet another website, after being asked to create an
account in order to proceed.
You give it your best to come up with a password
you aren’t already using across your most crucial online accounts and hit
submit. Not so fast! “Password must contain at least one uppercase letter.”
Okay then, there you go, submit. “Password must contain at least one special
character.” Now the password can’t contain the very character you’ve chosen.
Sorry, now the “password is too long”.
Well, all this may be about to change.
As of May 1, the new Digital Identity
Guidelines drafted by NIST (the US National Institute of Standards
and Technology) are closed for public comment and ready to be finalized.
The guidelines will bring new and improved password
requirements, changing most of what we’ve known as a “necessary evil” needed to
secure our accounts.
As many of the previously utilized rules have
proven ineffective or even counterproductive, NIST now recommends
administrators leave out any measures that put a burden on users but don’t
significantly improve their security.
Doing so is expected to lead to increasingly secure
authentication, as users won’t be compelled to find easy (and insecure) ways
around overly complicated requirements.
Although the guidelines are only binding for
federal agencies, they tend to have great influence on organizations in
general, which in turn affects internet users worldwide.
So what are some of the major changes ahead?
No more enforced composition rules
Complex composition rules (such as
requiring users to include both uppercase and lowercase characters, at least
one number and a special character) are to be eliminated. The reason behind
this is that such rules rarely encourage users to set stronger passwords and
rather result in passwords that are both weak and difficult to remember.
No more periodic password expiration
The new guidelines also advise against requiring
routine password changes unless the subscriber requests a change or there is evidence
of a compromise. The argument here is that users only have so much patience for
having to constantly think of new reasonably strong passwords, thus forcing
them to do it repeatedly can do more harm than good.
No more hints and knowledge-based authentication
Another thing to leave behind, according to NIST, is
password hints and knowledge-based verification questions. While these might in
fact help users in their search for forgotten passwords, they can also be of
great value to attackers – even more so if reused on multiple sites.
Blacklist of unacceptable passwords
Instead of the previously used composition rules,
NIST recommends checking new passwords against a “blacklist” of the most
commonly used and/or previously compromised passwords and evaluating matching
attempts as unacceptable.
Broader variety of characters
When setting a password, users should be able to
choose freely from all printable ASCII characters, as well as UNICODE
characters including emojis. Users should also have the option of using spaces,
which are a natural part of passphrases – an often-recommended alternative to traditional
passwords.
Minimum length of eight characters
The new guidelines acknowledge length as the key
factor in password strength and introduce a minimum required length of eight
characters and a maximum of 64 characters.
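A verifier implementing the rules from the three sections above (no composition rules, a blocklist check, 8 to 64 characters, spaces and Unicode allowed), written here as an added example rather than code from NIST or the original article; the blocklist is a small constructed sample and the NFKC normalization step is an assumption not mentioned in the text:

```python
import unicodedata

# Constructed sample standing in for a real list of the most common and
# previously breached passwords (a real deployment would load a large list).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "iloveyou"}
MIN_LENGTH = 8   # minimum required by the guidelines
MAX_LENGTH = 64  # longest value this verifier accepts

def legacy_composition_ok(password: str) -> bool:
    """The kind of rule being retired: upper + lower + digit + special required."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() and not c.isspace() for c in password))

def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under the new rules:
    no composition requirements, spaces and any printable ASCII or Unicode
    (emoji included) allowed, length counted in code points, and rejection
    of anything on the blocklist."""
    # NFKC normalization is an assumption added here so that visually
    # identical Unicode input always has the same length and blocklist match.
    pw = unicodedata.normalize("NFKC", password)
    # Only control characters (category Cc) are refused; ZWJ and variation
    # selectors used inside emoji sequences are kept so emoji still work.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "control characters are not allowed"
    length = len(pw)  # code points: an emoji counts as one character
    if length < MIN_LENGTH:
        return False, f"too short: {length} < {MIN_LENGTH}"
    if length > MAX_LENGTH:
        return False, f"too long: {length} > {MAX_LENGTH}"
    if pw.casefold() in BLOCKLIST:
        return False, "appears on the blocklist of common or breached passwords"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correct horse battery staple", "🔑🔒 my keys"]:
        print(repr(candidate), "legacy:", legacy_composition_ok(candidate),
              "new:", check_password(candidate))
```

Note how "P@ssw0rd" satisfies the old composition rule yet fails the blocklist, while the four-word passphrase fails the old rule and passes the new one.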
One factor is not enough (but leave SMS out of it)
No matter how much effort you put into improving
your passwords, they remain just a single barrier standing between potential
attackers and your valuable data. When aiming for secure accounts, an
additional layer of authentication should be considered as an absolute must.
NIST knows this and recommends utilizing two-factor or multi-factor
authentication whenever possible.
The point of 2FA/MFA is to verify that the person
trying to gain access to an account is really the person authorized to do so.
In practice, this can be done using something you know (like a memorized
password or a PIN), something you have (such as a security token or a mobile
phone) or something you are (biometric methods like fingerprint readers, face
or retina scanners).
What’s new in the latest recommendations in terms
of 2FA? SMS is no longer advised as a second factor due to it being susceptible
to numerous threats. More secure alternatives to SMS include hardware
devices, as well as software-based one-time password (OTP) generators – such as
secure apps installed on mobile devices.
The new guidelines introduce a more straightforward
approach to digital authentication, which has the potential to improve the
current situation not only in terms of user-friendliness, but also in terms of
security. And because passwords don’t seem to be going anywhere just yet, we
might as well try and make the best out of them.
NIST is not alone in its recommendation either.
The people behind World Password Day, an initiative focused on improving
password strength, suggest that each account should have its own unique
password and that users can also adopt either a “passcode”
strategy for increased security or two-factor authentication,
whereas a password only provides a single (security) step to gain access to sensitive
data. Thus, the takeaway here echoes one of our most central pieces of advice,
the use of a reliable multi-layered security solution.