As reported in the Wall Street Journal, the National Institute of Standards and Technology (NIST) has released a new version of their document “Special Publication 800-63” for Digital Identity Guidelines. Normally, this type of publication goes unnoticed by the general public, but not this time!
Most of the guidelines that we in the IT industry follow regarding password security come from NIST’s 800-63 document. These guidelines are rules like changing your password often, using “special characters” and numbers, and making sure your password is at least 8 characters. Well… to put it bluntly, the new version throws it all out the window due to, as NIST puts it, “widespread frustration with the use of passwords from both a usability and security standpoint.”
The chief architect of both this version and the old version is a man by the name of William (Bill) Burr, a now-retired manager for NIST. Burr is quoted in the Wall Street Journal as saying, “It just drives people bananas and they don’t pick good passwords no matter what you do.”
The new guidelines recommend the following for users' passwords:
- Using extremely long passphrases around 24 characters in length
- Using password rate limiting software to slow down potential attackers who are guessing passwords
- Limiting the number of erroneous attempts, again, to slow down potential attackers
- Not using commonly used passwords such as “password” or “monkey”
- NOT forcing users to use complex passwords such as those that require upper and lower case letters, numbers, and/or symbols
- NOT forcing users to change their passwords on a regular basis, only when there may have been a breach or it is forgotten
While many of these new guidelines are the same as, or extensions of, those in the previous version, some, like dropping password complexity requirements, may be hard habits to break for IT administrators working to secure their networks against the deluge of attacks we face on the internet every day.