Revised Guidelines Open the Door to Better Password Management

“Open Sesame!”

With this phrase, the title character of the 18th-century folk tale “Ali Baba and the Forty Thieves” was able to gain entry to a secret cavern filled with gold, silver and other riches. The part of the story most people forget is that Ali Baba’s brother was later killed after he forgot the magic words and became trapped in the cave.

Three hundred years later, the tale perfectly captures the pros and cons of passwords. They offer a simple and effective way to establish your identity, but you can get yourself in a serious jam if you forget them.

Password Overload

Although passwords are increasingly being augmented with additional secure access technologies such as multifactor authentication and encryption, they remain a primary authentication mechanism. As such, organizations must adopt and enforce good password management guidelines. However, industry leaders and standards bodies have begun to rethink some of the practices that have been widely accepted for years.

One of the biggest problems with passwords today is that we all have too many of them. The need to create unique passwords for multiple personal and professional accounts, websites, cloud applications and more has become overwhelming. A 2019 study from LastPass found that the average small business employee has 85 unique passwords.

Poor password practices can trigger a range of cybersecurity incidents. More than 80 percent of all confirmed data breaches can be traced to compromised passwords, according to Verizon’s 2019 Data Breach Investigations Report. The problem has only gotten worse since the COVID-19 outbreak. Research indicates phishing attempts and password hacks have increased by upwards of 300 percent since millions of Americans began working from home, where they need even more passwords than usual to access an array of company resources, applications, websites and cloud services.

Revised Guidelines

For years, frequent mandatory resets were considered a best practice for password security. There was almost unanimous agreement within the industry that users should create new and unique passwords for every account every 60 or 90 days. Many industry experts are reconsidering that philosophy, however.

The National Institute of Standards and Technology (NIST), for example, has revised guidelines that private- and public-sector organizations have been following for more than a decade. NIST now recommends eliminating password change requirements, arguing that frequent resets may actually be counterproductive. The group says research suggests that frequent resets simply encourage employees to create simple passwords that are easy to remember (and easy to guess).

Additionally, NIST notes that passwords are not the sole form of protection when they are used in conjunction with other authentication factors. As such, the group suggests that passwords should only be reset in the event of an actual breach.

NIST has also reversed itself on complex passwords. Instead of complexity requirements, the guidelines now recommend the use of long passphrases: simple sentences that should be easy for users to remember but difficult for hackers to guess. Sentences also naturally include upper- and lower-case letters and special characters such as spaces and punctuation. To support the use of passphrases, NIST guidelines now suggest password lengths of up to 64 characters.
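
The difference between the older rules and the revised recommendations described above (no scheduled resets, a reset after an actual breach, passphrases of up to 64 characters) can be shown in a few lines of Python. This is an added example, not code from NIST or from the original article; the Policy class, both function names, the 8-character minimum and the legacy 16-character maximum are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import string

@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    require_classes: bool          # composition rule: upper, lower, digit, symbol
    max_age_days: Optional[int]    # None means no scheduled expiry

# Constructed policies (assumed values, see lead-in).
LEGACY = Policy(min_len=8, max_len=16, require_classes=True, max_age_days=90)
REVISED = Policy(min_len=8, max_len=64, require_classes=False, max_age_days=None)

# Constructed sample passphrase: lower-case words and spaces, 29 characters.
SAMPLE_PASSPHRASE = "my dog eats socks on tuesdays"

def check_password(pw: str, policy: Policy) -> list:
    """Return the policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_len:
        problems.append("too short")
    if len(pw) > policy.max_len:
        problems.append("too long")
    if policy.require_classes:
        has_all = (any(c.isupper() for c in pw)
                   and any(c.islower() for c in pw)
                   and any(c.isdigit() for c in pw)
                   and any(c in string.punctuation for c in pw))
        if not has_all:
            problems.append("missing character class")
    return problems

def reset_required(last_changed: date, today: date,
                   breached: bool, policy: Policy) -> bool:
    """A breach always forces a reset; age counts only if the policy expires."""
    if breached:
        return True
    if policy.max_age_days is None:
        return False
    return today - last_changed > timedelta(days=policy.max_age_days)

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY), ("revised", REVISED)):
        print(name, check_password(SAMPLE_PASSPHRASE, policy))
```

Under the legacy policy the sample passphrase is rejected twice over, while the revised policy accepts it and leaves a 200-day-old password alone until a breach is reported.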

Passwords have long been an essential security tool, but password overload is limiting their effectiveness. Old policies requiring users to adopt increasingly complex passwords and change them frequently have not worked, and in many cases have led employees to cut corners. NIST’s revised guidelines should open the door to password management that effectively strikes a balance between security and ease of use.