A Fundamental Shift in Passwords
By CMD Technology Group
6 min read
Whether you are the consummate computer professional or completely computer illiterate, managing passwords can be a major task. While the typical user will be required to remember their personal passwords, the computer professional will most likely need to manage passwords to accounts that are not their own (i.e., service accounts, admin accounts, etc…). Let’s face it; we all find passwords annoying. In this day and age, we have passwords or pins for just about everything and managing them all can be a nightmare. Some of the tasks involved in managing passwords include:
Why Do We Have to Have Passwords?
Passwords are the cheapest form of protection for our information. To implement protection schemes that require pass-cards or biometrics (fingerprints) the cost to implement goes up drastically. Who do you think your bank will pass the cost onto?
Thanks to known hacks and other factors, we are required to change our passwords over and over. Traditionally, these were the recommendations for the proper and improper methods to create our passwords:
Do some or all of the following:
After Creating Passwords…Next Steps
NIST
The National Institute of Standards and Technology (NIST) has come up with some new guidelines for creating passwords after years of observing how well the recommendations above have served us. Who is NIST? NIST is a non-regulatory federal agency whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. More information on NIST can be found here: https://www.nist.gov/. Why should we listen to NIST? Because NIST developed the standards that all US federal agencies must follow: FIPS (Federal Information Processing Standards).
NIST’s new guidelines for passwords are published here: https://pages.nist.gov/800-63-3/ sp800-63b.html. The document uses legal syntax and can be difficult to read. For instance, the document uses the term Memorized Secret Verifiers to refer to passwords. Below are the current password policy recommendations. These are translated from the legalese where needed. Note that NIST refers to a person using a password as a subscriber.
Password Managers
Proper password managers have the following traits:
The Big Changes You Need to Know
The purpose of allowing all Unicode and ASCII characters is not to promote password complexity. It is to allow the subscriber to choose the password they are comfortable with. The need for complex passwords mixing numbers, letters, case, and extended characters is no longer recommended. Studies done by NIST and other organizations show that complex password policies actually result in weaker passwords with many support issues.
Frequent password changes are not recommended. For those of you tired of changing your password every 45 days, this should make you happy. Those same studies mentioned above show that frequent password changes are detrimental to the creation of strong passwords. The more you have to change a password, the more human nature is going to kick in to make it easier to remember password.
Password screening requirements are now recommended. When allowing subscribers to change passwords, compare the new password against a list that contains values known to be commonly-used, expected, or compromised. For example:
If you have a question about any of our solutions or any feedback you’d like to share, contact us. We would love to hear from you!
Get in touch
You can email us at afernandez@cmdtg.com
Give us a call at 1-800-806-4173
Or contact us using the form below