NIST Calls for Major Overhaul in Typical Password Practices
Draft Guidelines Call for Longer, Randomized Passwords Instead of Memorized Phrases

Digital passwords have become too illogical and difficult for end users to manage, according to the latest guidance from the National Institute of Standards and Technology.
NIST recently released the second public draft of its digital identity guidelines, SP-800-63-4, calling for an overhaul of password practices. Under the new guidance, end users would no longer be required to routinely change their passwords - but their login information would need to be longer and more randomized than ever before.
Experts have long called for an overhaul of standard password practices, and the Federal Trade Commission in 2016 urged organizations to end mandatory password changes. Chief technologists and security researchers in leading technology firms such as Microsoft have also urged CSPs to transition away from password expiration standards, warning that the practice actually weakens security by encouraging users to create simpler, more predictable passwords.
The proposed recommendations call for password policy administrators to ditch the notion that logins should contain at least one number, one special character and a combination of upper and lowercase letters. Cloud service providers and verifiers should instead require passwords to be a minimum of 15 characters in length, according to NIST, and force changes to user login information only when there is evidence of a compromise of the authenticator.
No other composition rules are required under the new recommendations, which also call for an end to storing password hints and security questions. CSPs are encouraged to allow for maximum password lengths of at least 64 characters, including the space character.
NIST has consistently aimed to modernize password guidance in recent years, initially calling for CSPs to forego arbitrary password complexity requirements in 2019 (see: Surprising Password Guidelines From NIST).
The latest updated guidance says users who store login information with CSPs should undergo periodic reauthentication at least every 30 days and recommends multifactor cryptographic authentication, among other forms of authentication beyond passwords. Organizations that store passwords for users should also develop new blocklists that contain known commonly used or compromised passwords, under the NIST guidelines.
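As an added illustration (not code from NIST or from this article), the following Python check contrasts a legacy composition-rule policy with a verifier that applies the draft's length-and-blocklist rules described above. The blocklist entries and sample passwords are constructed for the demo, and the 64-character ceiling is this verifier's own choice at the draft's floor.

```python
"""Password acceptance checks: legacy composition rules vs. the NIST SP 800-63-4 draft rules."""
import unicodedata
from typing import List, Set

MIN_LENGTH = 15   # draft: passwords must be at least 15 characters
MAX_LENGTH = 64   # draft: verifiers must allow at least 64; this verifier allows exactly 64

# Constructed blocklist for the demo. A real deployment would load known
# common or breached passwords from a maintained corpus instead.
BLOCKLIST: Set[str] = {
    "password123456789",
    "correct horse battery staple",
    "qwertyuiopasdfghjkl",
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_legacy_policy(password: str) -> List[str]:
    """The composition-rule policy the draft tells verifiers to drop. Returns a list of problems."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("no mixed case")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def check_nist_draft_policy(password: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Length bounds plus a blocklist lookup only: no composition rules, spaces allowed."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw in blocklist:
        problems.append("found in blocklist of common/compromised passwords")
    return problems


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "pancakes on a tuesday morning", "correct horse battery staple"):
        print(repr(sample), "legacy:", check_legacy_policy(sample), "draft:", check_nist_draft_policy(sample))
```

Note how a short, "complex" password passes the legacy rules but fails the draft's length floor, while a long multi-word passphrase fails the legacy rules yet is accepted by the draft policy unless it appears on the blocklist.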
The new NIST guidance recommends CSPs immediately "suspend, invalidate or destroy" compromised password and login information following the detection of an account compromise. Organizations are also encouraged to provide users with backup authentication methods so they can regain secure access to their accounts.
NIST's latest recommendations come after the agency received nearly 4,000 specific comments from stakeholders and the public to modernize its digital identity guidelines. The agency now seeks feedback on a series of key questions included in the draft proposal, such as whether additional implementation recommendations should be included and what specific metrics could enable more rapid adoption of the latest guidelines.