Password Paradigm Shift: New Rules for Password Security

The US Government says you should stop using Password Complexity and Password Resets… so why are you still using them?

In the high stakes arena of cybersecurity, staying ahead of the curve is crucial. Yet, many organizations cling to outdated practices that may actually be hindering their security efforts. The National Institute of Standards and Technology, or NIST, publishes countless standards including some of the most definitive cyber security standards in the world. A few years ago now in 2020, NIST updated their digital identity guidelines with some important changes that most computer administrators seem to be unaware of or ignoring.

In this post, we’ll explore three cybersecurity tips endorsed by NIST and reviewed by Dito in-house expert, Kevin McGrail (aka “KAM”). These insights challenge conventional wisdom and offer a fresh perspective on how to enhance your digital security. Whether you’re an IT professional or a concerned individual, these tips will help you rethink your approach to password management and overall cybersecurity strategy.

Get rid of password complexity and instead require long passwords

Don’t believe me, trust the government, they are here to help and here’s the chapter and verse.

Specifically, in the NIST Digital Identity Guidelines, SP 800-63B Section 5.1.1.2 paragraph 9: “recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected…”

KAM Tip #1: Use Passphrases, NOT Passwords

It’s comical, literally, how bad the strength of complex passwords is compared to passphrases. This comic from xkcd explains it very well (https://xkcd.com/936/):

Administrators, you can use the Password Generator at https://preshing.com/20110811/xkcd-password-generator/ to get started but I recommend you set a minimum password length of 20 characters with no complexity requirements.

Then train users to use passphrases such as 4-6 words from a song they like. It will give them a really strong password that’s easy to remember! And if your security framework is antiquated and requires complexity, quote NIST’s Digital Identity Guidelines for why you aren’t doing it.

Don’t be a cybersecurity checkbox administrator and instead move the cybersecurity needle the right way!

Don’t Require Periodic Password Changes

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”, from NIST SP 800-63B Section 5.1.1.2 paragraph 9.

If you are using them, stop. If your security framework requires them, quote this paragraph for why you aren’t resetting them.

KAM Tip #2: Anything users have to record or write down is less secure. A passphrase like is much easier to remember a passphrase and requiring users to arbitrarily change their passwords makes them have to write it down!

Embrace Multi-Factor Authentication (MFA)

KAM’s Final Tip #3: Embrace Multi-Factor Authentication (MFA)!

To close things out for this article, MFA solutions like Google’s 2-Step Verification (2SV) literally stop 99.9999999% of attacks.

For over 20 years, I’ve been the principal author of threat data that protects in excess of 30% of all the domains on the internet. However, I’ve only worked on a handful of incidents where MFA was compromised. It can happen but it’s extraordinarily rare. So if you haven’t already, please Embrace MFA; Start Using Passphrases; and End Routine Password Resets.

These recommendations, backed by NIST guidelines, challenge traditional notions of password security. By adopting these practices, organizations can significantly enhance their cybersecurity posture while also improving user experience.

Remember, effective cybersecurity isn’t about ticking boxes or following outdated rules. It’s about implementing smart, evidence-based strategies that genuinely protect your digital assets. As cyber threats continue to evolve, so too must our defenses.

The three key takeaways are: