
OPLIN 4cast #543: Even the government agrees password security guidelines are awful

Posted in 4cast

Are you tired of changing your password every few months? Annoyed by the stringent level of complexity so many applications and websites now require of your passwords? You’re not alone and, more importantly, those measures don’t actually seem to do much to enhance security. It’s now gotten to the point where the United States National Institute for Standards and Technology (NIST) has drafted new password guidelines for the public sector. These guidelines are surprisingly progressive. They eliminate periodic password changes and remove imposed password complexity; instead, passwords will be checked directly against a list of commonly used, expected, or compromised passwords. This way, users will be prevented from creating passwords like “12345678.” No exact ETA yet on when these changes will be implemented, but this is a huge step in combating password fatigue and in making passwords actually more secure.
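To show what a password check along the lines described above looks like in practice, here is an added example (not code from OPLIN or from the NIST draft). It enforces a minimum length, rejects anything on a blocklist of common or compromised passwords, rejects purely repetitive or sequential strings and passwords containing account-specific words, and deliberately applies no composition rules and no expiry. The blocklist here is a small constructed sample standing in for a real breached-password corpus; the function name, length limits and return shape are the author's own assumptions.

```python
import unicodedata

# Constructed sample blocklist (assumption): a real deployment would load a
# large corpus of breached and commonly used passwords, stored lowercased.
BLOCKLIST = {"12345678", "password", "password1", "qwerty123", "letmein1", "iloveyou"}

MIN_LENGTH = 8   # minimum the draft requires for user-chosen passwords
MAX_LENGTH = 64  # upper bound chosen here; the point is to allow long passphrases


def _normalize(candidate: str) -> str:
    """Unicode-normalize so visually identical inputs compare equal
    (e.g. fullwidth letters fold to ASCII before the blocklist lookup)."""
    return unicodedata.normalize("NFKC", candidate)


def _is_repetitive(s: str) -> bool:
    """All characters identical, e.g. 'aaaaaaaa'."""
    return len(set(s)) == 1


def _is_sequential(s: str) -> bool:
    """Strictly ascending or descending code points, e.g. 'abcdefgh' or '87654321'."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(candidate: str, blocklist=BLOCKLIST, context=()):
    """Return (accepted, reason). `context` holds account-specific words such as
    the username or service name that must not appear in the password.
    No character-class rules and no rotation schedule are applied on purpose."""
    pw = _normalize(candidate)
    lowered = pw.lower()

    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if lowered in blocklist:
        return False, "appears in list of common or compromised passwords"
    if _is_repetitive(lowered):
        return False, "repetitive characters"
    if _is_sequential(lowered):
        return False, "sequential characters"
    for term in context:
        if term and term.lower() in lowered:
            return False, "contains account or service name"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("12345678", "Password1", "correct horse battery staple", "aaaaaaaaaa"):
        print(repr(sample), "->", check_password(sample))
```

Note that "correct horse battery staple" passes even though it has no digits or symbols, while "Password1" is rejected because the blocklist comparison is case-insensitive and Unicode-normalized; the check is about whether an attacker is likely to guess the value, not about which character classes it contains.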

    • New password guidelines say everything we thought about passwords is wrong [Venture Beat] “Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence as many corporate security professionals use them as base standards and best practices when forming policies for their companies.”
    • Vendors approve of NIST password draft [CSO Online] “NIST’s Paul Grassi, one of the authors of the report, noted that many of the above guidelines are now only strong suggestions and are not mandatory yet. The public comment period closed on May 1 and now the draft goes through an internal review process. It is expected to be completed by early to mid summer.”
    • NIST’s new password rules – what you need to know [Naked Security] “Additionally, and this is a big change: SMS should no longer be used in two-factor authentication (2FA). There are many problems with the security of SMS delivery, including malware that can redirect text messages; attacks against the mobile phone network (such as the so-called SS7 hack); and mobile phone number portability.”
    • What’s a Good Password? NIST says One that hasn’t been stolen [The Security Ledger] “Together, the recommendations offer counter-intuitive, but well supported advice on how to coach users to select more secure passwords to protect their accounts. For example, NIST’s guidelines suggest abandoning length and complexity requirements for passwords, such as requiring passwords of a certain length and mandating the use of letters, numbers and special characters in the password. Such practices are the bedrock of most current password regimes, but NIST said they often work at cross purposes with efforts to protect accounts.”

From the Ohio Web Library: