Let’s face it: complicated alphanumeric passwords are one of the worst parts of being online. With the plethora of websites and online applications requiring us to create accounts and passwords, the advice of password security experts is easy to ignore.
As the computing power available for password cracking continues to grow, poor password hygiene has led businesses and organizations to enforce stronger password policies such as 10-character passwords mixed with capital letters, numbers, and special characters.
Security practices like this, however, have led to user complaints when it comes down to usability – especially in the workplace. Can you blame them? I mean, balancing life with work is tough enough. When you add hurdles such as account lockouts due to complex passwords, you’ve got a seriously frustrating distraction. But guess what? It doesn’t need to be this complicated, and the government is here to help.
NIST Updates Password Policy Guidelines – Passphrases are Where It’s At
That’s right, the National Institute of Standards and Technology (NIST) has updated its guidance for password complexity in the final version of Special Publication 600-83. The biggest update: encouraging end users to choose longer passphrases. In its latest guideline on authentication and lifecycle management, NIST calls for allowing memorized secrets of at least 64 characters in length to support the use of passphrases. To aid memorization, users are encouraged to make memorized secrets as lengthy as they want, using any characters they like.
So What Makes Passphrases Better than Complex Password Policies?
- Passphrases favor the user because they are easier to remember than a random string of symbols and letters such as “#!wA$WR0^6”. It is much easier to remember a phrase from your favorite book or a quote from your favorite song: “At least I’m not as sad as I used to be”.
- Passwords are typically easier to crack or guess and have less entropy. When it comes to measuring how unpredictable a password is, longer passwords that are easier to remember tend to have more entropy than shorter passwords that are easier to forget.
- Passphrases are supported by major operating systems, applications and Identity Providers. Most operating systems, including Windows and macOS, allow passphrases of up to 127 characters. This is also the case for SSO Identity Providers. Streamlined authentication providers such as PortalGuard can also allow users to opt for longer passphrases for maximum security.
- Poor usability due to complex password requirements can create workarounds that are insecure. With all those special character requirements, and frequent password changes, NIST acknowledges that users often work around these types of restrictions in a way that is counterproductive. Emphasizing password length for password phrases that are easy for the user to remember makes it less likely for them to be written down or stored in another unsafe manner.
- Passphrases aren’t required to be changed arbitrarily (from NIST’s standpoint that is) unless there is a user request or evidence of authenticator compromise.
- Passphrases easily satisfy complex rules and are next to impossible to crack. For those who prefer or need to use punctuation and upper/lowercase letters to meet complexity requirements, these can also be used in passphrases. Also, even the most advanced password cracking tools break down at around 10 characters, which limits further brute-force attacks.
The Shift in Strategy – The Strength of “Memorized Secrets”
In spite of the extensive frustration with the use of passwords from both a usability and security standpoint, it’s clear that passwords remain a widely used form of authentication. In an effort to address security concerns and the limited ability for humans to memorize such complex passwords, NIST has outlined a password strategy for creating and changing these memorized secrets (passphrases) in section 10.2.1 of their latest guideline:
- Clearly communicate information on how to create and change memorized secrets.
- Clearly communicate memorized secret requirements.
- Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g., mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
- Provide clear, meaningful and actionable feedback when chosen passwords are rejected (e.g., when a password appears on a “black list” of unacceptable passwords or has been used previously). Advise users that they need to select a different secret because their previous choice was commonly used.
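The checklist above translates into a small verifier-side validator. The following is an added example, not code from the article or from PortalGuard; the 16-character minimum, the 128-character ceiling, the blocklist entries and the use of SHA-256 for the reuse check are all assumptions constructed for illustration (a production system would store secrets with a slow, salted hash such as bcrypt or Argon2).

```python
import hashlib
import unicodedata

# Policy knobs, constructed for this example. NIST asks verifiers to allow at
# least 64 characters; the 16-character floor echoes the article's suggestion.
MIN_LENGTH = 16
MAX_LENGTH = 128

# Constructed blocklist of commonly used secrets; a real deployment would load
# a large corpus of breached and dictionary passwords here.
BLOCKLIST = {"password", "password123", "letmein", "qwerty123456", "welcome1"}


def _normalize(secret: str) -> str:
    # Unicode NFKC so the same phrase typed on different keyboards compares equal.
    return unicodedata.normalize("NFKC", secret)


def _digest(secret: str) -> str:
    # Illustrative only: reuse history is compared by hash so plaintext never persists.
    return hashlib.sha256(_normalize(secret).encode("utf-8")).hexdigest()


def check_memorized_secret(secret: str, previous_digests=()) -> list:
    """Return actionable reasons the secret is rejected; an empty list means accepted.

    Deliberately absent: any composition rule (uppercase, digits, symbols),
    and any periodic-expiry logic. Spaces and any other characters are allowed.
    """
    s = _normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"Use at least {MIN_LENGTH} characters; a phrase with spaces is fine.")
    if len(s) > MAX_LENGTH:
        problems.append(f"Use at most {MAX_LENGTH} characters.")
    # Blocklist lookup is case-insensitive and ignores surrounding whitespace.
    if s.strip().lower() in BLOCKLIST:
        problems.append("That secret is commonly used; choose a different one.")
    if _digest(s) in previous_digests:
        problems.append("You have used that secret before; choose a different one.")
    return problems


if __name__ == "__main__":
    for candidate in ("#!wA$WR0^6", "Password123", "At least I'm not as sad as I used to be"):
        print(repr(candidate), "->", check_memorized_secret(candidate) or "accepted")
```

Note that the random 10-character string is rejected purely on length, while the song-lyric passphrase passes without any symbol or digit requirement.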
Preparing Organizations for the Trend of Usability – What’s next?
Before you go ahead and change your security policies to align with these new guidelines, bear in mind that this information is just the tip of the iceberg. As with any significant change to a security program, password policies need time to evolve as we learn more about how people are using them. With that being said, considering single sign-on (SSO) for security and a better user experience is a good place to start.
If your systems and applications don’t allow users to create passwords that line up with NIST recommendations, chances are you won’t get very far. If you haven’t taken advantage of SSO yet, consider implementing it through an Identity Provider that supports the use of passphrases. Not only will this reduce the number of passwords your users have to remember, but it will also help you move away from application-specific password policies, which tend to be much less secure. With the ability to hook into your existing LDAP, solutions like PortalGuard have built-in password complexity rules that support the use of spaces and the ability to require much longer passphrases (e.g. a minimum length of 16 or more characters). The software’s white-label functionality also allows admins to update the password change process to both educate end users about passphrases and require their usage. An IdP like PortalGuard allows your organization to both improve user awareness and streamline the number of password policies in place. Gone are the days when administrators have to manage policies for each application. PortalGuard provides security and usability in a single, accessible package.