It’s no secret that most computer users have password fatigue: many people are forced to remember numerous passwords, each with its own set of requirements and often with mandated refresh cycles. The result is that security is actually made weaker as users struggle to create easy-to-remember passwords or simply write their passwords down on physical media. A new set of standards put forth by the National Institute of Standards and Technology looks to address the password security problem.
The National Institute of Standards and Technology (NIST) sets the standards followed by government organizations for password security. Because of its influence, most businesses also adopt the same practices, accepting them as best practices when forming policies for their own companies. NIST has drafted a new set of standards to address problems associated with password management.
While the new Digital Identity Guidelines document is extensive, these are a few of the big points that should help address password fatigue and security:
New Password Pre-checks: Every time a security breach is published, it is invariably followed by a list of the terrible passwords that an overwhelming majority of the breached accounts used. Entries like “password” or “Abc123” often top these lists. Under the new guidelines, such weak passwords will be automatically rejected at the creation stage.
Annual Password Changes Are No Longer Mandatory: NIST has now given in to the fact that periodic password changes not only don’t help, but can actually make things worse. Part of the reason many users fall back on terrible passwords is that they are often required to change them every month or even every couple of weeks. Under the new guidelines, passwords should only be changed if a user requests a change or if there is evidence that credentials have been compromised.
Relaxed Password Complexity Requirements: Originally, passwords mandated special characters and number combinations because that increased the number of potential combinations an attacker would need to test. Unfortunately, computer algorithms and bots make it possible to test hundreds of password combinations every minute. This means that adding a couple of extra characters only makes the password harder for the user to remember and creates a false sense of security. This in part goes back to the fact that, when given the option, a user will create the simplest password to remember that fulfils the creation requirements.
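The creation-time check the pre-check and relaxed-complexity points describe, as an added Python example (not the article's own or NIST's code): a length floor and a blocklist of known-bad and context-specific values, with no digit/symbol composition rules. The 8-character floor, the blocklist contents and the username/service-name parameters are values chosen for this example.

```python
# Added example: a creation-time password check in the spirit of the guidelines
# above. No composition rules (digits, symbols, forced rotation); instead a
# length floor plus a blocklist of commonly used, breached, or context-specific
# values. MIN_LENGTH and the blocklist are constructed for this example.
from typing import Optional

MIN_LENGTH = 8  # floor for user-chosen secrets; no maximum is imposed

# Constructed sample blocklist. A real deployment would load a large list of
# passwords seen in breach corpora (the article cites "password" and "Abc123").
COMMON_PASSWORDS = {
    "password", "abc123", "123456", "qwerty", "letmein", "iloveyou", "welcome1",
}


def normalize(candidate: str) -> str:
    """Compare case-insensitively so 'PASSWORD' is treated as weak as 'password'."""
    return candidate.strip().casefold()


def is_sequential_or_repetitive(s: str) -> bool:
    """True for strings like 'aaaaaaaa' (one repeated character) or '12345678'
    (every adjacent pair steps by exactly +1 in code-point order)."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1}


def check_password(candidate: str, username: str, service_name: str) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the reason it was
    rejected. username and service_name are context-specific words (assumed
    inputs for this example) that must not appear inside the password."""
    norm = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        return f"too short: at least {MIN_LENGTH} characters are required"
    if norm in COMMON_PASSWORDS:
        return "appears on the list of commonly used or breached passwords"
    for word in (username, service_name):
        if word and normalize(word) in norm:
            return f"contains the context-specific word {word!r}"
    if is_sequential_or_repetitive(norm):
        return "is a repeated or sequential character string"
    return None  # no composition rule: a long lowercase passphrase passes
```

Because the check rejects only values that are short, known-bad, or trivially patterned, a user can pick a long memorable passphrase rather than an unmemorable string of required symbols.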
NIST goes on to address the role of multi-factor authentication in user account security. Multi-factor authentication has already become a much stronger and more reliable form of account security than passwords can ever achieve on their own. Requiring a second form of identification, usually a temporary code delivered to your smartphone, means that it is nearly impossible to gain unauthorized access to an account. As more systems adopt these advanced forms of protection, security improves and password complexity becomes much less critical, which is a win-win for everyone.