Most company password policies employ a few security measures that, for a long time, have been regarded as unchallenged, logical best practices. These measures are typically a forced password rotation every 90 days and complexity requirements (upper-case and lower-case letters, a number, and a special character). For domain administrators and end-users alike, these restrictions have long been the bane of our password management experience.
But let's admit it, you probably have terrible passwords; we all do. According to a 2017 survey by Keeper Security, most people have a single password that they use across all systems. We all know that this password must rotate periodically on many platforms, but that isn't typically a big issue. Why? Because many employees also know exactly how to get around this. We replace a letter with a look-alike special character (for example, S becomes $ or I becomes !), increment the number at the end by 1, or use a different special character before the number at the end. Rinse and repeat. None of this behavior is beneficial for security. Be honest, have I just described your password for your social media, online banking, work computer, home computer, and iTunes account? If so, you are not alone.
Conventional wisdom has long said that increased password complexity and periodic password resets can only be a good thing. More complex and more frequent rotations lead to stronger passwords, right? In reality, complex password requirements and frequent rotation of passwords are doing more harm than good. The newly updated NIST guidelines on digital identity controls (NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, published in 2017) have caused a lot of chatter within the security community.
They are focused on making users' lives easier, not harder, and may have a real impact on how your organization manages its password policy.
Making users reset their passwords every few months (i.e., the proverbial 90-day rotation) is a classic security measure. The thinking here is that any unauthorized person who obtained a user's password will soon be locked out when the password is forced to change. According to research, the NIST guidelines and, let's be honest, our own password habits, this does not actually work. Users tend to change their passwords in predictable and convenient patterns. So, if an attacker already knows one of a user's previous passwords, guessing the new one is usually a matter of trying a few hundred predictable variations, and in most cases one of them will be right.
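To make that concrete, here is an added example (not code from the original article or from NIST) that encodes the habits described above as mutation rules and applies them to one known previous password. The passwords, the salt and the hashes are constructed for the demo; the only real-world fact it relies on is that people rotate passwords this way.

```python
"""Added example (not from the original article): how little a forced
password change buys once one previous password is known.

The mutation rules encode the habits the article describes: swap a letter
for a look-alike symbol, bump the trailing number, change the trailing
special character, or tack something on the end. Applied two steps deep they
yield a few hundred candidates, which is trivial to try against a leaked
hash. Passwords, salt and hashes here are constructed for the demo.
"""
import hashlib
import re
from typing import Optional

LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$", "l": "1"}
SPECIALS = "!@#$%^&*"
SALT = b"constructed-demo-salt"   # a real verifier uses a random per-user salt


def single_step(pw: str) -> list[str]:
    """One 'rotation' of the usual habits applied to a previous password."""
    out: list[str] = []

    # "Increment the number at the end by 1" (try a few rotations ahead);
    # any special characters after the number are kept as-is.
    m = re.match(r"^(.*?)(\d+)(\W*)$", pw)
    if m:
        head, digits, tail = m.groups()
        for step in range(1, 5):
            out.append(f"{head}{str(int(digits) + step).zfill(len(digits))}{tail}")

    # "Replace a letter with a similar special character": one position at a
    # time, and every eligible position at once.
    for i, ch in enumerate(pw):
        if ch.lower() in LEET:
            out.append(pw[:i] + LEET[ch.lower()] + pw[i + 1:])
    out.append("".join(LEET.get(c.lower(), c) for c in pw))

    # "Use a different special character" at the very end ...
    m = re.match(r"^(.*)([^\w\s])$", pw)
    if m:
        out.extend(m.group(1) + s for s in SPECIALS if s != m.group(2))
    # ... or before the number at the end.
    m = re.match(r"^(.*)([^\w\s])(\d+)$", pw)
    if m:
        out.extend(m.group(1) + s + m.group(3) for s in SPECIALS if s != m.group(2))

    # Appending a character is the other classic escape from a "new password" rule.
    out.extend([pw + "!", pw + "1"])
    return out


def mutations(old: str) -> list[str]:
    """The old password plus its predictable successors, two habits deep, deduplicated."""
    level1 = single_step(old)
    level2 = [c for base in level1 for c in single_step(base)]
    return list(dict.fromkeys([old] + level1 + level2))


def pbkdf2(password: str, salt: bytes = SALT) -> bytes:
    # Low iteration count so the demo finishes in a second; a real verifier
    # uses a tuned, far higher count or a memory-hard KDF (Argon2id, scrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1_000)


def recover_new_password(old_password: str, new_hash: bytes, salt: bytes = SALT) -> Optional[str]:
    """Attacker's view: given a leaked previous password and the hash of the
    'new' one, return the new password if a predictable mutation produced it."""
    for cand in mutations(old_password):
        if pbkdf2(cand, salt) == new_hash:
            return cand
    return None


if __name__ == "__main__":
    for old, new in [("Winter2023!", "W!nter2024!"), ("Spring!17", "Spring@18"),
                     ("Winter2023!", "correct horse battery staple")]:
        found = recover_new_password(old, pbkdf2(new))
        print(f"{old!r:16} -> {new!r:32} tried {len(mutations(old)):4d} candidates: "
              f"{'cracked' if found else 'not found'}")
```

The point is the candidate count, not the hashing speed: two layers of these habits produce only a few hundred strings, so a rotated password derived from a known one falls in well under a second even against a properly slow key-derivation function. A genuinely unrelated new password (the passphrase in the third row) is not in the set at all.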
The new NIST guidelines reveal an important shift in the password policy paradigm: easier, more convenient security will, in turn, lead more people to take better security precautions. NIST has put forward the following recommendations of what to exclude from your password management policy:
- Forced periodic password changes (the proverbial 90-day rotation). A password should be changed when there is evidence that it has been compromised, not on a calendar.
- Composition rules, i.e. requiring a mix of upper-case, lower-case, numeric and special characters.
Now, there has been an interesting reaction from companies who hear about these changes. Delap has fielded a few inquiries along the lines of, "I just saw NIST's new guidelines and I was wondering if it would be okay to remove rotations and complexity requirements at my organization?" The problem is that this question overlooks a few key elements of the NIST guidelines. They do not stop at recommending that these password security controls be turned off. Importantly, NIST has also put forth a strengthened list of controls (SP 800-63B, section 5.1.1.2) that companies should be implementing in addition to removing rotations and complexity requirements:
- Screen every new or changed password against a blocklist of values known to be commonly used, expected or compromised: passwords from breach corpora, dictionary words, repetitive or sequential strings (such as "aaaaaaaa" or "1234abcd"), and context-specific words like the user name or the company name. Reject any match and tell the user why.
- Require at least 8 characters and accept at least 64, including spaces and all printable ASCII and Unicode characters, so that long passphrases are possible. Never silently truncate what the user typed.
- Rate-limit failed login attempts; NIST sets a ceiling of 100 consecutive failed attempts per account.
- Do not offer password hints, and do not use knowledge-based questions (mother's maiden name, first pet) as an authenticator.
- Store passwords only as salted hashes produced by an approved, deliberately slow key-derivation function such as PBKDF2.
- For any account that matters, add a second authentication factor; NIST's Authenticator Assurance Level 2 requires multi-factor authentication.
Yes, the NIST guidelines now recommend the removal of periodic password rotations and complexity requirements. However, those recommendations are not presented as the single, be-all and end-all measure that should be implemented. It is actually far from it! Adopting these new password guidelines needs to occur alongside the other stringent password controls noted above. Additionally, initial and ongoing employee education on how to create and protect secure passwords is necessary.
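To show what the trade looks like in practice, here is an added example (not Delap's or NIST's code) of a password check written in the spirit of NIST SP 800-63B section 5.1.1.2, placed next to the classic complexity rule it replaces, together with the failed-attempt limit from section 5.2.2. The breach list, the user name "jsmith" and the service name "Acme" are constructed stand-ins; a real deployment screens against a full breach corpus rather than six entries, and the "un-leet" normalization is a common hardening this example adds beyond the letter of the guideline.

```python
"""Added example (not from the original article or from NIST): a memorized-
secret check in the spirit of NIST SP 800-63B section 5.1.1.2, next to the
classic complexity rule it replaces, plus the failed-attempt limit from
section 5.2.2. The breach list, user name and service name are constructed
stand-ins; a real deployment screens against a full breach corpus.
"""
import re
import unicodedata


def legacy_policy_ok(password: str) -> bool:
    """The rule the article describes: 8+ chars with upper, lower, digit and special."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


# Constructed stand-in for a breach corpus / common-password list (lower-case).
BREACHED = {"password", "p@ssw0rd", "winter2023!", "letmein", "qwerty123", "iloveyou"}

MIN_LEN = 8     # 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LEN = 64    # 800-63B: verifiers SHALL accept at least 64; never truncate

# Undo the look-alike substitutions people use to sneak a dictionary word past
# a blocklist (a common hardening beyond the letter of 800-63B).
UNLEET = str.maketrans("@0$!31", "aosiel")


def _has_run(s: str, n: int = 4) -> bool:
    """True if any n consecutive characters are identical or step by exactly +/-1
    (e.g. 'aaaa', '1234', 'dcba'); this example's reading of 'repetitive or sequential'."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def nist_policy_check(password: str, username: str, service: str) -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules: length and blocklist only."""
    pw = unicodedata.normalize("NFKC", password)   # 800-63B: normalize before comparing/hashing
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BREACHED or low.translate(UNLEET) in BREACHED:
        return False, "found in breach / common-password list"
    if _has_run(low):
        return False, "repetitive or sequential characters"
    for word in (username, service):
        if word and word.lower() in low:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


class FailedAttemptLimiter:
    """800-63B 5.2.2: no more than 100 consecutive failed attempts per account."""

    def __init__(self, limit: int = 100) -> None:
        self.limit = limit
        self._failures: dict[str, int] = {}

    def record(self, account: str, success: bool) -> None:
        self._failures[account] = 0 if success else self._failures.get(account, 0) + 1

    def locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.limit


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "P@$$w0rd", "Winter2023!", "abcd1234ef", "jsmith2024!!",
               "correct horse battery staple"]:
        ok, why = nist_policy_check(pw, username="jsmith", service="Acme")
        print(f"{pw!r:32} legacy={legacy_policy_ok(pw)!s:5} nist={ok!s:5} ({why})")
```

Run it and the two policies disagree in both directions: "P@ssw0rd" satisfies every complexity box yet is rejected because it is on the breach list, while "correct horse battery staple" fails the legacy rule (no upper-case letter, no digit) and is accepted under the NIST-style check. That is the whole argument of the guideline in two rows of output.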
So, before we all rejoice at not having to change our password every time we get that pesky email from the IT Department, we need to ensure that our entire user identity and access management environment is secure. If you, your IT Department or anyone else has questions regarding these newly updated guidelines, please reach out to the Delap Managed IT Services Team!