How safe are your passwords? Real life rules for businesses to live by

While people applaud easier password guidance from NIST, easier is not better. Here’s what you need to consider when creating a company password policy.


Changes to the National Institute of Standards and Technology (NIST) password guidelines were welcomed as long overdue. Security professionals had criticized the old guidelines, which recommended passwords made up of a mix of numbers, letters and special characters, changed periodically.

When I read the new document, I was surprised that it doesn’t account for very common attacks. In short, the NIST guidance leaves accounts that rely solely upon passwords for authentication, which seems to be the majority of accounts, more vulnerable.

Most of the NIST document focuses not on passwords, but on other authentication mechanisms such as token authentication. Passwords as a sole authenticator are only allowed for low-level accounts. This is generally a risk-based decision, although the reality is that most accounts rely on password-only authentication.

Password strength

Regarding passwords, what has not changed is that easily guessed passwords such as dictionary words are not allowed. The guidelines do state that there should be rate limiting for log-on attempts, to lock out people who attempt brute-force password guessing. However, this is also one of the most annoying password security features, and it locks out legitimate users far more often than it stops attacks.

The major change that everyone is applauding is that special characters should not be required as long as the password is not an easily guessed word. The new guidance also recommends not requiring periodic password changes.

This looks great, as you don’t have to change passwords frequently. While I don’t necessarily bemoan the lack of special characters, I do take exception to the lack of password changes in the absence of additional authentication mechanisms.

Password cracking

So how much of this new guidance will be appropriate for your company’s password policy? To answer that, let’s first look at how accounts are usually compromised. Most authentication attacks appear to result from phishing or from reuse of stolen password files. The theft of credentials from Yahoo! and similar sites resulted in postings of account credentials on the dark web. Criminals then take these credentials and attempt to use them on banking websites, or on companies’ systems if the credentials are tied to corporate accounts. Whether the compromise comes through phishing or stolen credentials, the strength or composition of the compromised password is irrelevant.
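The two controls the article describes, a blocklist that rejects dictionary or previously breached passwords instead of composition rules (the password-strength section) and attempt throttling that slows guessing without permanently locking out a user who mistypes (the rate-limiting point above), as an added Python example that is not from the article or from NIST. The blocklist contents, minimum length and delay values are constructed placeholders; a real deployment would load a large dictionary or breach-derived list.

```python
from dataclasses import dataclass, field

# Constructed sample blocklist standing in for a dictionary / breached-password
# corpus (hypothetical entries; a real list has millions of them).
BLOCKLIST = {"password", "letmein", "qwerty123", "welcome1", "summer2017"}

def password_acceptable(candidate: str, blocklist=BLOCKLIST, min_len: int = 8):
    """NIST-style acceptance: check length and the blocklist, but impose no
    special-character or mixed-case composition requirement."""
    if len(candidate) < min_len:
        return False, "too short"
    normalized = candidate.lower()
    if normalized in blocklist:
        return False, "in blocklist"
    # Users satisfy old composition rules by appending digits or symbols to a
    # dictionary word ("password1!"); strip such a suffix and re-check.
    stripped = normalized.rstrip("0123456789!@#$%^&*")
    if stripped in blocklist:
        return False, "blocklisted word with trivial suffix"
    return True, "ok"

@dataclass
class LoginThrottle:
    """Rate limiting as growing per-account delays rather than a hard lockout:
    a typo costs a legitimate user a few seconds, while an online guessing
    run is slowed to a crawl. The cap bounds the worst-case inconvenience."""
    base_delay: float = 1.0      # seconds of delay after the first failure
    max_delay: float = 300.0     # ceiling on the back-off (constructed value)
    failures: dict = field(default_factory=dict)  # account -> (count, retry_at)

    def allowed(self, account: str, now: float) -> bool:
        _, retry_at = self.failures.get(account, (0, 0.0))
        return now >= retry_at

    def record_failure(self, account: str, now: float) -> float:
        count, _ = self.failures.get(account, (0, 0.0))
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[account] = (count, now + delay)
        return delay  # how long this account must wait before the next try

    def record_success(self, account: str) -> None:
        # A correct login clears the counter, so legitimate users recover.
        self.failures.pop(account, None)
```

The throttle is keyed on the account, which the article notes is where legitimate users get caught; pairing it with a per-source-address limit keeps one attacker from imposing the full cap on a real user.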
