The best password advice right now

Short and crackable vs. long, complex and prone to reuse? The password debate rages on.


Ever since NIST submitted SP 800-63 Digital Identity Guidelines for review a few years ago, the computer security world has been debating the agency's newest recommended password policies, which run starkly contrary to decades of previous advice.

In a nutshell, among other things, NIST now says that policies requiring long, complex, frequently changing passwords put users and their companies at greater risk, because they increase the odds that people will reuse those hard-to-remember passwords across multiple, unrelated security domains, and a compromise of one domain can then more easily lead to a compromise of the other domains where the same password is used.

NIST’s case is backed up by two decades of compromises in which captured logon credentials were reused in other, otherwise unrelated, security domains. I can’t count the number of companies and websites that were compromised because of credentials shared with another location.

But it’s hard to overturn decades of previous best-practice advice, especially when the short passwords that people typically like to use can often be cracked in a few days or less. Longer and more complex passwords, by contrast, will often withstand years of attacks, and certainly will not be broken within the 90 days after which most organizations now require passwords to be changed.
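The trade-off in the paragraph above can be put in rough numbers. The script below is an added example, not code from the article or from KnowBe4; the guess rate, the 95-symbol character set and the 7776-word list are constructed assumptions, and the arithmetic assumes uniformly random choice, which human-chosen passwords rarely achieve.

```python
"""Offline-cracking estimates for the two policy styles the article contrasts."""
import math

SECONDS_PER_DAY = 86_400
ROTATION_DAYS = 90            # the forced-change window the article cites
ASSUMED_GUESS_RATE = 1e10     # guesses/s; assumed figure for a GPU rig attacking
                              # a fast, unsalted hash offline (no lockout applies)
PRINTABLE_ASCII = 95          # assumed: upper, lower, digits, symbols
DICEWARE_WORDS = 7776         # assumed: size of a standard diceware word list


def charset_keyspace(charset_size: int, length: int) -> int:
    """Candidates for a uniformly random password of `length` symbols."""
    return charset_size ** length


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Candidates for `words` words drawn uniformly from a word list.
    A dictionary attack treats each word as one symbol, so the word count,
    not the character count, sets the search space."""
    return dictionary_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def expected_crack_days(keyspace: int, guesses_per_second: float) -> float:
    """Average days to find a uniformly chosen secret by exhaustive search;
    the right candidate turns up halfway through the space on average."""
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_DAY


def survives_rotation(keyspace: int, guesses_per_second: float,
                      rotation_days: int = ROTATION_DAYS) -> bool:
    """True if the expected crack time exceeds the forced-change window."""
    return expected_crack_days(keyspace, guesses_per_second) > rotation_days


def report(label: str, keyspace: int) -> str:
    days = expected_crack_days(keyspace, ASSUMED_GUESS_RATE)
    verdict = "outlives" if survives_rotation(keyspace, ASSUMED_GUESS_RATE) else "falls inside"
    return f"{label}: {entropy_bits(keyspace):.1f} bits, ~{days:,.0f} days, {verdict} the {ROTATION_DAYS}-day window"


if __name__ == "__main__":
    for label, space in [
        ("8 chars, full printable set", charset_keyspace(PRINTABLE_ASCII, 8)),
        ("4-word diceware passphrase", passphrase_keyspace(DICEWARE_WORDS, 4)),
        ("5-word diceware passphrase", passphrase_keyspace(DICEWARE_WORDS, 5)),
        ("20 chars, lowercase only", charset_keyspace(26, 20)),
    ]:
        print(report(label, space))
```

Note that a four-word passphrase has a smaller search space than an eight-character complex password under these assumptions; it is the fifth word, not the mix of symbols, that pushes the expected crack time past the rotation window.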

Adding to the confusion is the fact that none of the major computer security regulations and guidelines, including HIPAA, SOX, PCI-DSS, NERC, and CIS, recommend the newer password policy advice. And as far as I can tell, they don’t plan to anytime soon. So, those who follow computer security guidance are left between a rock and a hard place: follow the NIST guidelines to decrease your risk and you end up with an immediate audit finding any time your environment is reviewed.

It’s just easier to follow the existing regulation and decades-old password advice and call it a day.

Short and crackable vs. long and reused?

It was just this question that I recently debated with my company's Chief Hacking Officer, and the world’s most famous hacker, Kevin Mitnick. Kevin, who has long been a reformed, trustworthy, white-hat hacker, runs a very successful penetration testing company. His own hacking experience tells him that long (although not necessarily complex) passphrases are absolutely key to a good password policy. I was in the other corner, arguing from NIST’s point of view. [Disclaimer: I work for security awareness training provider KnowBe4.]
