7 Unconventional Pieces of Password Wisdom
Challenging common beliefs about best practices in password hygiene.
June 25, 2021
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blta29dacc43585b98d/64f0d2a212090580e8dcf2eb/password3.png?width=700&auto=webp&quality=80&disable=upscale)
The death of the password has long been predicted by hopeful security experts who lament the longstanding issues with the world's oldest authenticator. The truth is that the password is not only alive and kicking, but it still remains the dominant login credential in enterprise settings. Some 70% of organizations rely on a password-centric approach to authentication.
While organizations should definitely try to increase the penetration of multi-factor authentication (MFA) and password-less authenticators across their systems, in the meantime they should do what they can to improve the security of their existing credential systems. One thing to keep in mind is that a lot of new research and guidance in the last few years has changed industry consensus as to the best way of doing this.
The latest iteration of the NIST Digital Identity Guidelines (Special Publication 800-63B), for example, challenged conventional wisdom about password hygiene on several fronts. Read on to glean some of the latest in unconventional wisdom about passwords that cybersecurity leaders should know.
Passwords and password policies sit at the fulcrum of the seesaw between usability and security. As maligned as they are, they remain the main authenticator in the enterprise and beyond because they are very easy to use.
The old-school wisdom is that passwords must be policed for complexity using composition rules that require a certain number of uppercase letters, lowercase letters, numbers, symbols and so on. But recent research shows that these rules have diminishing returns. Password randomization (also known as password entropy) is not all that effective against cracking mechanisms, and people forget random strings of characters and end up using fairly predictable ways to game the system (p4$$w0rd!, anyone?), so these randomization rules aren't doing much anyway.
According to the NIST Digital Identity Guidelines (Special Publication 800-63B), the better bet instead of complexity rules is to screen new passwords on a couple of important fronts before allowing them to pass muster. Conventional wisdom still stands that new and reset passwords should be blacklisted for including dictionary words, repetitive or sequential characters, or context-specific words such as derivations of the name of the service being logged into or the username. Layered on top of that, the latest best practice is to also use mechanisms that compare a potential new password against known corpuses of previously breached credentials, leveraging databases like Have I Been Pwned to do so.
It used to be that regularly expiring passwords were the best way that organizations could think to fight against the rising tide of stolen passwords on the Dark Web. However, consensus has changed on this. If there's no reason to suspect a password has been stolen, then requiring the user to change it up six months later is a lot of unnecessary wheel-spinning. Meanwhile, if there are signs that the credential is already on someone's password dump, then it should ideally be changed immediately.
So, not only does good password hygiene in 2021 require checks against stolen-password corpuses before a new credential is set, but it should also include regular checks of existing passwords. When credentials are flagged, users should be encouraged or required to change their password right away.
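The two practices above (screening a new password for dictionary words, repetitive or sequential characters, context-specific terms and presence in a breach corpus, and then rechecking existing credentials later) fit naturally into one small module. The following is an added example, not code from the article or from NIST or Have I Been Pwned. It assumes a breach-corpus lookup shaped like the Pwned Passwords range API (client sends the first five hex characters of the SHA-1, receives `SUFFIX:COUNT` lines, so the full hash never leaves the client) but replaces the network call with a constructed in-memory table so it runs offline; the word list, usernames and service names are likewise constructed. The login-time recheck exists because stored passwords are (or should be) salted slow hashes that cannot be compared with a SHA-1 breach corpus, so the only moment the plaintext is available for a recheck is a successful login.

```python
import hashlib
import re

# --- Constructed stand-in for a breached-credential corpus (not real data) ---
_CONSTRUCTED_BREACHED = {"p4$$w0rd!": 12, "Password123": 5000, "summer2021": 40}


def _build_fake_ranges(pw_counts):
    """Index constructed breached passwords by SHA-1 prefix, mirroring the
    k-anonymity layout of the Pwned Passwords range API."""
    ranges = {}
    for pw, count in pw_counts.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


FAKE_RANGES = _build_fake_ranges(_CONSTRUCTED_BREACHED)


def fake_range_fetch(prefix):
    """Stand-in for an HTTPS GET of /range/{prefix}; returns the body text.
    A production deployment swaps this for a real client with a timeout."""
    return "\n".join(FAKE_RANGES.get(prefix, []))


def breach_count(password, range_fetch=fake_range_fetch):
    """Number of times the password appears in the corpus (0 = not seen).
    Only the 5-char prefix is sent; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_fetch(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


# --- Screening rules for new or reset passwords ---
MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed
_REPEAT = re.compile(r"(.)\1{2,}")  # three or more identical chars in a row


def has_sequential_run(s, n=4):
    """True if s contains n consecutive chars each one step up or down from
    the previous one, e.g. 'abcd' or '4321'."""
    lower = s.lower()
    for i in range(len(lower) - n + 1):
        window = lower[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def context_terms(username, service):
    """Lowercased username/service plus their fragments (e.g. 'alice' from
    'alice@example.com'); fragments under 3 chars are too noisy to ban."""
    terms = set()
    for t in (username, service):
        if t:
            terms.add(t.lower())
            terms.update(p for p in re.split(r"[@._\-\s]+", t.lower()) if len(p) >= 3)
    return terms


def screen_password(password, username="", service="", range_fetch=fake_range_fetch):
    """Return the list of rejection reasons; an empty list means accept."""
    reasons = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if any(w in lower for w in COMMON_WORDS):
        reasons.append("contains a dictionary/common word")
    if _REPEAT.search(password):
        reasons.append("repetitive characters")
    if has_sequential_run(password):
        reasons.append("sequential characters")
    if any(t in lower for t in context_terms(username, service)):
        reasons.append("contains username or service name")
    n = breach_count(password, range_fetch)
    if n > 0:
        reasons.append(f"found in breach corpus ({n} times)")
    return reasons


def recheck_at_login(user, password, range_fetch=fake_range_fetch):
    """Run after the credential has already verified against the stored hash.
    Flags the account for an immediate reset if the password has since shown
    up in the corpus; returns the flag so the login flow can enforce it."""
    if breach_count(password, range_fetch) > 0:
        user["must_reset"] = True
    return user.get("must_reset", False)
```

The screening function returns every reason rather than the first one so the UI can tell the user what to change; the breach lookup is deliberately last because it is the only rule with an external dependency and a failure there should be logged and surfaced, not silently treated as "not breached".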