Jackson Shaw

Why Relaxing Our Password Policies Might Actually Bolster User Safety

Recent guidance from NIST may seem counterintuitive.

Despite the publicity about breaches, ransomware, and the like, we're still using some pretty dumb passwords. Users typically aim for passwords that are easy to remember for their multiple logins, which they are asked to change frequently. Unfortunately, this has led to too many passwords that are far too easy to hack, causing one of security's biggest headaches.

SplashData posted its sixth annual most common passwords list in February, based on data taken from 5 million leaked emails over the year. Not surprisingly, variations of "password" and "123456" were ranked the top two most commonly used. Other highly used passwords include these:

  • football
  • princess
  • welcome
  • hottie
  • admin

The US National Institute of Standards and Technology (NIST) tackled the problem head on in its recent recommendations, Special Publication 800-63-3: Digital Authentication Guidelines, released in June. Across many of NIST's recommendations you'll spot a common theme: relax some policies — yes, relax, despite breaches being on the rise. I've highlighted a few of NIST's recommendations below and provided my perspective as an identity and access management expert.

Remove Periodic Password Change Requirements
NIST specifically recommends having users create new passwords when they request to do so, or if there is evidence of a compromise. Say what?!

Yes, NIST believes that periodic password changes don't really prevent breaches. However, it also says that passwords should be at least eight characters in length. Ideally, they will be checked against passwords obtained from previous breaches, dictionary words, repetitive or sequential characters (for example, "aaaaaa" and "1234abcd"), and context-specific words, such as the name of the service, the username, and derivatives thereof.

I agree with NIST's recommendation here. Specifically, if an end user creates a sufficiently strong password, why would you make him or her change it frequently? In fact, periodic password changes likely result in less-secure passwords, as frustrated users opt for easy (and insecure) ones, reasoning that they'll have to change them sooner or later anyway. The key is to keep the password strong in the first place; otherwise we risk living with insecure passwords for long periods of time.

Usability Is Important
NIST points out that usability of authentication systems is paramount. If authentication methods aren't easy for end users, then they will work around complexity by writing down passwords and doing things like replacing vowels with numbers (such as "passw0rd" instead of "password"). Hackers have definitely figured this out already. Password policies and strategies have all been geared toward making passwords too complex to remember, and that has resulted in end users working around the complexity, in turn making passwords more insecure.

An executive once told me how he walked around at night flipping over keyboards and finding passwords written on sticky notes. And while old fashioned sticky notes may escape hackers' best efforts, digital documents can't.

Check Passwords Against a Dictionary of Compromised Passwords
Hackers typically will perform dictionary attacks against a target. They'll run through a list of passwords to see which one works. So one additional recommendation is to check a changed password against a database of known, compromised passwords. If the password has been compromised previously (such as "12345" or "StarWars") you can guess the hackers have that in their dictionary.

Personally, I think checking passwords against a dictionary of compromised passwords is the best practice to adopt to ensure that you avoid using one that is commonly hacked.
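To make the screening described above concrete, here is an added Python example (not from the article, NIST, or One Identity) that implements the SP 800-63-style checks the guidance calls for: a minimum length of eight characters, a blocklist of previously breached passwords, detection of repetitive and sequential characters, and rejection of context-specific words such as the service name and username. The blocklist contents and the character-substitution table are constructed for illustration.

```python
import re

# Constructed sample blocklist standing in for a breach-derived corpus
# (real deployments screen against millions of entries from public breach dumps).
BREACHED = {"password", "123456", "football", "princess", "welcome",
            "hottie", "admin", "12345", "starwars", "qwerty"}

# Undo the substitutions users make to satisfy complexity rules ("passw0rd").
LEET = str.maketrans("01345@$", "oieasas")

def normalize(s):
    """Lower-case and reverse common character substitutions."""
    return s.lower().translate(LEET)

def blocklisted(pw):
    """True if the password, or a trivial variant of it, is in the breach list."""
    forms = {pw.lower(), normalize(pw)}
    forms |= {f.rstrip("0123456789!") for f in list(forms)}  # "welcome1!" -> "welcome"
    return bool(forms & BREACHED)

def has_repetition(pw, run=4):
    """True if one character repeats `run` or more times in a row ("aaaaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by one ("1234", "dcba")."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def check_password(pw, username="", service=""):
    """Return the reasons a candidate password fails; an empty list means accept."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if blocklisted(pw):
        reasons.append("found in breached/common password list")
    if has_repetition(pw):
        reasons.append("contains repeated characters")
    if has_sequence(pw):
        reasons.append("contains sequential characters")
    norm = normalize(pw)
    for ctx in (username, service):  # context-specific words and simple derivatives
        c = normalize(ctx)
        if c and (c in norm or c[::-1] in norm):
            reasons.append(f"contains context-specific word '{ctx}'")
    return reasons
```

A rejected password returns every reason it failed, so the user can be told what to fix instead of just "try again".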

Knowledge-Based Authentication Is Out
NIST recommends that knowledge-based authentication (KBA) be discontinued: "Memorized secret verifiers SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., "What was the name of your first pet?") when choosing memorized secrets."

I agree with this guidance as well. With the availability of Facebook and LinkedIn, it is increasingly easy for the bad guys to troll around for answers to things like "What high school did you go to?" or "What city did you meet your spouse in?" (This is especially true for celebrities, who must contend with the fact that all this information is publicly available, making them ridiculously easy to hack.) Questions such as "What's your mother's maiden name?" are also well out of favor now for the same reasons.

I strongly recommend that anyone who has KBA-type questions associated with a system go take a second look at those Q&As to ensure that 1) the questions cannot be answered by looking at your Facebook or LinkedIn profile, and 2) that you update your questions per my previous point and ensure that your answers are still accurate.

Passwords and Beyond
The upshot of this is that in its new guidelines related to authentication and authenticators, NIST has prioritized usability over complexity. NIST is putting the onus on the manufacturers of these systems to do a better job rather than putting it on the end user to remember complex password policies, which inevitably results in passwords being written down or stored in a Word document or Excel spreadsheet — like the infamous Sony breach, during which hackers simply searched through documents with "password" in their titles before stumbling on hundreds of valuable credentials.

Beyond changing these simple password policies, the right strategy when it comes to user authentication is one that is both adaptive and multifactor — one that accounts for human blunders and sophisticated hacks.

I'm looking forward to less rigor related to how often I have to change my password. IT, are you reading this?



Jackson Shaw is senior director of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ...
9/13/2017 | 3:29:36 PM
Equifax Website in Argentina
Was held secure by the totally unique and innovative user-password combo of " admin \ admin " !!!!
9/12/2017 | 3:23:32 PM
Re: My password advice
True to the extent that hobby interests are revealed on social media.  Still a better choice and if I could mentally manage a random password generator (they exist) === great.  I suppose a good code to use would be an MD5 HASH of a file!!!!!  Let somebody try to crack that one AS LONG AS THE FILE ITSELF is not advertised.
9/12/2017 | 2:48:33 PM
Re: My password advice
The problem with using hobbies is the same problem with using any other personal information: it's not at all hard to figure out for most people and actually as easy to hack as any of the standard security questions. Hobbies are one of the things people share most on social, especially on sites like Pinterest and Instagram that are practically custom built for sharing hobbies. Any bad actor targeting someone can scan someone's social feed for hobbies, and they'd also be included in any breach dumps for purchase on the black market.

The most secure passwords have no connection to our personal lives.
9/12/2017 | 11:00:08 AM
My password advice
Hard to figure out - easy to remember, right?  So "erwnhgkjnwkj21" is not a good choice.  People have one universal weird interest -  HOBBIES - things we like and enjoy that we NEVER FORGET as individuals.  So I urge my password recommendation to be a combination of 2 hobby terms and a weird character between them.  Almost impossible to hack and easy for the user to remember.  Easy to sequence too. 
9/12/2017 | 3:17:03 AM
The UK Government recommended similar policies in January 2016
The UK government recommendations for passwords https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach have a lot of similarities to those in this article.
9/11/2017 | 5:40:16 PM
Excellent advice all around - here's a trick I use for KBA
Thanks for this great article. I'm glad NIST is leading the way on this.

My biggest complaint about well-meaning security policies is exactly what you're saying here: they're so damn complex and annoying that they actually encourage bad password practices. Stop the madness!

One trick I use (besides a password manager) is regarding KBA. As you say, most of the answers to security questions can be found on social media or simple web searches. My solution? Fake it. I created a fictional "life" and use that information. You only needed a few pieces of information (stored securely in an encrypted password manager lest you forget): male & female name (for any person variant), car model, two wild cards (one for city/school/street and one for school mascot/pet/etc.), and perhaps one random word for more obscure questions. Make them memorable but wholly unrelated to your life and I think it's a pretty secure alternative if you need to create these security questions. If you use a password manager you could even go a step further and use unique fake answers for each account. You might get a free tin foil hat for doing that. :)

Hopefully MFA will become ubiquitous very soon and make even this little trick obsolete.