Jackson Shaw
Why Relaxing Our Password Policies Might Actually Bolster User Safety

Recent guidance from NIST may seem counterintuitive.

Despite the publicity about breaches, ransomware, and the like, we're still using some pretty dumb passwords. Users typically aim for passwords that are easy to remember for their multiple logins, which they are asked to change frequently. Unfortunately, this has led to too many passwords that are far too easy to hack, causing one of security's biggest headaches.

SplashData posted its sixth annual most common passwords list in February, based on data taken from 5 million leaked emails over the year. Not surprisingly, variations of "password" and "123456" were ranked the top two most commonly used. Other highly used passwords include these:

  • football
  • princess
  • welcome
  • hottie
  • admin

The US National Institute for Standards and Technology (NIST) faced the problem head on in its recent recommendations, Special Publication 800-63-3: Digital Authentication Guidelines, released in June. Look through NIST's recommendations and you'll spot a recurring theme: relax some policies — yes, relax, despite breaches being on the rise. I've highlighted a few of NIST's recommendations below and provided my perspective as an identity and access management expert.

Remove Periodic Password Change Requirements
NIST specifically recommends having users create new passwords when they request to do so, or if there is evidence of a compromise. Say what?!

Yes, NIST believes that periodic password changes don't really prevent breaches. However, it also says that passwords should be at least eight characters in length. Ideally, they will be checked against passwords obtained from previous breaches, dictionary words, repetitive or sequential characters (for example, "aaaaaa" and "1234abcd"), and context-specific words, such as the name of the service, the username, and derivatives thereof.

I agree with NIST's recommendation here. Specifically, if an end user creates a sufficiently strong password, then why would you make him or her change it frequently? In fact, periodic password changes likely result in less-secure passwords, as frustrated users opt for easy (and insecure) ones, reasoning that they'll have to change them sooner or later anyway. The key here is to keep the password complex; otherwise we risk having insecure passwords in place for long periods of time.

Usability Is Important
NIST points out that usability of authentication systems is paramount. If authentication methods aren't easy for end users, then they will work around complexity by writing down passwords and doing things like replacing vowels with numbers (such as "passw0rd" instead of "password"). Hackers have definitely figured this out already. Password policies and strategies have all been geared toward making passwords too complex to remember, and that has resulted in end users working around the complexity, in turn making passwords more insecure.

An executive once told me how he walked around at night flipping over keyboards and finding passwords written on sticky notes. And while old fashioned sticky notes may escape hackers' best efforts, digital documents can't.

Check Passwords Against a Dictionary of Compromised Passwords
Hackers typically perform dictionary attacks against a target: they run through a list of passwords to see which one works. So one additional recommendation is to check a changed password against a database of known, compromised passwords. If the password has been compromised previously (such as "12345" or "StarWars"), you can assume the hackers already have it in their dictionary.

Personally, I think checking passwords against a dictionary of compromised passwords is the best practice to adopt to ensure that you avoid using one that is commonly hacked.
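As an added illustration (not code from the article or from NIST), here is a password verifier that applies the checks the two sections above describe: the eight-character minimum, a compromised-password blocklist (also catching "passw0rd"-style substitutions), repetitive or sequential runs such as "aaaaaa" and "1234abcd", and context-specific words derived from the service name and username. The blocklist is a small constructed stand-in for a breach-derived corpus, and the service/username values are assumed inputs.

```python
import re

# Constructed blocklist standing in for a breach-derived corpus (the SplashData
# entries the article names); real deployments load millions of breached entries.
COMPROMISED = {"password", "123456", "football", "princess", "welcome",
               "hottie", "admin", "12345", "starwars"}
MIN_LENGTH = 8
# Undo the vowel-for-digit tricks users reach for ("passw0rd" -> "password").
LEET = str.maketrans("013@$", "oleas")

def _repetitive_or_sequential(pw, run=4):
    """True if pw holds a run of one repeated character ("aaaa") or a
    straight ascending/descending run ("1234", "abcd", "dcba")."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas in ({1}, {-1}):
            return True
    return False

def _context_words(service, username):
    """Service name, username and their simple derivatives (split on
    non-alphanumerics); very short fragments are ignored."""
    words = set()
    for src in (service, username):
        src = src.lower()
        words.add(src)
        words.update(re.findall(r"[a-z0-9]+", src))
    return sorted(w for w in words if len(w) >= 3)

def check_password(pw, service, username):
    """Return the reasons a memorized secret should be rejected under the
    checks described above; an empty list means it is acceptable."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if low in COMPROMISED or low.translate(LEET) in COMPROMISED:
        reasons.append("appears in compromised-password list")
    if _repetitive_or_sequential(pw):
        reasons.append("contains repetitive or sequential characters")
    for w in _context_words(service, username):
        if w in low:
            reasons.append("contains context-specific word %r" % w)
            break
    return reasons
```

Note that the checks reject passwords for the reasons NIST lists rather than for missing character classes, which is the policy shift the article describes.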

Knowledge-Based Authentication Is Out
NIST recommends that knowledge-based authentication (KBA) be discontinued: "Memorized secret verifiers SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., "What was the name of your first pet?") when choosing memorized secrets."

I agree with this guidance as well. With the availability of Facebook and LinkedIn, it is increasingly easy for the bad guys to troll around for answers to things like "What high school did you go to?" or "What city did you meet your spouse in?" (This is especially true for celebrities, who must contend with the fact that all this information is publicly available, making them ridiculously easy to hack.) Questions such as "What's your mother's maiden name?" are also well out of favor now for the same reasons.

I strongly recommend that anyone who has KBA-type questions associated with a system go take a second look at those Q&As to ensure that 1) the questions cannot be answered by looking at your Facebook or LinkedIn profile, and 2) that you update your questions per my previous point and ensure that your answers are still accurate.

Passwords and Beyond
The upshot of this is that in its new guidelines related to authentication and authenticators, NIST has prioritized usability over complexity. NIST is putting the onus on the manufacturers of these systems to do a better job rather than putting it on the end user to remember complex password policies, which inevitably results in passwords being written down or stored in a Word document or Excel spreadsheet — like the infamous Sony breach, during which hackers simply searched through documents with "password" in their titles before stumbling on hundreds of valuable credentials.

Beyond changing these simple password policies, the right strategy when it comes to user authentication is one that is both adaptive and multifactor — one that accounts for human blunders and sophisticated hacks.

I'm looking forward to less rigor related to how often I have to change my password. IT, are you reading this?

Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ...

User Rank: Strategist
9/11/2017 | 5:40:16 PM
Excellent advice all around - here's a trick I use for KBA
Thanks for this great article. I'm glad NIST is leading the way on this.

My biggest complaint about well-meaning security policies is exactly what you're saying here: they're so damn complex and annoying that they actually encourage bad password practices. Stop the madness!

One trick I use (besides a password manager) is regarding KBA. As you say, most of the answers to security questions can be found on social media or simple web searches. My solution? Fake it. I created a fictional "life" and use that information. You only needed a few pieces of information (stored securely in an encrypted password manager lest you forget): male & female name (for any person variant), car model, two wild cards (one for city/school/street and one for school mascot/pet/etc.), and perhaps one random word for more obscure questions. Make them memorable but wholly unrelated to your life and I think it's a pretty secure alternative if you need to create these security questions. If you use a password manager you could even go a step further and use unique fake answers for each account. You might get a free tin foil hat for doing that. :)

Hopefully MFA will become ubiquitous very soon and make even this little trick obsolete.
User Rank: Ninja
9/12/2017 | 11:00:08 AM
My password advice
Hard to figure out - easy to remember, right?  So "erwnhgkjnwkj21" is not a good choice.  People have one universal weird interest -  HOBBIES - things we like and enjoy that we NEVER FORGET as individuals.  So I urge my password recommendation to be a combination of 2 hobby terms and a weird character between them.  Almost impossible to hack and easy for the user to remember.  Easy to sequence too. 
User Rank: Strategist
9/12/2017 | 2:48:33 PM
Re: My password advice
The problem with using hobbies is the same problem with using any other personal information: it's not at all hard to figure out for most people and actually as easy to hack as any of the standard security questions. Hobbies are one of the things people share most on social, especially on sites like Pinterest and Instagram that are practically custom built for sharing hobbies. Any bad actor targeting someone can scan someone's social feed for hobbies, and they'd also be included in any breach dumps for purchase on the black market.

The most secure passwords have no connection to our personal lives.
User Rank: Ninja
9/12/2017 | 3:23:32 PM
Re: My password advice
True to the extent that hobby interests are revealed on social media.  Still a better choice and if I could mentally manage a random password generator (they exist) === great.  I suppose a good code to use would be an MD5 HASH of a file!!!!!  Let somebody try to crack that one AS LONG AS THE FILE ITSELF is not advertised.
User Rank: Ninja
9/13/2017 | 3:29:36 PM
Equifax Website in Argentina
Was held secure by the totally unique and innovative user-password combo of " admin \ admin " !!!!
User Rank: Apprentice
9/12/2017 | 3:17:03 AM
The UK Government recommended similar policies in January 2016
The UK government recommendations for passwords https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach have a lot of similarities to those in this article.
User Rank: Strategist
9/26/2017 | 2:56:05 PM
Great Article, passed this one to Security
They want to lock down everything and lock it down with the multifactor authentication.  Easier passwords would be better and probably more security with this approach.  I don't use anything resembling my life, just passing obscure merchandise sitting on my desk.  Those come and go more frequently than the password change.
User Rank: Ninja
9/26/2017 | 3:47:16 PM
Re: Great Article, passed this one to Security
Like it or not, 2 factor authentication is the future and it should be used NOW!!!