Poor password hygiene by employees and customers continues to be a major factor in data breaches, particularly as the cost of compute power falls making brute force attacks easier. Which is why 16-character passwords mixed with capitals, numbers and special characters is the recommended security best practice. Some organizations also encourage staff to at least once a year change their passwords.
But that has led to complaints about having to memorize complex strings.
Now the U.S. National Institute for Standards and Technology (NIST) is recommending a policy which may solve the problem: Allowing long passphrases.
Aa part of a draft guideline on authentication and lifecycle management released this week the agency suggests CISOs consider permitting the use of phrases up to 64 characters, and not necessarily including caps, numbers or special characters.
“Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization,” says the paper.
Not only that, passphrases shouldn’t need to be changed periodically, unless there’s evidence of a compromise or the user asks.
It could work, says a Canadian cyber security expert. “I generally agree with the notion that a longer password doesn’t necessarily need (frequent) rotation,” said Nicholas Johnston, Toronto-based vice-president of global eDiscovery, digital forensics and information security at Duff & Phelps, a corporate finance consultancy headquartered in New York.
“A very long password (or passphrase in this instance) is far less likely to succumb to a brute-force attack which was one of the initial inspirations for requiring password rotation. However, if we adopt long passphrases but don’t get out of the bad password re-use habit (i.e. using the same password for many sites and services) it will still present a risk. If one of the sites that uses your super long passphrase gets breached, you would have to go change all your passwords. Password rotation would mitigate that risk somewhat. A better control is just to have a different password for each site/service and use something like a password manager to keep track of them.”
Most security pros already say passwords should be long and complex, said Merritt Maxim, an identity and access management analyst at Forrester Research. He pointed as an example to Stanford University’s student and faculty guide (which manages to be simple and colourful. See it here.) So for Maxim, NIST’s recommendation already follows password best practices.
However, he added, “deployments of this approach will be constrained for the user experience and resulting supporting costs.”
NIST hasn’t formally approved the recommendation yet and is still taking comments.
Any change to password length will depend on the ability of a login or application to accept longer strings. And long passphrases doesn’t negate the importance of two-factor authentication, which mitigates against stolen passwords.