Friday, June 18, 2021

Allow users to choose long passphrases for passwords, NIST proposes

Poor password hygiene by employees and customers continues to be a major factor in data breaches, particularly as the falling cost of compute power makes brute-force attacks easier. That is why 16-character passwords mixing capitals, numbers and special characters are the recommended security best practice. Some organizations also encourage staff to change their passwords at least once a year.

But that has led to complaints about having to memorize complex strings.

Now the U.S. National Institute for Standards and Technology (NIST) is recommending a policy that may solve the problem: allowing long passphrases.

As part of a draft guideline on authentication and lifecycle management released this week, the agency suggests CISOs consider permitting the use of phrases up to 64 characters, not necessarily including caps, numbers or special characters.

“Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization,” says the paper.

Not only that, passphrases shouldn’t need to be changed periodically, unless there’s evidence of a compromise or the user asks.

It could work, says a Canadian cyber security expert. “I generally agree with the notion that a longer password doesn’t necessarily need (frequent) rotation,” said Nicholas Johnston, Toronto-based vice-president of global eDiscovery, digital forensics and information security at Duff & Phelps, a corporate finance consultancy headquartered in New York.

“A very long password (or passphrase in this instance) is far less likely to succumb to a brute-force attack which was one of the initial inspirations for requiring password rotation. However, if we adopt long passphrases but don’t get out of the bad password re-use habit (i.e. using the same password for many sites and services) it will still present a risk. If one of the sites that uses your super long passphrase gets breached, you would have to go change all your passwords. Password rotation would mitigate that risk somewhat. A better control is just to have a different password for each site/service and use something like a password manager to keep track of them.”

Most security pros already say passwords should be long and complex, said Merritt Maxim, an identity and access management analyst at Forrester Research. He pointed as an example to Stanford University’s student and faculty guide, which manages to be simple and colourful. So for Maxim, NIST’s recommendation already follows password best practices.

However, he added, “deployments of this approach will be constrained for the user experience and resulting supporting costs.”

NIST hasn’t formally approved the recommendation yet and is still taking comments.

Any change to password length will depend on the ability of a login page or application to accept longer strings. And long passphrases don’t negate the importance of two-factor authentication, which mitigates the risk of stolen passwords.
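To make the draft policy concrete, here is an added example (not code from NIST or from this article) of an acceptance check that follows the rules the article describes: phrases up to 64 characters, any characters including spaces, no composition rules, rotation only on evidence of compromise or a user request, and a storage path that accepts the full string without truncation. The 8-character floor, the NFKC normalisation step and the breach-list sample are assumptions, not from the article.

```python
import hashlib
import unicodedata

MAX_LEN = 64  # upper bound the article quotes from the draft guideline
MIN_LEN = 8   # assumption: the article states no minimum; 8 is used here as a floor

# Constructed sample of compromised values; a real deployment would screen
# against a breach corpus (assumption, not from the article).
KNOWN_BREACHED = {"password", "123456", "correct horse"}


def check_passphrase(secret: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length is counted in characters, not bytes,
    so spaces and non-ASCII letters are allowed and each counts once."""
    secret = unicodedata.normalize("NFKC", secret)  # assumption: normalise first
    n = len(secret)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    if secret.lower() in KNOWN_BREACHED:
        return False, "appears in a breach list"
    # Deliberately no rule about capitals, digits or special characters.
    return True, "ok"


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted scrypt hash for storage. scrypt consumes the whole input, so a
    64-character passphrase is never silently cut short."""
    secret = unicodedata.normalize("NFKC", secret)
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def rotation_required(compromise_evidence: bool, user_requested: bool) -> bool:
    """Rotation follows evidence or a user request, not the calendar: the
    secret's age is deliberately not an input."""
    return compromise_evidence or user_requested


if __name__ == "__main__":
    phrase = "the quick brown fox jumps over the lazy dog near a riverbank"
    print(check_passphrase(phrase))
    print(hash_secret(phrase, b"constructed-salt").hex())
```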

Howard Solomon