Strong passwords serve as a security wall between your valuable data and people who wish to do your organization harm. Those who work for companies where policy dictates that they be changed regularly — three to six month intervals between changes are customary — understand the onerous requirements that can come with frequent password changes and the complications they can cause. Additionally, rules that involve complex passwords rife with numbers, random capitalization and special characters can lead to passwords that are anything but memorable.
Due to security culture, these practices have long been considered necessary to the health and security of a business. However, a new report from NIST says that these measures may not be necessary when the right mitigating factors are in place. They no longer recommend periodic forced password changes. Additionally, they also do not recommend mandatory complexities when asking users to choose a password to replace the old one.
Who Is NIST and Why Do They Set the Standard?
If you are in IT, you already know the answer to this question and can skip to the next section. If you aren’t, some familiarity with this organization and their role can give you more of an idea why they publish guidelines and why their guidelines are the industry standard.
The National Institute of Standards and Technology (NIST) was founded over 100 years ago to give a competitive edge to American industry. At the time of its creation, an insufficient measurement infrastructure was threatening the quality of U.S. inventions and allowing us to fall behind economic rivals such as Germany and the UK. NIST was established by Congress and is now part of the U.S. Department of Commerce.
Technology is the backbone of products that range from basics like computer chips to novel creations like self-driving cars. These technologies must be 100% reliable to ensure safety and performance.
NIST measurements and recommendations provide a framework to ensure quality and consistency. They are tested and periodically revised as new information becomes available so that we are always working with the best possible best practices.
Why IT Departments Require Regular Password Changes
Regular password changes have been standard practice for a lot of reasons that are linked to good, strong security.
While employees are always instructed never to share their passwords with other people, we need to balance that edict with the fact that employees are human. A manager may surreptitiously share a password to give a team member quick access to a file while the manager is out of the office. An administrative assistant may have a hard time managing the many passwords she is obligated to remember and may keep a physical or virtual list of them in a place that isn’t secure enough. In industries with high turnover, passwords besides an employee’s own may periodically leave with them when they go.
Sometimes workers are unaware of risks to their organization and share information without realizing they’ve created a vulnerability. According to a report from NUIX, fully 84% of cyber attacks employ social engineering as part of their attack strategy. Getting access to a password is often part of that.
Frequent password changes mean that existing vulnerabilities are sealed as a matter of regular habit. As part of the process, IT will regularly review account permission and make sure that only currently authorized users have access. However, the constant necessity to remember new and complex passwords can, paradoxically, introduce behaviors that make your organization less secure.
Reasons That They Can Cause More Harm Than Good
The more often users need to change passwords, the more likely they are to resort to bad passwords. They may choose simpler ones just so that they can remember them. They may use the same passwords for multiple accounts; when this happens, you aren’t just exposed to your own organization’s vulnerabilities, but the vulnerabilities of every place the employee uses the password in question.
Users who are forced to use highly complex passwords and change them often are far more likely to use unauthorized workarounds like the password list mentioned above, a master password keeper in software form or even a sticky note pasted in plain sight. This is part of the reason that an audit of your password setting and management practices is an integral part of penetration testing.
Frequent password changes also put additional pressure on the IT department in a number of ways. Those periodic reviews take time that could be better used. Workers in your department are likely to spend a lot of time helping users get into accounts because the worker has lost or forgotten a current password.
Security Changes to Find a Balance
NIST is not suggesting that organizations simply abandon their password change practices. They recommend that this practice go hand in hand with a range of mitigating activities that can make your organization’s security stronger, often providing more protection than frequent password changes alone.
A few of the recommendations:
- Establish and formalize Authenticator Assurance Levels (AALs).
These are practices that spell out what authenticators are used and what events will trigger the end of a lifecycle for an authenticator, such as password loss or theft. It also suggests parameters for different AAL levels. More vital data is stored at higher AAL levels to balance security and ease.
- Educate employees about risks.
Teach them about social engineering techniques and situational awareness to ensure that there is less risk of passwords getting into the hands of people who want to do harm. Establish rules against practices like clicking links in email messages or clicking a URL that contains an unexpected hostname.
- Use authenticators with high entropy output.
If the system locks up after a handful of tries, the threat is over as soon as someone engaged in a practice like online guessing has tried to penetrate it.
- Let users choose their own passwords and expand password length.
This can allow them to choose something that is long (which adds strength) and also intuitive to them (which makes it easier to remember). The science and technology comic XKCD once recommended long strings of random words that can be easy to remember but hard to crack. Passphrases in place of passwords can also be effective.
The full list contains a range of practices that can help keep your organization far safer without sacrificing productivity or the sanity of your most vital team members.
We work with organizations like yours to find unexpected holes in your security and help find ways to combat them. Call us at 215-675-1400 or request a quote to speak with a consultant. We’ll work with you to help you identify the balance that is the right fit for your organization.
