I rarely go to a conference where I don’t hear someone doling out “good” password policy advice. You know, the password policy includes:
- Eight to 12 characters long as a minimum; extremely long passphrases are better
- Must be complex and include at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols)
- Change every 90 days or fewer
- Enable account lockouts for bad passwords, five bad attempts or fewer
Except that it’s wrong. It’s old advice. It was never “good” password policy. Looking at the data, people and companies that follow this advice are likely increasing their computer security risk, not lessening it. Unfortunately, the desire to stay in compliance with outdated regulatory requirements means that most companies and individuals will be compelled to follow this old, outdated and wrong advice for years to come. It’s a sad state of affairs.
What is today’s good password policy advice?
Starting a decade ago or so, a few computer security scientists decided to look at the data to see if the traditional password security advice that had been recommended for decades was actually effective. One of my favorite computer security scientists is Microsoft Principal Researcher Dr. Cormac Herley. He has probably written more about how bad the old password policy advice is than anyone. He’s not a fan of much of today’s long-held, but untested computer security advice. As he said in my 2017 book, Hacking the Hacker:
You might have a model of how you think 2 billion users will behave, but 2 billion users will respond the way they are going to respond regardless of your model. You can hope that it happens the same way, but you have to measure what happens to see if there is any resemblance to what you said would happen in your model. And if your model is wrong, change it.
Dr. Herley looked at the data and tested how well the traditional advice stacked up in today’s hacker world. His conclusion, along with many others, was that the traditional advice was bad advice, and they used data and how today’s hackers hack to come up with better password policy advice. The culmination of these password experts' work was updated password policy guidance from the National Institute of Standards and Technology (NIST). NIST sets the computer security standards for the U.S. government and military computers, and by doing so, sets the standards for most of the world’s computers.
NIST issued its updated password policy advice in the form of “Digital Identity Guidelines”, the most important of which is NIST Special Publication 800-63-3, released in final form in June 2017. In the related guideline documents, NIST essentially says that you should be using multifactor authentication (MFA) instead of passwords, but if you’re going to be using single-factor authentication passwords, here are the new, better recommendations:
- Enable two-factor authentication (2FA) where you can. Passwords are great, but 2FA is better.
- A password should be eight characters or longer, but it doesn’t have to be super long.
- Character complexity is no longer a requirement, but does not hurt.
- Should not contain common or easy-to-guess passwords (like your name or password123).
- There is no need to change your password unless you think it’s been compromised.
- Never re-use the same password on other sites.
- Developers, consider using dynamic authentication, where changes in user behavior, location, or devices initiate additional authentication checks.
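To make the difference between the two bullet lists concrete, here is an added example (not code from the article, NIST, or any product) that implements the old rule set from the top of the page beside a NIST SP 800-63B-style check. The common-password list, the username, and the service name `examplecorp` are constructed placeholders; a real verifier would load a large breached-password corpus. The check for repetitive or sequential runs and for context-specific words (username, service name) goes beyond the bullets above and is taken from NIST SP 800-63B section 5.1.1.2. The upper length bound of 128 is an assumption; NIST only asks verifiers to allow at least 64 characters.

```python
"""Old complexity-based password policy versus a NIST SP 800-63B-style check."""

# Constructed stand-in for a list of commonly used / compromised passwords.
# A real deployment loads a large breached-password corpus here.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "password1!", "123456", "12345678",
    "qwerty", "letmein", "welcome1", "iloveyou", "admin123",
}

SERVICE_NAME = "examplecorp"  # hypothetical service name (assumption)
MIN_LENGTH = 8                # NIST: verifiers SHALL require at least 8 characters
MAX_LENGTH = 128              # assumption; NIST asks verifiers to permit at least 64


def old_policy_accepts(password: str) -> bool:
    """Traditional rule set: 8+ characters and at least three of four character
    classes. Note that it never asks whether the password is common or breached."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols, including space
    ]
    return sum(classes) >= 3


def _has_repetitive_or_sequential(password: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all the same ('aaaa') or strictly
    ascending by code point ('1234', 'abcd'), case-insensitively."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def new_policy_check(password: str, username: str) -> tuple[bool, str]:
    """NIST SP 800-63B-style acceptance check.

    Enforces length and a blocklist of common, compromised and context-specific
    values. Deliberately imposes no composition (character-class) rule and no
    expiry; rotation is expected only on suspected compromise.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on the common/compromised password list"
    if username.lower() in lowered or SERVICE_NAME in lowered:
        return False, "contains the username or service name"
    if _has_repetitive_or_sequential(password):
        return False, "contains a repetitive or sequential run"
    return True, "accepted"


def compare_policies(password: str, username: str) -> dict:
    """Return both verdicts for one candidate so the divergence is visible."""
    ok, reason = new_policy_check(password, username)
    return {"old_policy": old_policy_accepts(password), "new_policy": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed candidates; the first satisfies every old rule yet is a well-known
    # breached value, the second fails the old complexity rule but is a strong passphrase.
    for candidate in ("Password1!", "correct horse battery staple", "alice2020!x", "abcd-efgh"):
        print(f"{candidate!r}: {compare_policies(candidate, 'alice')}")
```

The point to take away is the first two candidates: the complexity rule waves through `Password1!` because it ticks four character-class boxes, while the blocklist rejects it; the lowercase passphrase fails the old rule on composition alone and is accepted by the new one because length and absence from the blocklist are what the guidance actually asks for.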
That’s it. That’s the new advice! It’s revolutionary in most circles. Passwords don’t have to be long or complex, and almost never need to be changed. This goes against what we’ve all been taught for a long time. Again, I still hear the old advice at computer security conferences. I hear it from people on panels sitting beside me. I want to correct everyone, publicly, but that's hard to do without insulting your friends, co-workers, and leaders. It’s not their fault. They just don’t know.
Lately, I’ve taken to speaking up about it. I try to do it as politely as I can, trying not to shame the other person for not knowing. You would be surprised, though, by how many people actually know about the newer password policy guidelines but simply cannot believe them and keep repeating the older advice. Habits can be hard to break.
Is compliance hurting us?
Worse yet, even though the new password policy guidelines have been the “rule of the land” for a year now, I don’t know of a single legislatively required regulatory guideline (e.g., HIPAA, SOX, or PCI-DSS) that doesn’t still require the old password policies. I don’t know of a single auditing regime or program that doesn’t require, often by law, the older, worse password guidelines.
Administrators and users are stuck in a hard place. Follow the old policies and your company is more at risk for successful malicious hacking. Follow the new advice and fail an audit, and have everyone in your company above you yell at you.
I want to tell you to talk to your auditors and management and send them NIST’s newer password guidelines, but the truth is that they aren’t really going to care. All they are going to care about is whether you help get a “check mark” of success on a compliance audit. If you try to implement the new password policies, you are likely to be going it alone, against a hurricane of criticism and complaints. If you cause an audit exception or lack of compliance finding, you could be disciplined or fired. The best or the smartest among us basically have to accept that they will be knowing, but silent.
When will regulations change?
If you want to do something, write the bodies in charge of the legal regulations that control your industry. Educate them and ask them when they plan to update their required guidelines. Do the same to your internal and external auditing teams, and to IT management. Now is the time — it’s been a year — to start asking for the outdated password policy guidelines to be updated.
All auditing and regulatory bodies need to ask themselves if they are responsive enough to cybersecurity guidelines changes. Do they have policies and procedures, easy to find and follow, for members to initiate changes? Hackers and malware can change in seconds. How long do we have to wait until our controlling regulations and laws get updated after we find better advice?
If we don’t make our audit and regulatory bodies more responsive, aren’t we always going to have compliance eroding our security in one way or another?
This is a call to arms. Go fight the good fight!