How much do you know about passwords? You might believe password authentication is old hat, and that you already know the best practices for implementing passwords. After all, we’ve heard password hygiene messages for years, right?
But unless you’ve updated your knowledge recently, you might be in for surprises.
The National Institute of Standards and Technology released Special Publication 800-63B: Digital Identity Guidelines — the newest set of guidelines — in mid-2017. Contained within this lengthy government document are dramatic changes in the way the security community thinks about password security. Let’s take a look at a few prevailing opinions about password security and decide whether they are fact or fallacy under this revised guidance.
Fallacy: Users Should Be Forced to Change Passwords Regularly
“Change your password every 180 days (or sooner).”
That’s the mantra security teams have preached for decades. Most colleges implemented password expiration policies that forced students, faculty and staff to change their passwords on a scheduled basis. Those prompts were the bane of end users, who needed to memorize new passwords, and support teams, who had to field complaints about the policy and help users who forgot their new passwords.
This guidance is now old news. NIST’s current recommendation is that organizations should no longer require users to change passwords on a schedule. The thinking is that forced rotation encourages other bad practices, such as writing down passwords or reusing passwords across security domains. Institutions should only force a change when they have reason to believe a user’s password has been compromised.
Fact: Multifactor Authentication Reduces Password Risks
Multifactor authentication techniques dramatically enhance the security of the login process by requiring that users not only memorize passwords, but also prove that they have possession of a physical item (such as an authentication token) or submit to biometric scanning (such as fingerprint recognition).
MFA goes hand in hand with removing password change requirements, since it reduces the usefulness of a stolen password. An attacker who gains access to a user’s password won’t be able to successfully impersonate that user without also defeating the second factor. Stealing a smartphone from a user’s pocket is a far more aggressive undertaking than phishing a password.
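To make the point concrete, here is an added example (not code from the article or from NIST) of a login check that requires both the password and a time-based one-time code from an enrolled device. It implements RFC 6238 TOTP on top of RFC 4226 HOTP with only the Python standard library; the user record, the PBKDF2 parameters and the seed value (the RFC 6238 test-vector seed) are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def _hash_password(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value for the example.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


# Constructed user record (assumed schema). The TOTP seed is the "something you have"
# factor enrolled on the user's phone or hardware token.
_SALT = os.urandom(16)
USER_DB = {
    "jdoe": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector seed, used here as sample data
    }
}


def verify_login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must succeed; a stolen password alone is not enough."""
    user = USER_DB.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30-second window and one on either side to absorb clock drift.
    counter = now // 30
    code_ok = code.isascii() and any(
        hmac.compare_digest(hotp(user["totp_seed"], c), code)
        for c in (counter - 1, counter, counter + 1)
    )
    # Evaluate both factors before returning so a failure does not reveal which one was wrong.
    return pw_ok and code_ok


if __name__ == "__main__":
    seed = USER_DB["jdoe"]["totp_seed"]
    print("correct password + current code:", verify_login("jdoe", "correct horse battery staple", totp(seed, 59), 59))
    print("correct password + wrong code:  ", verify_login("jdoe", "correct horse battery staple", "000000", 59))
    print("phished password, no device:    ", verify_login("jdoe", "wrong password", totp(seed, 59), 59))
```

The `totp` function can be checked against the published RFC 6238 vectors (the seed above at time 59 yields 94287082, of which the last six digits are the six-digit code), which is a useful sanity test before wiring any TOTP verifier into a real login path.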
Colleges that have not already deployed MFA across all their sensitive systems should do so immediately. The prevalence of password-based attacks against institutions of higher education requires urgent action. For evidence, look no further than the cyberattacks that hit the admissions systems of three liberal arts colleges in March 2019. Those attacks could have been easily prevented by the use of MFA technology.
Fallacy: Organizations Should Require Complex Passwords
In addition to requiring users to change their passwords, institutions have traditionally required users to follow strict password complexity requirements. Typically, these required both uppercase and lowercase letters in conjunction with a digit and/or symbol.
83 percent: the percentage of internet users who reuse passwords on multiple websites. (Source: Cyclonis, “Password Security Report: 83% of Users Surveyed Use the Same Password for Multiple Sites,” July 13, 2018)
This policy had the good intention of increasing the number of possible passwords. Yet it also had the unintended side effect of prompting users to simply cycle through a series of passwords that met the letter but not the spirit of the policy. Most campus cybersecurity professionals would probably not be shocked to learn that senior administrators were defeating password complexity and change requirements with passwords such as “MikeFall2018!” and “MikeSpring2019!” Passwords like these satisfy the complexity rules, but they are also quite predictable.
NIST’s current guidance is that institutions set a minimum password length of eight characters but adopt no other complexity requirements. NIST also recommends that institutions avoid any actions that might inhibit the use of strong passwords. For example, colleges should ensure that their systems permit the use of passwords up to 64 characters in length and the use of all printable ASCII characters, as well as spaces.
Fact: Screening Against Compromised Passwords Is Good Security
While schools should not impose strict complexity requirements on user passwords, they absolutely should ensure that users don’t use passwords that are commonly used in password spray attacks. In these attacks, the adversary uses a list of common passwords and cycles through them, hoping to stumble upon an active username and password combination.
NIST recommends that organizations prevent users from selecting a password that:
- Has appeared in password dumps from previous breaches at other organizations
- Consists entirely of dictionary words or minor variations on dictionary words (such as replacing the letter O with the numeral 0)
- Contains repetitive sequences of characters, such as abcdefg or aaaa1111
- Contains contextual information, such as the name of the college, service or user account
Screening passwords against these lists may introduce a little user frustration, but it’s common sense. After all, if a password is already in the public domain, there’s nothing preventing an attacker from discovering it.
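The length rules above and the four screening criteria in the list translate directly into a small policy check. The following is an added example, not code from the article or from NIST: a screener that enforces the 8-character floor, accepts everything printable (spaces and Unicode included, with no composition rules), and rejects breached, dictionary-derived, repetitive or sequential, and context-specific passwords. The breach list, word list, institution and service names, and leet-substitution table are tiny constructed samples; a deployment would replace them with a real breach corpus and dictionary.

```python
import re

# Policy constants (assumed for this example). SP 800-63B sets the 8-character floor
# and requires that passwords of at least 64 characters be accepted.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed sample data; production systems use a breach corpus and a real word list.
BREACHED = {"password", "123456", "qwerty123", "letmein1", "summer2019"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "sunshine", "fall", "spring"}
CONTEXT_WORDS = ("example college", "examplecollege", "campus portal")  # assumed institution/service names

# Substitutions that turn a word into a "minor variation" (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _core_letters(pw: str) -> str:
    """Strip appended digits/symbols, undo leet substitutions and keep only letters."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return re.sub(r"[^a-z]", "", stripped.lower().translate(LEET))


def _segmentable(s: str) -> bool:
    """True if s can be split entirely into dictionary words (simple DP over prefixes)."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in DICTIONARY for j in range(i))
    return bool(s) and ok[len(s)]


def _is_dictionary(pw: str) -> bool:
    return _segmentable(_core_letters(pw))


def _is_repetitive(pw: str) -> bool:
    """Catches aaaa/1111 and straight runs such as abcd or 4321 (four or more characters)."""
    if re.search(r"(.)\1{3,}", pw):
        return True
    s = pw.lower()
    run, prev_step = 1, 0
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        if run >= 4:
            return True
    return False


def _has_context(pw: str, username: str) -> bool:
    """Rejects the institution, service or account name appearing anywhere in the password."""
    words = list(CONTEXT_WORDS)
    if username:
        words.append(username.lower().split("@")[0])  # local part of an e-mail style login
    hay = pw.lower()
    return any(len(w) >= 3 and w in hay for w in words)


def screen_password(pw: str, username: str = "") -> list:
    """Return the list of reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in pw):
        reasons.append("contains control characters")
    # No composition rules: every printable character, spaces and Unicode included, is fine.
    if pw in BREACHED or pw.lower() in BREACHED:
        reasons.append("appears in a breach corpus")
    if _is_dictionary(pw):
        reasons.append("is a dictionary word or minor variation")
    if _is_repetitive(pw):
        reasons.append("contains repetitive or sequential characters")
    if _has_context(pw, username):
        reasons.append("contains the institution, service or account name")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd", "aaaa1111", "Summer2019", "jdoe rules 2024"]:
        print(repr(candidate), "->", screen_password(candidate, "jdoe@example.edu") or "accepted")
```

Checking a candidate against a full breach corpus should not ship the plaintext anywhere; comparing a hash of the candidate against a locally held hashed list (or a range-query service such as the Pwned Passwords API, which takes only a hash prefix) keeps the user's choice private while still answering the question the list above asks.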
These password security guidelines mark a turning point in the world of user authentication. They challenge conventional wisdom and question long-standing cybersecurity practices. Colleges and universities seeking to modernize their cybersecurity programs should consider adopting these practices now.