This policy had the good intention of increasing the number of possible passwords. It also had the unintended side effect of prompting users to cycle through a series of passwords that met the letter but not the spirit of the policy. Most campus cybersecurity professionals would probably not be shocked to learn that senior administrators were defeating password complexity and change requirements with passwords such as “MikeFall2018!” and “MikeSpring2019!” Passwords like these satisfy every complexity rule, yet an attacker who knows the user’s first name and the current season can guess them in a handful of attempts.
NIST’s current guidance (SP 800-63B) is that institutions require a minimum length of eight characters for user-chosen passwords but impose no other composition rules. NIST also recommends that institutions avoid anything that might inhibit the use of strong passwords. For example, colleges should ensure that their systems accept passwords of at least 64 characters and all printable ASCII characters, including the space character, and that they never silently truncate what the user types.
Fact: Screening Against Compromised Passwords Is Good Security
While schools should not impose strict composition rules on user passwords, they absolutely should ensure that users don’t pick the passwords that appear on the lists used in password spray attacks. In a spray, the adversary takes a short list of common passwords and tries each one against a large number of accounts, staying under the lockout threshold for any single account, in the hope that at least one user has chosen one of them.
NIST recommends that organizations prevent users from selecting a password that:
- Has appeared in password dumps from previous breaches at other organizations
- Consists entirely of dictionary words or minor variations on dictionary words (such as replacing the letter O with the numeral 0)
- Contains repetitive or sequential characters, such as abcdefg or aaaa1111
- Contains contextual information, such as the name of the college, service or user account
Screening passwords against these lists may introduce a little user frustration, but it’s common sense. After all, if a password is already circulating in a public breach dump, it is one of the first guesses an attacker will try.
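As an added example (not code from the article or from NIST), here is a Python screener that applies the length rules described earlier and the four blocklist checks in the list above. The breach corpus, dictionary, leet-substitution map, 128-character cap and two-word dictionary threshold are constructed samples and local choices, not values the article or NIST specifies; a real deployment would load full lists, and would usually check breached passwords with a k-anonymity range query against a Pwned Passwords style service rather than a local set.

```python
"""Password screening along the lines of NIST SP 800-63B, section 5.1.1.2.

Added example, not code from the article. The breach corpus, dictionary,
leet map and thresholds below are constructed samples and local choices.
"""
import hashlib
import re
import unicodedata

MIN_LENGTH = 8     # NIST floor for user-chosen passwords
MAX_LENGTH = 128   # local cap (assumption); NIST requires accepting at least 64

# Constructed breach sample. Only SHA-1 digests are kept, so the plaintext list
# never has to live on the authentication server.
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty123", "Fall2018!", "Welcome1"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BREACHED_PLAINTEXT}

# Constructed mini-dictionary; load a real word list in practice.
DICTIONARY = {"password", "summer", "spring", "fall", "winter", "letmein", "welcome", "dragon"}

# Substitutions undone before the dictionary lookup, so "Spr1ng" becomes "spring".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _min_dictionary_words(letters, words, max_word=12):
    """Smallest number of dictionary words that exactly cover `letters` (inf if none)."""
    inf = float("inf")
    best = [inf] * (len(letters) + 1)
    best[0] = 0
    for i in range(1, len(letters) + 1):
        for j in range(max(0, i - max_word), i):
            if best[j] < inf and letters[j:i] in words:
                best[i] = min(best[i], best[j] + 1)
    return best[-1]


def _is_dictionary_based(pw):
    """True if the password is one or two dictionary words with minor decoration.

    Leading/trailing digits and symbols are stripped ("Spring2019!" -> "Spring"),
    leet substitutions are undone, and the remaining letters must be covered by
    at most two dictionary words. The two-word cap (a local choice) keeps long
    multi-word passphrases, which NIST encourages, from being rejected.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    letters = re.sub(r"[^a-z]", "", core.lower().translate(LEET_MAP))
    return bool(letters) and _min_dictionary_words(letters, DICTIONARY) <= 2


def _has_repetitive_or_sequential(pw, run=4):
    """True if any `run` consecutive characters repeat, step by one, or walk a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:                                   # "aaaa"
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:                           # "abcd", "4321"
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True                                              # "qwer", "poiu"
    return False


def _contains_context(pw, context):
    """True if the password contains a context term (institution, service, account) of 3+ characters."""
    haystacks = (pw.lower(), pw.lower().translate(LEET_MAP))
    for term in context:
        for word in re.findall(r"[A-Za-z0-9]+", term):
            if len(word) >= 3 and any(word.lower() in h for h in haystacks):
                return True
    return False


def screen_password(password, context=()):
    """Return the reasons the password is rejected; an empty list means accepted.

    `context` carries names the password must not contain, e.g. the username,
    the institution and the service being protected.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")
    # Spaces and all printable characters are allowed; only control characters are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in password):
        reasons.append("control characters")
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    if _is_dictionary_based(password):
        reasons.append("dictionary")
    if _has_repetitive_or_sequential(password):
        reasons.append("repetitive or sequential")
    if _contains_context(password, context):
        reasons.append("contextual")
    return reasons


if __name__ == "__main__":
    ctx = ("Mike", "Example College", "portal")   # constructed context terms
    for candidate in ("MikeFall2018!", "P@ssw0rd123!", "aaaa1111", "Fall2018!",
                      "correct horse battery staple"):
        verdict = screen_password(candidate, ctx) or ["accepted"]
        print(f"{candidate!r:34} -> {', '.join(verdict)}")
```

Running the file prints a verdict for each sample candidate. Note how “MikeFall2018!” clears the breach, dictionary and sequence checks and is caught only by the contextual rule, which is why the username and institution name should be passed in for every check rather than relying on a generic list alone. The multi-word passphrase with spaces is accepted, as the length guidance intends.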
These password security guidelines mark a turning point in the world of user authentication. They challenge conventional wisdom and question long-standing cybersecurity practices. Colleges and universities seeking to modernize their cybersecurity programs should consider adopting these practices now.