MFA goes hand in hand with removing password change requirements because it reduces the usefulness of a stolen password. An attacker who gains access to a user’s password won’t be able to successfully impersonate that user without also defeating the secondary authentication technique.
Schools that have not already deployed MFA across all their sensitive systems should consider doing so now. While it may not be necessary to protect student accounts with MFA, it is entirely reasonable and appropriate to do so for faculty and staff. Last year, a high school student in Concord, Calif., launched a phishing attack against his teachers and successfully stole their passwords, using them to change his grades. Attacks like this are easily prevented through the use of MFA.
Fallacy: Organizations Should Impose Complexity Requirements
In addition to requiring users to change their passwords, schools have traditionally required users to follow strict password complexity requirements. Typically, these require both uppercase and lowercase letters in conjunction with a numeral and/or symbol.
This policy has the good intention of increasing the number of possible passwords. Yet it also has the unintended side effect of prompting users to simply cycle through a series of passwords that meet the letter but not the spirit of the policy. Most K–12 IT professionals would probably not be shocked to learn that teachers and principals were defeating password complexity and change requirements with passwords such as “MikeFall2018!” and “MikeSpring2019!” Passwords like these satisfy the complexity rules, but they are also quite predictable.
NIST’s current guidance is that schools and other organizations set a minimum password length of eight characters but adopt no other complexity requirements. NIST also recommends organizations avoid any actions that might inhibit the use of strong passwords. For example, schools should ensure their systems permit the use of passwords up to 64 characters in length and the use of all printable ASCII characters, as well as spaces.
Fact: Screening Against Compromised Passwords Is Good Security
While schools should not impose strict complexity requirements on users’ passwords, they absolutely should ensure users don’t employ passwords that are commonly used in password spray attacks. In these attacks, the adversary uses a list of common passwords and cycles through them, hoping to stumble upon an active username and password combination.
NIST recommends that organizations prevent users from selecting a password that:
- Has appeared in password dumps from previous breaches at other organizations
- Consists entirely of dictionary words or minor variations on dictionary words (such as replacing the letter O with the numeral 0)
- Contains repetitive sequences of characters, such as “abcdefg” or “aaaa1111”
- Contains contextual information, such as the name of the college, service or user account
Screening passwords against these lists may introduce a little user frustration, but it’s common sense. After all, if a password is already in the public domain, there’s nothing preventing an attacker from discovering it.
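The following Python routine is an added illustration, not code from the article or from NIST, of what a screening check built on the guidance above looks like in practice: it enforces the eight-to-64-character length window and printable-ASCII-plus-space character set from the complexity section, and then applies the four blocklist rules (breach corpus, dictionary words with minor substitutions, repeated or sequential characters, contextual terms). The breach hashes, the tiny dictionary and the school-name terms are constructed sample data; a real deployment would load a full breach corpus (stored as SHA-1 hashes, the format breach-list downloads commonly use) and a real word list from files.

```python
"""Password screening in the spirit of NIST SP 800-63B.

Added example; all lists below are constructed sample data, not real corpora.
"""
import hashlib
import re
import string

MIN_LEN, MAX_LEN = 8, 64
# Printable ASCII (0x20-0x7E): letters, digits, punctuation and the space.
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")


def sha1_hex(pw: str) -> str:
    """Breach corpora are usually distributed as upper-case SHA-1 hex digests."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (hashes only, never plaintext).
BREACHED_SHA1 = {sha1_hex(p) for p in ("password1", "qwerty123", "MikeFall2018!")}
# Constructed stand-in for a dictionary file.
DICTIONARY = {"password", "welcome", "summer", "football", "school", "mike", "fall"}
# Hypothetical school identifiers a deployment would configure.
CONTEXT_TERMS = ("concord", "lincoln")

# Undo the "minor variations" NIST mentions (0 for O, 3 for E, $ for S, ...).
LEET = str.maketrans("0134$@!57", "oleasaist")


def normalize(pw: str) -> str:
    """Lower-case, map symbol-for-letter swaps back, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def all_dictionary_words(s: str) -> bool:
    """True if s can be split entirely into dictionary words (prefix DP)."""
    if not s:
        return False
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in DICTIONARY for j in range(i))
    return ok[len(s)]


def has_repetition_or_sequence(pw: str, run: int = 4) -> bool:
    """Catches 'aaaa', 'abcabcabc' and runs like 'abcd' or '4321'."""
    if re.search(r"(.+?)\1{2,}", pw):  # any unit repeated three or more times
        return True
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[k + 1] - codes[k] for k in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):  # strictly ascending or descending code points
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not set(pw) <= ALLOWED:
        reasons.append("only printable ASCII characters (including space) are allowed")
    if sha1_hex(pw) in BREACHED_SHA1:
        reasons.append("appears in a known breach corpus")
    if all_dictionary_words(normalize(pw)):
        reasons.append("consists entirely of dictionary words or trivial variations")
    if has_repetition_or_sequence(pw):
        reasons.append("contains repeated or sequential characters")
    low = pw.lower()
    context = [t for t in CONTEXT_TERMS if t in low]
    if len(username) >= 3 and username.lower() in low:
        context.append(username)
    if context:
        reasons.append("contains contextual information: " + ", ".join(context))
    return reasons


if __name__ == "__main__":
    for candidate, user in [("MikeFall2018!", "mike"), ("P@ssw0rd", ""),
                            ("abcdefg1", ""), ("correct horse battery staple", "")]:
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Two design points worth noting. The breach check compares hashes rather than plaintext so the corpus itself never becomes a plaintext password list on the authentication server. And the dictionary rule, applied literally to a large word list, will also reject multi-word passphrases, which NIST otherwise encourages; deployments that want passphrases typically restrict that rule to shorter passwords or to single-word matches.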
These password security guidelines mark a turning point in the world of user authentication. They challenge conventional wisdom and question long-standing cybersecurity practices. Schools seeking to modernize their cybersecurity programs should consider adopting these practices now.