Security

Fact or Fallacy: Stay Up to Date on the Best Practices for Password Security

Experts no longer recommend automatic password changes that may lead to poor security habits.

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.

How much do you know about passwords? You might believe password authentication is old hat, and that you already know the best practices for implementing them. After all, we’ve heard password hygiene messages for years, right?

But unless you’ve updated your knowledge recently, you might be in for a few surprises.

The National Institute of Standards and Technology released Special Publication 800-63B: Digital Identity Guidelines — the newest set of guidelines — in mid-2017. Contained within this lengthy government document are dramatic changes in the way the security community thinks about passwords. Take a look at a few prevailing opinions about password security and see whether they are fact or fallacy under this revised guidance.

Fallacy: Users Should Be Forced to Change Passwords Regularly

“Change your password every 180 days (or sooner).”

That’s the mantra security teams have preached for decades. Most K–12 systems have policies that allow students to retain their passwords indefinitely but require faculty and staff to change their passwords periodically. Those prompts are the bane of teachers and administrators alike, who must memorize new passwords, and IT staff, who have to field complaints about the policy and help users who forget their new passwords.

This guidance is now old news. NIST’s current recommendation is that organizations should no longer require users to change passwords. The thinking is that this encourages other bad practices, such as writing down passwords or reusing passwords across security domains. Schools should only force a change when they have reason to believe a user’s password has been compromised.

Fact: Multifactor Authentication Reduces Password Risks

Multifactor authentication techniques dramatically enhance the security of the login process by requiring that users not only memorize passwords, but also prove that they have possession of a physical item (such as an authentication token) or submit to biometric scanning (such as fingerprint recognition).

83%

The percentage of internet users who reuse passwords on multiple websites

Source: cyclonis.com, “Password Security Report: 83% of Users Surveyed Use the Same Password for Multiple Sites,” July 13, 2018

MFA goes hand in hand with removing password change requirements because it reduces the usefulness of a stolen password. An attacker who gains access to a user’s password won’t be able to successfully impersonate that user without also defeating the secondary authentication technique.

Schools that have not already deployed MFA across all their sensitive systems should consider doing so now. While it may not be necessary to protect student accounts with MFA, it is entirely reasonable and appropriate to do so for faculty and staff. Last year, a high school student in Concord, Calif., launched a phishing attack against his teachers and successfully stole their passwords, using them to change his grades. Attacks like this are easily prevented through the use of MFA.

Fallacy: Organizations Should Impose Complexity Requirements

In addition to requiring users to change their passwords, schools have traditionally required users to follow strict password complexity requirements. Typically, these require both upper case and lower case letters in conjunction with a numeral and/or symbol.

This policy has the good intention of increasing the number of possible passwords. Yet it also has the unintended side effect of prompting users to simply cycle through a series of passwords that meet the letter but not the spirit of the policy. Most K–12 IT professionals would probably not be shocked to learn that teachers and principals were defeating password complexity and change requirements with passwords such as “MikeFall2018!” and “MikeSpring2019!” Passwords like these hit the prerequisites of password complexity, but they are also quite predictable.

NIST’s current guidance is that schools and other organizations set a minimum password length of eight characters but adopt no other complexity requirements. NIST also recommends organizations avoid any actions that might inhibit the use of strong passwords. For example, schools should ensure their systems permit the use of passwords up to 64 characters in length and the use of all printable ASCII characters, as well as spaces.

Fact: Screening Against Compromised Passwords Is Good Security

While schools should not impose strict complexity requirements on users’ passwords, they absolutely should ensure users don’t employ passwords that are commonly used in password spray attacks. In these attacks, the adversary uses a list of common passwords and cycles through them, hoping to stumble upon an active username and password combination.

NIST recommends that organizations prevent users from selecting a password that:

Has appeared in password dumps from previous breaches at other organizations
Consists entirely of dictionary words or minor variations on dictionary words (such as replacing the letter O with the numeral 0)
Contains repetitive sequences of characters, such as “abcdefg” or “aaaa1111”
Contains contextual information, such as the name of the college, service or user account

Screening passwords against these lists may introduce a little user frustration, but it’s common sense. After all, if a password is already in the public domain, there’s nothing preventing an attacker from discovering it.

These password security guidelines mark a turning point in the world of user authentication. They challenge conventional wisdom and question long-standing cybersecurity practices. Schools seeking to modernize their cybersecurity programs should consider adopting these practices now.

Urupong/Getty Images