New Password Guidelines Balance Security and Ease of Use

In October 2020, a Dutch security researcher claimed he was able to access President Trump’s Twitter account by guessing the password, “maga2020!”, after only six tries. Victor Gevers said that after he alerted U.S. cybersecurity officials, the password was changed and two-factor authentication was added to the account.

The alleged hack is just another reminder that traditional password practices are broken. For the fourth consecutive year, Verizon’s annual Data Breach Investigations Report finds that more than 80 percent of hacking-related breaches involve brute-forced, lost or stolen credentials.

To address the issue, the National Institute of Standards and Technology (NIST) has substantially revised the password management guidelines that had been accepted as industry standards for years. Many of the changes are designed to eliminate cumbersome and complex rules that place an excessive burden on users without making attacks harder.

Unintended Consequences

In Special Publication 800-63B (Digital Identity Guidelines), NIST reversed itself on several longstanding practices. Two of the more surprising changes drop the requirements for composition rules (mandatory mixes of character classes) and for periodic password resets. Years of research suggest that these two requirements were producing a range of unintended consequences because they fail to account for basic human behavior.

Conventional wisdom held that strong passwords featuring a random mix of special characters and upper- and lower-case letters were essential for thwarting brute-force attacks meant to guess the correct credentials. However, it turns out that users are quite predictable in the ways they satisfy such rules. For example, people commonly substitute the number “3” for the letter “e” and the character “@” for the letter “a,” or, as in the case of the president’s Twitter password, simply append an exclamation point or a year. Cracking tools apply exactly these substitutions as mangling rules to every word in a dictionary, so “P@ssw0rd!” falls almost as quickly as “password.”

NIST now favors long passphrases: simple sentences that are easy for users to remember but hard for attackers to guess. Sentences naturally include upper- and lower-case letters, spaces and punctuation, so the guidelines say verifiers should accept all printable ASCII characters, the space character and Unicode. Length, not complexity, is treated as the main measure of strength: a password must be at least 8 characters, and verifiers should permit passwords of at least 64 characters rather than capping them lower. Just as important, every new or changed password must be screened against a list of values known to be commonly used, expected or compromised, so that “maga2020!” is rejected whether or not it satisfies a composition rule.

Password Overload

Regular mandatory password resets were also considered a best practice. There was almost unanimous agreement within the industry that users should create new and unique passwords for every account every 60 or 90 days. However, that can quickly become an unmanageable requirement considering the number of personal and professional accounts that people use today. A 2019 study from LastPass found that the average small business employee has 85 unique passwords — more than most of us can easily remember. That number is likely greater now that more people are working from home, where they need even more passwords than usual to access an array of company resources, applications, websites and cloud services.

Now, NIST says verifiers should not require passwords to be changed on a schedule, but must force a change when there is evidence that a password has been compromised. The agency notes that frequent resets only encourage users to create simple passwords that are easy to remember, and therefore easy to guess, or to make trivial edits to the old one. Password overload also encourages reuse across multiple accounts or services, which exposes organizations to credential stuffing attacks, in which username and password pairs leaked from one service are replayed against many others.

With most data breaches linked to compromised user credentials, it is clear that conventional password practices no longer provide sufficient security. Old policies requiring users to adopt increasingly complex passwords and change them frequently have not worked, and in many cases have led users to cut corners.