There were some lively conversations at our annual conference regarding password security and rules. The National Institute of Standards and Technology (NIST) recently released new Digital Identity Guidelines (SP 800-63B), and password complexity is addressed directly. NIST recommends that composition (complexity) requirements be removed because they create a false sense of security: complex rules make passwords harder to remember without making them much harder to guess, and the effort spent forcing users to comply appears to be wasted.
Hmmm… Well MOREnet’s Cyber Security Operations Team (MCSOT) has a bit of a different slant on all of that, mainly due to the organizations that we support. You can read the full NIST Digital Identity Guidelines, but let’s break out some of the key components of the recommendations and arguments.
- NIST recommends removing all complexity rules, noting that most users satisfy them predictably, for example by adding a ‘1’ or ‘!’ to the beginning or end of an otherwise weak password, so the rule adds little real strength.
- MCSOT recommends complexity by using a combination of upper and lower case letters, numbers and special characters.
- NIST no longer recommends periodic (scheduled) password resets; a password should be changed only when there is evidence it has been compromised. Forced rotation tends to leave users with less secure passwords.
- MCSOT agrees that forced resets can produce insecure passwords: users simply move a letter around, add a number or character, and so on. Attackers know these patterns, so an attacker who already has a user’s old password can guess the new one easily. Group Policy settings (password history, minimum length) can help control this weakness, although history enforcement alone does not catch a one-character change.
- NIST recommends a minimum length of eight characters for user-chosen passwords.
- MCSOT recommends at least a 15 character minimum.
- NIST guidelines take the position that easier, more convenient password requirements make it more likely that people will actually follow good practice.
- MCSOT recommends a continuous security education program to build awareness in end users so that they can better protect themselves and the organization.
- NIST does not recommend password hints or knowledge-based questions (“What was the name of your first pet?”) as part of authentication.
- MCSOT agrees. The answers to such questions are easily discovered or researched. Two factor authentication, which requires a code or a biometric in addition to the password, is desirable.
In summary, MOREnet Cyber Security Operations Team recommends that passwords be replaced by PASSPHRASES. Longer is stronger. Include complexity components and, if possible, implement two factor authentication. Block the ability for users to choose common passwords (NIST agrees on this point: candidate passwords should be checked against a list of commonly used or compromised values). Keep in mind the access that the users will have. The more valuable the information (personally identifiable information, health records or financial information), the more targeted that user may be.
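To make the recommendations above concrete, here is an added example (not MOREnet’s or NIST’s code) of the checks a password-change handler can run: the 15-character minimum, the three-of-four character class rule, a blocklist lookup that strips the ‘1’ / ‘!’ decoration and leet substitutions users add to a common word, and a similarity check that rejects trivial edits of the previous password. The blocklist, the similarity threshold and the sample passwords are constructed for this example; a real verifier would load a large list of breached and common passwords instead.

```python
import string
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed, deliberately tiny blocklist for this example. A real verifier
# should check candidates against a large list of common and breached
# passwords, as NIST SP 800-63B calls for.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "iloveyou",
    "monkey", "dragon", "football", "baseball", "sunshine",
}

MIN_LENGTH = 15        # MCSOT's recommendation (NIST's floor is 8)
MAX_SIMILARITY = 0.8   # hypothetical threshold; tune for your environment

# Common symbol-for-letter substitutions, undone before the blocklist lookup
# so that "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("@$03", "asoe")


def normalize(password: str) -> str:
    """Lowercase, strip the '1' / '!' style decoration users add to the
    ends of a password, and undo common leet substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def is_common(password: str) -> bool:
    """True if the password, or its undecorated form, is on the blocklist."""
    return (password.lower() in COMMON_PASSWORDS
            or normalize(password) in COMMON_PASSWORDS)


def has_complexity(password: str) -> bool:
    """MCSOT-style rule: at least three of the four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def too_similar(candidate: str, previous: Optional[str]) -> bool:
    """Reject trivial edits of the old password (Summer2023! -> Summer2024!,
    a moved or appended character), which an attacker holding the old
    password will try first. Requires the old plaintext at change time,
    which is normally available since the user proves it to change it."""
    if previous is None:
        return False
    a, b = candidate.lower(), previous.lower()
    if normalize(a) == normalize(b):
        return True
    return SequenceMatcher(None, a, b).ratio() > MAX_SIMILARITY


def check_password(candidate: str, previous: Optional[str] = None,
                   require_complexity: bool = True) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if is_common(candidate):
        problems.append("common")
    if require_complexity and not has_complexity(candidate):
        problems.append("complexity")
    if too_similar(candidate, previous):
        problems.append("similar")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (candidate, previous password or None).
    samples = [
        ("Password1!", None),
        ("P@ssw0rd2024!!", None),
        ("Summer2024Welcome!", "Summer2023Welcome!"),
        ("Correct Horse Battery Staple 2017!", None),
    ]
    for pw, old in samples:
        print(f"{pw!r}: {check_password(pw, old) or 'OK'}")
```

The blocklist lookup is the part that matters most: a raw comparison would pass “P@ssw0rd2024!!” while the normalized lookup rejects it, and the similarity check catches the Summer2023 to Summer2024 rotation that forced resets tend to produce. Setting require_complexity to False gives the NIST-style policy (length and blocklist only) for comparison.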
You can read more in these articles: