New normal: Today's best practices for passwords

By Richard Harpur

Password best practices are well-known, but are they really best? Over the past few decades, most companies have implemented what they consider to be fundamental password criteria. These generally include:   

  • Ensuring complex passwords composed of numeric, alphabetic (uppercase and lowercase) characters in addition to special symbols and similar characters
  • Forcing users to change passwords regularly 
  • Requiring new passwords not previously used by the user

These guidelines are so widely accepted that we see requirements like those in the Payment Card Industry Data Security Standard (PCI DSS) specify passwords should be changed every 90 days. 

But as with all mature technology policies, it’s important to stand back from time to time and evaluate if said policy makes sense in a changing environment. This is exactly what the National Institute for Standards and Technology (NIST) has done for password guidelines. 

We’re due to unlearn some of the best practices we have become accustomed to for decades and apply a new normal to password management practices. 

NIST recently published a revised set of Digital Identity guidelines. Within these guidelines, the institute outlines what it considers good practice for passwords today. We won’t cover all four volumes of the NIST publication, but I strongly recommend you review the additional guidelines linked at the bottom of this post.

Let’s have a look as some of the commonly implemented password security practices, and compare with the NIST’s updated recommendations. 


Complex isn’t necessarily strong

It seems like forever that we’ve been forced to pick passwords which contain a variation of numeric characters, upper and lowercase letters and special characters to make a password complex. However, NIST has stated this doesn’t lead to stronger passwords, and the practice should be replaced by more dynamic support for password selection. 

NIST recommends that organizations support users in selecting better passwords by checking chosen passwords against known leaked breach data and known weak passwords.

It’s difficult to argue that this exercise is impossible to implement with the abundance of breached data available on the Internet. The availability of tools such as HashCat and similar password testing tools makes a quality check for password selection fairly easy. 

We can see now that some vendors are making this advice even easier to implement by integration such functionality into their products. Microsoft, for instance, has added a "Risky Login" flag for users who login to their Azure Active Directory using leaked credentials.


The longer the better, and permit cut & paste

We’ve all come across examples where your password could be no longer that 8 or 10 characters in length. This can be seen in some of the larger organizations globally, no doubt because of restrictions with legacy systems. 

NIST is clear in its recommendations for password length. It suggests that passwords of at least 64 characters should be allowed. Furthermore, the use of password managers should be encouraged and supported by ensuring users can paste into password data entry fields. Bizarrely, some sites currently prevent users from pasting their passwords into form fields, thereby breaking the automated use of password managers. 


Password hints are passé

A popular trend to recover forgotten passwords is allowing users to reset passwords if they successfully answer a hint question like the make of their first car or their favorite teacher. 

The quality of hint questions can often leave a lot to be desired. Poor levels of entropy combined with all the personal data now shared on social media weakens the use of password hints. NIST advises us to stop using hint questions as a means to help users recover account access.


Regular changes no more

Finally, NIST has deprecated the widely-adopted practice of regularly changing your password in case hackers have information without your knowledge.  

The argument against this practice lies with the human trait to select a password sequence or pattern to ease the workload of remembering passwords. So what a user tends to do is add a number or other incremental character at the end of their current password and increment it each time they are forced to change their password. This makes for a weak password and NIST is no longer recommending this practice.  

In review: What can you do to improve your organization’s password approach?

Perform password testing

If you can’t perform in-line password checks as users generate or change their passwords, then be sure to provide very regular password strength checking. Run tools such as Hashcat and identify weak passwords and for users the change all weak passwords. Look for new functionality in your user account management system as some vendors are stating to integrate this functionality.

Stop forcing the regular changing of passwords 

Changing passwords should be undertaken when a user suspects their password is no longer a secret. In normal course of events, passwords should no longer be regularly changed. 

Update your systems to support new best practices 

Ensure your systems support 64 character passwords, and allows pasting into form fields for passwords (and usernames). Drop forced composition rules in favor of longer passwords.

NIST links

SP 800-63 Digital Identity Guidelines 

SP 800-63A Enrollment and Identity Proofing 

SP 800-63B Authentication and Lifecycle Management 

SP 800-63C Federation and Assertions 

About the author

Richard Harpur is a highly experienced technology leader with a remarkable career ranging from software development, project management through to C-level roles as CEO, CIO, and CISO. Richard is highly rated and ranked in Ireland's top 100 CIOs. As an author for Pluralsight - a leader in online training for technology professionals - Richard's courses are highly-rated in the Pluralsight library and focus on teaching critical skills in cybersecurity including ISO27001 and Ransomware. As a Certified Information Security Manager (CISM) Richard is ideally positioned and passionate about sharing his extensive knowledge and experience to empower others to be successful. Richard also writes extensively on technology and security leadership and regularly speaks at conferences. When he is not writing for his blog Richard enjoys hiking with his wife and 4 children in County Kerry, the tourist capital of Ireland. You can reach Richard on twitter @rharpur.