NIST has spoken, and we could not be more excited. For years the security community has inflicted one of the most painful behaviors of all on ordinary users: the dreaded complex password. We have watched many times in horror as security researchers made fun of ordinary computer users for choosing simple passwords, calling out hacked password databases and bemoaning what is wrong with the world. In reality, these very same people should have taken the time to look in the mirror and see what they were inflicting on others.
Strong passwords are so simple! All you need is 12 characters, one upper-case character, one lower-case character, one number, one symbol and nothing known about you. Then change all your passwords every ninety days. Oh, did we mention that you must have a unique, complex password for every account and never, never write it down? How could it be any simpler?
For years people and organizations such as Per Thorsheim and his PasswordsCon conference, Dr. Cormac Herley, Dr. Angela Sasse and the UK National Cyber Security Centre have fought against this. Finally these painful behaviors have been put to rest by NIST in its official publication SP 800-63-3, Digital Identity Guidelines. While it is a rather large series of documents, the password guidance (NIST calls passwords "memorized secrets") is concentrated in SP 800-63B, sections 5.1.1.1 and 5.1.1.2, and Appendix A. Long story short, NIST states:
- Complexity is dead; focus on password length. Stop inflicting painful complexity requirements. Instead, long live the passphrase.
- Time for password expiration to die. Only change passwords if you are concerned they may have been compromised.
- Systems should support the use of password managers.
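To make the first and third points concrete, here is an added example (not code from the SANS post, from NIST or from any vendor) that puts the legacy 12-character complexity policy mocked above beside a length-first check written to the memorized-secret rules in SP 800-63B. The blocklist is a small constructed sample: section 5.1.1.2 of 800-63B also requires verifiers to reject commonly used or compromised values, and that check, not a symbol-count rule, is what keeps a length-only policy safe. The candidate passwords are constructed too.

```python
"""Legacy complexity check vs. a NIST SP 800-63B-style check for memorized secrets.

Added example for this post; it is not code from SANS or NIST. The blocklist is a
small constructed sample standing in for a real breached-password corpus.
"""
import re
import unicodedata

# The legacy policy mocked above: 12+ characters, upper, lower, digit, symbol.
LEGACY_RULES = [
    (re.compile(r"^.{12,}$", re.S), "at least 12 characters"),
    (re.compile(r"[A-Z]"), "an upper-case letter"),
    (re.compile(r"[a-z]"), "a lower-case letter"),
    (re.compile(r"[0-9]"), "a digit"),
    (re.compile(r"[^A-Za-z0-9]"), "a symbol"),
]


def legacy_check(password: str) -> list[str]:
    """Return the unmet complexity rules; an empty list means the password is accepted."""
    return [rule for rx, rule in LEGACY_RULES if not rx.search(password)]


# Constructed stand-in for the list of "commonly-used, expected, or compromised"
# values that SP 800-63B 5.1.1.2 says verifiers SHALL reject. Production code would
# consult a large breached-password corpus instead. Entries are stored lower-case.
SAMPLE_BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1",
    "summer2017!!", "winter2017!!", "changeme", "iloveyou",
}

MIN_LENGTH = 8    # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 256  # 800-63B: SHALL accept at least 64 characters; more lets managers work


def nist_check(password: str, blocklist=SAMPLE_BLOCKLIST) -> list[str]:
    """Return the problems with a proposed password under a length-first policy.

    No composition rules, no truncation, spaces and non-ASCII characters accepted.
    Unicode is normalised (NFKC) before the length and blocklist comparison, as
    800-63B recommends, so the same visible string is always judged the same way.
    """
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if normalized.casefold() in blocklist:
        problems.append("matches a commonly used or compromised password")
    return problems


def evaluate(password: str) -> dict:
    """Summarise how each policy treats one candidate password."""
    return {
        "legacy_accepts": not legacy_check(password),
        "nist_accepts": not nist_check(password),
        "legacy_problems": legacy_check(password),
        "nist_problems": nist_check(password),
    }


# Constructed candidates: the first satisfies every complexity rule yet is a
# predictable, blocklisted pattern; the next two are long passphrases that
# complexity rules reject; the last fails both policies.
CANDIDATES = [
    "Summer2017!!",                     # passes legacy, rejected by NIST blocklist
    "correct horse battery staple",     # passphrase: fails legacy, passes NIST
    "пароль длиннее восьми знаков",     # non-ASCII passphrase: fails legacy, passes NIST
    "password",                         # fails both
]

if __name__ == "__main__":
    for pw in CANDIDATES:
        verdict = evaluate(pw)
        print(f"{pw!r:36} legacy={verdict['legacy_accepts']!s:5} nist={verdict['nist_accepts']}")
```

Run it and the complexity policy accepts "Summer2017!!" (a pattern every cracking wordlist contains) while rejecting a 28-character passphrase for lacking a digit; the length-first policy does the opposite. Note the generous MAX_LENGTH: a site that caps passwords at 16 characters, or blocks pasting into the field, is the single most common way systems fail the "support password managers" point.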
This may not sound like a big deal at first, but these changes are huge. We are bringing common sense into the world. Instead of trying to define the academically PERFECT password, we are taking the human element into consideration. Far too often security fails because we forget that people are involved. Complex passwords are not only hard to remember, but time consuming and painful to type in by hand. In fact, The Wall Street Journal published a fascinating article on the background behind NIST's original thinking and on how the original authors now acknowledge just how bad password complexity is. It is even more painful when you require people to change these complex passwords regularly. The biggest resisters to these changes will most likely be two groups: the highly technical security community, which repeatedly forgets that people are part of any organization's security, and the specific regulations or standards that still require password complexity and/or regular password changes, such as NERC CIP-007-6 R5.
Finally, if you are a customer of SANS Security Awareness, your content is already current with the NIST guidelines; we have been promoting these key behaviors for over a year now. Because we work with the SANS senior instructors and top security experts, with SANS you are getting the best content in the world.