Time to change your password strategy?
The National Institute of Standards and Technology (NIST) has issued a new draft of its Digital Identity Guidelines, and suggests a shift in password strategy from periodic changes to use of a long “memorized secret.” The shift is within a section covering authentication and lifecycle in a proposed draft of the Digital Identity Guidelines, Special Publication 800-63-3.
It suggests that, to avoid complexity, rather than requiring users to reset their passwords on a periodic basis, the updated best practice now advocates that security administrators instead urge use of what it refers to as memorized secrets. These would encompass strings of at least 64 characters, sentences or phrases that users could easily memorize.
The secret could contain words, spaces or any other characters the user prefers.
The move by NIST has long been advocated by IT industry professionals. The password strategy, outlined in section 10.2.1 of NIST’s proposed guidelines, says:
When users create and change memorized secrets:
- Clearly communicate information on how to create and change memorized secrets.
- Clearly communicate memorized secret requirements.
- Allow at least 64 characters in length to support the use of passphrases.
- Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g., mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
- Provide clear, meaningful and actionable feedback when chosen passwords are rejected (e.g., when it appears on a “black list” of unacceptable passwords or has been used previously).
- Advise users that they need to select a different secret because their previous choice was commonly used.
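The quoted rules translate directly into a validation routine. The following is an added example written for this article, not code from NIST or from the draft guideline; it assumes an 8-character minimum, a 256-character storage cap (the draft only says to allow at least 64), a constructed five-entry “black list,” and SHA-256 as a stand-in for the slow password hash a real store would use for the previously-used check.

```python
import hashlib
import unicodedata

# Assumption: the draft requires a minimum length; the value 8 is an assumption here.
MIN_LENGTH = 8
# The draft says to allow at least 64 characters; this larger cap only bounds hashing cost.
MAX_LENGTH = 256  # assumption
# Constructed sample "black list" of commonly used secrets (not a real list).
BLACKLIST = {"password", "123456", "qwerty", "letmein", "password1"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so the same passphrase compares equal however it was typed.
    No other transformation: spaces and every character type are kept as entered."""
    return unicodedata.normalize("NFKC", secret)


def fingerprint(secret: str) -> str:
    """Digest used for the 'previously used' check. A production store would hold the
    output of a slow password hash (bcrypt/scrypt/argon2); SHA-256 is used here for brevity."""
    return hashlib.sha256(normalize(secret).encode("utf-8")).hexdigest()


def check_memorized_secret(secret: str, previously_used=frozenset()):
    """Validate a candidate memorized secret against the rules quoted above.

    Returns (accepted, feedback). The feedback is meant to be shown to the user,
    so it states why the secret was rejected and what to do instead.
    """
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, (f"Too short: use at least {MIN_LENGTH} characters. "
                       "A sentence or phrase with spaces is fine.")
    if len(s) > MAX_LENGTH:
        return False, f"Too long: at most {MAX_LENGTH} characters are accepted."
    # Rule: no composition rules. Deliberately no digit, symbol or upper-case checks.
    if s.casefold() in BLACKLIST:
        return False, ("This secret is commonly used and appears on the list of "
                       "unacceptable passwords; choose a different one.")
    if fingerprint(s) in previously_used:
        return False, "You have used this secret before; choose a different one."
    return True, "Accepted."


def change_required(user_requested: bool, compromise_evidence: bool) -> bool:
    """Rule: never force a change on a timer; only on user request or evidence of compromise."""
    return user_requested or compromise_evidence


if __name__ == "__main__":
    # Constructed history: one earlier secret already on file for this user.
    history = {fingerprint("my old cat climbed the green fence")}
    for candidate in ["password", "short", "my old cat climbed the green fence",
                      "my blue kettle sings at dawn on tuesdays"]:
        ok, why = check_memorized_secret(candidate, history)
        print(f"{'OK ' if ok else 'NO '} {candidate!r}: {why}")
    print("change required after 90 days with no incident?", change_required(False, False))
```

The point of the design is what is absent: there is no character-class check, and no `last_changed` timestamp feeds into `change_required`. Length, the black list and reuse are the only reasons a secret is refused, and each refusal carries a message the user can act on.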
IT managers and Chief Technology Officers could view these guidelines as good news, or as a potential headache. Feel free to comment on how you think this would impact your organization if it were ever made mandatory.