NIST Wants to Get Rid of Periodic Password Changes

New guidelines from the National Institute of Standards and Technology, expected to be released this summer, suggest  periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

• Allow at least 64 characters in length to support the use of passphrases.
• Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
• Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

These requirements will bring standards closer to what security experts currently recommend, and what this often-cited XKCD comic illustrates:

You probably have a password like Tr0ub4dor&3 on at least one of your online accounts, but that password is easy for computers to guess and difficult for you to remember. By allowing long passwords, spaces and not requiring special characters, the new NIST standards would push for passwords more like correct horse battery staple, which are difficult for computers to guess, and easy for humans to remember.

NIST is also recommending checking new passwords against several lists, such as:

• Context specific words, such as the name of the service, the username and derivatives thereof.
• Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
• Passwords obtained from previous breach corpuses.

This kind of check could be a particularly effective defense. When hackers procure databases full of usernames and encrypted passwords, they can break the encryption by checking the passwords against a “rainbow table.” A rainbow table is an enormous database that includes encrypted, or “hashed,” versions of many passwords that are common or were turned up in previous breaches, along with the password itself in plain text. Hackers can simply check the encrypted passwords in their stolen database against those in their rainbow table, and pull out the passwords of every match in plain text.

By checking new passwords against the same kind of lists up front, while also allowing long passwords with spaces, an organization could significantly cut down the success rate of hackers who steal encrypted passwords. And once users have a strong password they can remember, periodic changes can do more harm than good. That’s because people tend to eventually start using very simple passwords when forced to constantly change them.

NIST just finished taking comments on its guidelines from the public, which it’s now publicly reviewing on GitHub. The new standards will initially apply only to government agencies and contractors, but many organizations in the private sector tend to follow the agency’s lead on security standards. With any luck, you too may soon stop seeing that annoying password-change pop-up on your work computer.