Password Policy Evolution
Passwords remain the foundation of most organisations' security posture and will continue to be so for some time to come. Yet password breaches are becoming more and more common despite the layers of firewalls, honeypots, and detection solutions that get deployed. Adding more complexity rules to passwords frustrates users and encourages them to reuse the same, or similar, passwords across websites and corporate systems. This means a breach on the web can have immediate and serious consequences for security in the enterprise. The legacy password policy needs to change to keep up with modern threats, which is why NIST published new guidelines for a more appropriate password policy.
What Are The New Guidelines?
Legacy password rules enforced regular password changes, with rules regarding length, password age, and complexity requirements such as mixtures of upper case and lower case characters, use of special characters, etc. These restrictions make passwords hard to remember, leading to increased help desk calls (up to 40%) and a loss of productivity.
Fortunately, the new Digital Identity Guidelines published in 2017 by NIST’s Applied Security Division provide a framework to replace outdated password practices. Included in these guidelines is Special Publication 800-63B, which specifically makes the following recommendations:
- No more enforced composition rules
- No more periodic password expiration
- No more hints
- Minimum length of 8 characters
- No or large maximum length
- Expanded character set, including emoji
- Check against a dictionary of unacceptable and compromised passwords
Without password expiration, short maximum-length limits and comprehensive local and online password blacklist checking, users are free to choose longer, more natural passwords composed of multiple words. These passwords are far harder to guess or brute force.
Users are more inclined to remember a long, natural password that doesn’t expire, and less likely to mistype one without mixed case letters or special characters. That leads to fewer help desk calls, with cost savings and increased productivity.
Users have become frustrated with current complex password requirements. Allowing them to enter a natural, memorable phrase as a password reduces friction when choosing a password, and every time they use the password to log in.
How Our Technology Can Help
The Authlogics Password Breach Database is a key component when looking to meet the new password policy guidelines. It provides a comprehensive and well maintained dictionary of unacceptable and compromised passwords in the cloud for real-time lookups.
If you have Active Directory, simply deploy the Authlogics Password Policy Agent onto your Domain Controller(s) to immediately and seamlessly comply with all of the NIST SP 800-63B guidelines out of the box. It is powered by the Authlogics Password Breach Database to ensure that every password change, along with the common variants determined by our heuristic engine, is checked in real time. There is no need to install extra software on workstations, and all password change attempts are logged centrally for auditing and reporting purposes.