Why Complex Passwords Are No Longer Useful

(KenkaV) The Use of Many Types of Characters in Passwords and Changing Them Often is Not the Best Way to Manage Passwords Anymore

Posted  279 Views updated 3 months ago

This information is based on new guidelines published by National Institute of Standards and Technology (NIST) in America. NIST is a place that makes and gives out guidelines to help organizations protect their information systems and improve cybersecurity.

(Photo: cafef.vn)

Image

For many years, experts and service providers have supported the use of complex passwords as part of password policies. They say these passwords should mix big and small letters, numbers, and special signs to increase password complexity. This complexity is thought to make password harder to guess or break through brute force attacks and password cracking attempts. However, making passwords more complex often leads to users developing bad habits. For example, they might use old passwords again or choose passwords that are too simple. These simple passwords usually don't meet the required standards, like "P@ssw0rd123".

Over time, NIST saw that focusing on complex passwords did not work well and actually made security weaker. In their newest guide, NIST changed from suggesting complex passwords to encouraging longer passwords as a password best practice. There are some reasons for this change in the NIST password guideline 2023: First, it's about how people behave. Studies show that users often have trouble remembering complex passwords. This makes them use the same password on many websites or follow easy-to-guess rules, like changing letters to numbers or symbols that look similar. This problem get worse when many organizations ask you to change your password every 60 to 90 days, but NIST no longer suggests doing this.

While complexity can add to entropy, length plays a much bigger role in password strength according to NIST password standards. A longer password with more characters has many more possible combinations. This makes it harder for attackers to guess, even if the characters themselves are simpler, and improves protection against password breaches and compromises. Also, long passwords are easier to remember, like passphrases with many simple words, which is a password management best practice.

For example, "big dog small rat fast cat purple hat jello bat" can be turned into a password by removing spaces: "bigdogsmallratfastcatpurplehatjellobat". This kind of password is both safe and easy for users to remember. A password like this balances high entropy and ease of use. It helps make sure users don't do unsafe things like writing down passwords or using them again, common password vulnerabilities.

Moreover, improvements in computer power have made it easier to break short, complex passwords through brute-force attacks and password cracking tools. However, even complicated methods find it hard to crack long passwords because there are too many possible combinations. For example, changing a phone password from 4 number to 6 numbers has increased the number of possible combinations from 10,000 to 1,000,000. In its new NIST password standards recommendation, NIST emphasizes allowing users to create passwords up to 64 characters long as the NIST recommended password length. A password that is 64 characters long and only uses lowercase letters and meaningful words is very hard to break. If you add capital letters and symbols, it becomes almost impossible to break the password in terms of math.

 

Source: Adapted from an article about [Kinh tế số] posted on [cafef.vn]. [https://cafef.vn/vi-sao-password-phuc-tap-da-het-thoi-188241004134031151.chn]

The NIST password guidelines also cover other password security best practices beyond just NIST password length and complexity recommendations:

  • NIST suggests against arbitrary password expiration and forced password changes, as they often lead to weaker passwords. The NIST password rotation and change frequency best practices are now to only require changes if there is evidence of compromise.
  • NIST recommends allowing at least 64 character passwords and support for spaces and all printable ASCII characters to enable passphrase usage.

  • NIST recommends against password hints and knowledge-based authentication as they are vulnerable to social engineering.

  • NIST suggests using a password manager to generate, store, and fill in complex passwords rather than having users create their own.

  • NIST recommends secure password storage through salting and hashing and transmission over encrypted connections.

  • NIST recommends checking new passwords against lists of commonly used or compromised passwords as part of password screening.

  • NIST recommends using multi-factor authentication in addition to passwords to protect accounts.

  • NIST provides guidelines on password reset procedures to prevent unauthorized access.

  • NIST recommends a maximum of 10 failed authentication attempts before an account lockout to prevent brute force attacks, as part of their account lockout policy.

NIST recommends a maximum of 10 failed authentication attempts before an account lockout to prevent brute force attacks, as part of their account lockout policy.

By following these NIST password recommendations and best practices, organizations can significantly improve their password security and authentication security overall. The NIST guidelines provide a framework for secure yet user-friendly password policies.

 

Keywords:

#nist guidelines for passwords, #complex passwords, #nist password policy, #nist recommended password length, #longer passwords, #password manager, #cybersecurity, #password hints, #password storage, #password entropy, #password vulnerabilities

Image

Your reaction?

0
LOL
0
LOVED
0
PURE
0
AW
0
FUNNY
0
BAD!
0
EEW
0
OMG!
0
ANGRY
0 Comments