Regulation and Compliance > Cybersecurity

Overly Complex Passwords Are Unnecessary, New Guidelines Say

Your article was successfully shared with the contacts you provided.

The National Institute of Standards and Technology released guidance in June updating its recommendation for passwords. Instead of recommending that users create long complicated passwords with upper- and lowercase letters, numbers and special characters, NIST is recommending simple — but still long — passwords that are easy to remember.

(Related: SEC Alert Details ‘Robust’ Cybersecurity Best Practices)

“Many attacks associated with the use of passwords are not affected by password complexity and length,” NIST wrote in an appendix to Special Publication 800-63B. “Keystroke logging, phishing and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.”

It doesn’t matter how complex a password is if users hand them over unwittingly to hackers. Cisco’s 2017 Midyear Cybersecurity Report found $1.7 billion was stolen annually between October 2013 and December 2016 through social engineering schemes targeting businesses and workers.

NIST also recommended that organizations stop forcing users to change their passwords periodically, unless, of course, there’s evidence of a breach.

“Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication,” NIST wrote. “Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.”

(Related: Your Biggest Cybersecurity Threat? Your Employees)

The recommendations are designed to be used by federal agencies, but may be adopted by nongovernmental agencies. In his executive order on cybersecurity in May, President Donald Trump required federal agencies to adhere to NIST’s Framework for Improving Critical Infrastructure Cybersecurity to draft their cyber-risk plans.

In the guidelines, NIST recommends that “memorized secrets” – that is, passwords – be at least eight characters, and that verifiers should allow users to create passwords as long as 64 characters. Randomly assigned numeric passwords may be as short as six characters.

Too-short passwords can be beaten by “brute force attacks,” according to NIST, attacks where hackers try as many combinations of letters and numbers as it takes to gain access.

NIST also recommended allowing Unicode and ASCII characters and spaces to be used to create passwords, though it pointed out that some Unicode characters “may be represented differently by some endpoints, which can affect [users’] ability to authenticate successfully.”

Some current password practices that aren’t being changed include refusing passwords that:

  • Are obtained from previous breach corpuses
  • Are dictionary words
  • Include repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context-specific words, such as the name of the service, the username and derivatives thereof

“Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed,” NIST wrote.