The National Institute of Standards and Technology released guidance in June 2017, Special Publication 800-63B, that updates its password recommendations. Instead of requiring users to create complicated passwords that mix upper- and lowercase letters, numbers and special characters, NIST now advises dropping such composition rules and letting users choose long but simple passwords or passphrases that are easy to remember.
“Many attacks associated with the use of passwords are not affected by password complexity and length,” NIST wrote in an appendix to Special Publication 800-63B. “Keystroke logging, phishing and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.”
It doesn’t matter how complex a password is if users unwittingly hand it over to attackers. Cisco’s 2017 Midyear Cybersecurity Report reported that $1.7 billion was stolen annually between October 2013 and December 2016 through social engineering schemes targeting businesses and their employees.
NIST also recommended that organizations stop forcing users to change their passwords periodically; a change should be required only when there is evidence that the password has been compromised.
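To make the shift concrete, here is an added example (written for this page, not code from the article or from NIST) that puts a legacy composition-rule check next to an acceptance check in the style of SP 800-63B section 5.1.1.2: a length floor and ceiling, no character-class rules, a comparison against a list of known-bad values, and a rotation decision driven only by evidence of compromise. The 8-character minimum, the 64-character ceiling and the Unicode normalization step come from SP 800-63B; the blocklist, the sample passwords and the context terms are constructed for the example.

```python
"""Password acceptance checks in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not code from the article or from NIST. The numeric bounds
(8-character minimum for user-chosen secrets, 64 characters accepted as a
maximum) come from SP 800-63B; the blocklist below is a constructed sample
standing in for a real list of breached and commonly used passwords.
"""
import re
import unicodedata

# Constructed sample blocklist. A deployment would load a large list of
# breached, dictionary and context-specific (site name, username) values.
SAMPLE_BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "qwerty123", "letmein",
    "welcome1", "summer2017!", "changeme",
}

MIN_LEN = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64  # SP 800-63B: verifiers SHOULD allow at least 64 characters


def legacy_complexity_ok(password: str) -> bool:
    """The pre-2017 'composition rule' style check the article says NIST
    now advises against: upper, lower, digit and symbol all required."""
    return (len(password) >= MIN_LEN
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def normalize(password: str) -> str:
    """SP 800-63B asks verifiers to Unicode-normalize (NFKC or NFKD) before
    hashing so a passphrase typed on different keyboards compares equal.
    Whitespace is kept as typed: spaces are allowed characters."""
    return unicodedata.normalize("NFKC", password)


def nist_check(password: str, context_terms=(), blocklist=SAMPLE_BLOCKLIST):
    """Return (accepted, reason). No composition rules and no expiry: a
    secret is rejected only for being too short, too long, or on a list
    of known-bad / context-derived values (compared case-insensitively)."""
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if n > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    folded = pw.casefold()
    if folded in blocklist:
        return False, "appears on the blocklist of known-bad passwords"
    for term in context_terms:  # e.g. username, service name
        if term and term.casefold() in folded:
            return False, "contains context-specific term %r" % term
    return True, "accepted"


def needs_rotation(days_since_set: int, evidence_of_compromise: bool) -> bool:
    """Rotation policy as the article describes it: age alone never forces
    a change; only evidence of compromise does."""
    del days_since_set  # age is deliberately ignored
    return evidence_of_compromise


if __name__ == "__main__":
    # Constructed sample inputs: two pass the old rules and fail the new,
    # two fail the old rules and pass the new.
    for pw in ["Summer2017!", "P@ssw0rd",
               "correct horse battery staple", "tr0ub4dor&3"]:
        print("%-32r legacy=%-5s nist=%s"
              % (pw, legacy_complexity_ok(pw), nist_check(pw)))
```

The contrast is the point of the article: "Summer2017!" and "P@ssw0rd" satisfy every composition rule yet are exactly the predictable values a blocklist catches, while a long passphrase with no uppercase letter or symbol fails the legacy check and passes the NIST-style one. The blocklist comparison is case-insensitive because attackers' wordlists already contain the obvious case variants.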
“Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication,” NIST wrote. “Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.”