In June 2017, the National Institute of Standards and Technology (NIST) issued new guidelines related to passwords and management of user logins. These new guidelines contain some surprising new recommendations and, in some cases, reversed prior guidelines or commonly accepted security practices.
We have summarized the changes to the federal login and password management guidelines below. The newly updated standard can be found on NIST's website.
What has changed in federal authentication management guidelines:
Passwords should be longer:
- 8-character passwords are the absolute minimum; 10-12 characters or longer is recommended
- Passwords up to 64 characters should be allowed
Requiring mixed case, numbers or special characters is no longer recommended:
- Does not necessarily increase password strength
- Makes it harder for users to choose “memorable” passwords
Requiring users to periodically change their passwords is also no longer recommended:
- May also prevent users from choosing memorable passwords
- Only require a change if there is suspicion that a password has been compromised
Password “hints” for recovering a password are no longer recommended:
- Thanks to social media, these are often easily guessed
Password selection software should not allow “obvious” passwords:
- Common words, words related to the user, repeated letters, numeric sequences, etc. (e.g., “password123”, “johnsmith”, or “abcabcabc”)
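The following is an added example, not code from the original article or from NIST, showing how a password acceptance check could implement the length rules above (8 minimum, 64 allowed, no composition rules) together with the “obvious password” screening. The blocklist, thresholds and the `user_words` parameter are assumptions for illustration; a real deployment would load a large list of breached and common passwords rather than the handful constructed here.

```python
import re

# Constructed sample blocklist; a real deployment would load a much larger list
# of breached/common passwords (assumption: illustrative only, not NIST's list).
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "123456", "abc123"}

MIN_LENGTH = 8   # absolute minimum per the guideline summary above
MAX_LENGTH = 64  # passwords up to 64 characters must be accepted


def has_repeated_run(pw, run=3):
    """True if any character repeats `run` or more times consecutively, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_repeated_pattern(pw):
    """True if the password is a short chunk repeated end to end, e.g. 'abcabcabc'."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False


def has_sequence(pw, length=4):
    """True if pw contains an ascending or descending run of consecutive
    characters of the given length, e.g. '1234', 'abcd' or '4321'."""
    lowered = pw.lower()
    for i in range(len(lowered) - length + 1):
        codes = [ord(c) for c in lowered[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_user_word(pw, user_words):
    """True if any user-related token (username, first/last name, email local part)
    appears inside the password, case-insensitively."""
    lowered = pw.lower()
    return any(w and w.lower() in lowered for w in user_words)


def check_password(pw, user_words=(), blocklist=COMMON_PASSWORDS):
    """Return a list of rejection reasons; an empty list means the password is acceptable.
    Note that no mixed-case/digit/symbol composition rule is applied, in line with
    the guideline summary above; length and screening do the work instead."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if pw.lower() in blocklist:
        reasons.append("common password")
    if contains_user_word(pw, user_words):
        reasons.append("contains user-related word")
    if has_repeated_run(pw):
        reasons.append("repeated characters")
    if has_repeated_pattern(pw):
        reasons.append("repeated pattern")
    if has_sequence(pw):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs matching the article's examples.
    for candidate, words in [("password123", ()),
                             ("johnsmith", ("jsmith", "john", "smith")),
                             ("abcabcabc", ()),
                             ("correct horse battery staple", ())]:
        print(repr(candidate), "->", check_password(candidate, words) or "accepted")
```

The check returns every reason that applies rather than stopping at the first, so the rejection message shown to the user can explain what to change; a long passphrase with spaces passes because length, not character classes, is what the policy rewards.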
Login software should include features to prevent brute force attacks:
- Delays between login attempts
- Lock account after a number of failed attempts
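As an added example (not code from the original article), the following sketches how login software can apply both brute-force countermeasures listed above: a growing delay between attempts and a temporary lock after a number of failures. The policy values (5 failures, 15-minute lock, 1-second base delay), the `ManualClock` test helper and the `verify` callback are assumptions for illustration.

```python
import time

MAX_FAILURES = 5       # failures before the account locks (constructed policy value)
LOCKOUT_SECONDS = 900  # duration of a lock, seconds (constructed policy value)
BASE_DELAY = 1.0       # first enforced delay after a failure, seconds


class ManualClock:
    """Deterministic clock for demos and tests; production code passes time.monotonic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginThrottle:
    """Tracks failed attempts per account and enforces exponential delays plus lockout."""

    def __init__(self, clock=time.monotonic, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, base_delay=BASE_DELAY):
        self.clock = clock
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        # user -> {"failures": int, "not_before": float, "locked_until": float}
        self.state = {}

    def _entry(self, user):
        return self.state.setdefault(
            user, {"failures": 0, "not_before": 0.0, "locked_until": 0.0})

    def attempt_allowed(self, user):
        """Return (allowed, reason); reason is 'locked', 'delay' or 'ok'."""
        e = self._entry(user)
        now = self.clock()
        if now < e["locked_until"]:
            return False, "locked"
        if now < e["not_before"]:
            return False, "delay"
        return True, "ok"

    def record_failure(self, user):
        """Register a failed attempt: back off 1s, 2s, 4s, ... and lock at the threshold."""
        e = self._entry(user)
        e["failures"] += 1
        now = self.clock()
        e["not_before"] = now + self.base_delay * (2 ** (e["failures"] - 1))
        if e["failures"] >= self.max_failures:
            e["locked_until"] = now + self.lockout_seconds
        return e["failures"]

    def record_success(self, user):
        """A successful login clears the failure counter."""
        self.state.pop(user, None)


def try_login(throttle, user, password, verify):
    """Run one login attempt. `verify(user, password) -> bool` is the credential
    check against stored credentials (assumed, not shown here).
    Returns 'success', 'failed', 'delay' or 'locked'. Note that the throttle is
    consulted before the password is checked, so a locked account rejects even
    the correct password until the lock expires."""
    allowed, reason = throttle.attempt_allowed(user)
    if not allowed:
        return reason
    if verify(user, password):
        throttle.record_success(user)
        return "success"
    throttle.record_failure(user)
    return "failed"


if __name__ == "__main__":
    # Constructed walk-through with a manual clock so the output is deterministic.
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock, max_failures=3, lockout_seconds=60)
    verify = lambda user, pw: pw == "correct horse battery staple"
    for t, pw in [(0.0, "wrong"), (0.0, "wrong"), (1.0, "wrong"), (3.0, "wrong"),
                  (10.0, "correct horse battery staple"),
                  (64.0, "correct horse battery staple")]:
        clock.t = t
        print(f"t={t:>5}: {try_login(throttle, 'alice', pw, verify)}")
```

Keying the state by account means the lock protects a specific user from password guessing; a production deployment would also key on source address and persist the counters outside a single process so they survive restarts.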
Two-factor authentication, where users must also enter a code they receive via a text message, email or a hardware device, is encouraged to strengthen user authentication.
What has not changed
- User IDs and passwords should uniquely identify a user
- Passwords should never be transmitted or stored without being encrypted
It is recommended that organizations, especially those in the healthcare industry, adopt these new guidelines from NIST. Simple changes such as updating your organization’s password policy can have a significant positive impact on the organization’s overall security posture.