We’ve all got password fatigue, but are NIST’s new policies wise?

Ah the necessary evil of passwords.

Those of us who have worked in organizations that require users to change passwords at set intervals know what I mean.

Typically every three to six months, users are requested to perform a password change – maybe in the form of an annoying pop-up alert. In some setups, the user is lock out of the system until a new memorable password (but one that follows the complex password creation guidelines) is set.

A commenter on Slashdot said his previous organisation demanded a password change every 45 days. Gulp. 

Under that pressure, is it surprising that so many users forget their new passwords or resort to cobbling together poor passwords?

But, it’s no picnic for IT teams either. IT represents one of the most under-resourced, yet critical departments in many an organization. The regularly changing your password policy demands that IT manage this whole process, including when users forget their ‘memorable’ passwords.  It takes time, effort and money to run this security policy.

And part of the reason regular password reset have been enforced is because organizations like the United States National Institute for Standards and Technology (NIST) have advocated this approach….until last week.

New Password Guidelines from NIST

NIST released a new draft of its Digital Identity Guidelines: The Special Publication 800-63-3b.  No longer does NIST recommend forced password changes or additional complexities when asking users to select a password.

In fact, they seem to prefer the term Memorized Secrets, over passwords:

“A Memorized Secret authenticator (commonly referred to as a password or, if numeric, a PIN) is a secret value that is intended to be chosen and memorable by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value.”

In fact, way back in 2009, NIST admitted that enforced password changes were a source of frustration to the user. 

According to the NIST guidelines, the new draft rules on password policies include:

For the IT security industry, this is a big deal, and a contentious one. Reputable experts around the world are split on this issue.
See what side of the fence you sit on:
Arguments for regularly changing your passwords
If your details get stolen directly or via a third-party, you are only vulnerable for a set amount of time, as opposed to indefinitely.
It forces IT to review account permissions and ensure only authorized users have access.
Remote network access increases a firm’s exposure to risk, so changing passwords after sessions reduces the likelihood of unauthorised access.
Arguments for regularly changing your passwords
Users forced to change passwords often are more likely to use bad passwords
Users are more likely to use the same passwords for multiple accounts
Frustrated users are more likely to create secret work-arounds to simplify the process which may put the organization at increased risk.
Oh, and before you make your decision, check out NIST’s list of mitigation tactics against authenticator threats. We find it quite comprehensive. New mitigation approaches and technologies – and indeed new threats – have changed the threatscape. See section 8.2  of the Digital Identities draft.
We’d love to hear your thoughts on the topic, especially if you manage an IT environment that enforces regular password changes.
Do you think that enforced password changes are worth the hassle and improve security, or do their inherent cons make this policy more of a liability? What about passphrases vs passwords? Do you like this idea of migrating the concept of passcodes to Memorized Secret?
And most importantly, do you think this is the right step for NIST?

Previous ArticleWannaCry’s Kill Switch won’t work for proxy users. Patch now. Next ArticleEU GDPR demystified: a straight-forward guide for US firms (PART 1)