NIST Standards Proposal Looks to Retire Outdated Authentication Requirements Like Mandatory Password Resets
That makes sense: What’s more aggravating than having to change your password periodically? I worked for one company that required it every three months, plus they had all these other rules about what the password could and could not contain. Standard regulators now declare that most credential rules are obsolete and unnecessary.
The National Institute of Standards and Technology (NIST) has proposed new credential standards it wishes to adopt. The second draft of Special Publication 800-63-4 is posted to the NIST website, awaiting public feedback on the suggested password and authentication guidelines.
The outline of standards is no-nonsense but flies in the face of the annoying password regimen many companies and agencies employ. Some examples include mandating password resets, limiting character usage, requiring certain character combinations, and using security questions. These requirements are largely unnecessary. They are outdated relics, hailing from a time when the internet was still new, and most people didn’t understand proper security hygiene.
As Microsoft indicated in its 2019 Security Baseline, many of these rules actually promote bad security hygiene. For example, requiring employees to change their passwords frequently encourages them to use weaker passwords that are easier to remember or create, and therefore, easier to crack. The FTC agrees.
The same goes for rules that call for character specifics, such as “passwords must contain at least eight characters with a minimum of one uppercase and lowercase letter, one special symbol (like punctuation), and at least one numeral.” These tight restrictions tend to lead people to use passwords like BigToe@1 (a former coworker actually used that one).
While anybody is free to read and comment on SP 800-63-4, it is a challenging and long read, thanks to all the bureaucratic lingo and lengthy explanations. It’s so loaded that the organization felt it was necessary to devote a section to defining the meanings of the words “shall, shall not,” “should,” “should not,” and other simple terms. The document basically boils down to nine requirements and suggestions.
Password Verifiers or Verification Service Providers:
Rule eight is quite sensible considering the lunacy of the assumption that hackers couldn’t know or figure out a target’s high school mascot or a maiden name. However, number seven seems like a Catch-22. You can only see your password hint if you are authenticated, but you can’t be authenticated if you can’t remember your password without the hint. Other than that, the guidelines seem like common sense, which I find lacking in general these days.
The NIST governs standards within the government and has no enforcement authority over private companies. For example, it ensures that all fire hydrants use standardized fittings and deliver the same amount of water no matter where you go, as well as standards for maintenance.
Generally, only government agencies and companies or organizations that deal directly with the government are held to these rules. For instance, the IRS must adopt NIST guidelines, but Meta can ignore them. That said, many NIST standards trickle down to private organizations within the industries that the rules apply. The NIST Cybersecurity Framework is a good example.
