Monday will be the final day for the public to comment on
For banks and credit unions, simplified password rules would reduce friction in online and mobile banking while improving security. The recommendations from NIST provide a kind of green light to any institutions hoping to implement similar changes to their password requirements.
In the place of password complexity rules, NIST suggests companies check passwords against a blocklist, which would include passwords leaked in breaches and one-word passwords that are easily guessed (such as "password" or the name of the service).
Complicated password requirements often create a maze that frustrates users attempting to create secure passwords. These rules have inspired
Often,
"Highly complex passwords introduce a new potential vulnerability: they are less likely to be memorable and more likely to be written down or stored electronically in an unsafe manner," the agency said in its proposed rules. "While these practices are not necessarily vulnerable, some methods of recording such secrets will be."
More importantly, though,
"This is due to a subset of the users picking easy-to-guess passwords that still comply with the password creation policy in place, for example 'Password!1'," the paper stated.
While less complex passwords would still be vulnerable to these predictable behaviors, NIST's proposal requires agencies to provide users guidance on choosing a stronger password if their submitted one is found on a blocklist. This, the agency says, discourages trivial modifications to weak passwords.
While password complexity rules have the theoretical advantages of requiring users to use unique passwords that are harder to crack, they often just push users to use predictable variations of the same password they use everywhere else. That's according to
"This doesn't necessarily mean that all password complexity rules should be removed, but that we need to reconsider what makes a password complex while also considering its usefulness," Enzoic said in the post. "This is why the NIST password guidelines and many other organizations are removing the requirement for special characters in passwords."
Frustratingly for users, companies and agencies often thwart their attempts to create memorable passwords — such as sentences or phrases — by disallowing certain characters in their passwords, such as spaces.
Companies often disallow these characters in passwords as a means of thwarting
Hashing a password transforms it into text that cannot be used in injection attacks. It is a one-way function that turns passwords into a string of characters with a fixed length. Hashing the same password always yields the same result, which is how companies should authenticate passwords. Taking a hash and trying to revert it to the password, however, is designed to be impossible.
Rather than enforce rules on the composition of a password, companies should focus on the length of the password as the "primary factor in characterizing password strength," according to NIST's proposed rules.
Notably, the proposed rules also encourage companies to increase the maximum number of characters a user can use in their password to at least 64, or even longer for better results.
"Users should be encouraged to make their passwords as lengthy as they want, within reason," the proposed rules read.
The only limiting factor for how long a password should be is how long it takes to hash it. This time increases for "extremely long passwords (perhaps megabytes long)," according to NIST's proposed rule. A password that long would contain millions of characters, making it longer than the book Moby-Dick.
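As an added illustration of the policy described above (length first, any printable character allowed, a blocklist check with corrective guidance, and one-way hashing), here is example code that is not part of NIST's proposal or the article; the blocklist entries and the `examplebank` service name are constructed, and the standard-library `scrypt` call stands in for whichever slow password hash an institution actually deploys.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed sample blocklist: breached or common passwords plus the
# (assumed) service name. A real deployment loads a large breach-derived list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "examplebank"}

MIN_LENGTH = 8    # floor for user-chosen passwords
MAX_LENGTH = 64   # allowed maximum should be at least this long


def normalize(candidate: str) -> str:
    """Fold case and strip trailing digits/punctuation so that trivial
    variants such as 'Password!1' still match the blocklist entry 'password'."""
    folded = unicodedata.normalize("NFKC", candidate).lower()
    return re.sub(r"[\d\W_]+$", "", folded)


def check_password(candidate: str, blocklist=BLOCKLIST):
    """Apply the length-first policy; spaces and any printable character are
    accepted. Returns (accepted, guidance-for-the-user)."""
    if len(candidate) < MIN_LENGTH:
        return False, f"Use at least {MIN_LENGTH} characters; a sentence or phrase works well."
    if len(candidate) > MAX_LENGTH:
        return False, f"Use at most {MAX_LENGTH} characters."
    if candidate.lower() in blocklist or normalize(candidate) in blocklist:
        # Guidance discourages a trivial tweak of the rejected password.
        return False, ("That password is commonly used or appeared in a breach; "
                       "pick a different, longer phrase rather than adding a digit or symbol.")
    return True, "ok"


def hash_password(candidate: str, salt: bytes = b"") -> tuple:
    """Salted, deliberately slow one-way hash. Same input and salt always
    give the same digest, which is what makes verification possible."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(candidate: str, salt: bytes, expected: bytes) -> bool:
    """Re-hash the submitted password and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], expected)
```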