Experts from the US National Institute of Standards and Technology (NIST) have updated their password security guidelines, removing the recommendation to change passwords periodically, given that it can have the opposite effect by pushing users toward less secure password choices.
Passwords are one of the most used forms of authentication by users, whether when logging into a service, as a barrier to storing personal information or to unlock devices.
A password is a code composed of a series of characters that the user generates and keeps secret. To guarantee the security of these keys, experts have usually recommended that they reach a certain length and combine letters, numbers, symbols, and uppercase and lowercase characters, and have even indicated the need to change them from time to time so that they cannot be cracked or reused in the event of a leak.
These guidelines have been recommended in recent years as reliable security measures; however, NIST, the American organization dedicated to setting technology standards for government and private organizations, has dismantled some of them in its latest public draft of the Digital Identity Guidelines document.
Specifically, one of these revisions concerns the recommendation to periodically change passwords. As detailed by NIST in the Password Authenticators section, verifiers and credential service providers (CSPs) “should not require users” to carry out this practice unless there is evidence that “the authenticator is compromised”.
This is because, as the organization has explained, users tend to generate increasingly simple passwords that they can remember when they are forced to change them regularly. This makes the passwords less resistant to cyber attacks and data leaks.
On the other hand, NIST experts have also made reference to the recommendation of using different types of characters within the same password. In this regard, it has been detailed that verifiers and CSPs “should not impose other composition rules” for passwords.
Although these composition rules are used to make user-chosen passwords harder to guess, “recent research has shown that users respond in very predictable ways to the requirements imposed by the composition rules.”
As they point out, these rules only cause changes, such as adding a number or a symbol, that are completely predictable for cybercriminals. For example, a user who chooses the word ‘password’ as a password “would be relatively likely to choose ‘Password1’ if asked to include a capital letter and a number, or ‘Password1!’ if a symbol is also required.”
“Analysis of breached password databases reveals that the benefit of such rules is less significant than initially thought, and the impacts on usability and memorability are serious”, NIST has ruled on the matter.
Despite these changes, experts have also maintained other guidelines, such as using an appropriate character length when generating a password to make it harder to guess.
Specifically, the organization has detailed that verifiers and CSPs “must require passwords to be a minimum of eight characters long”, although it has also pointed out that, to guarantee security, passwords should be required to be a minimum of 15 characters in length. It has also specified that the recommended maximum length for passwords is 64 characters.
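As an added illustration, not NIST's text or any product's code, the snippet below contrasts a verifier-side check in the legacy style (composition rules plus calendar expiry) with a length-only check reflecting the draft as the article reports it. The 8/15/64-character thresholds come from the article; the 90-day legacy expiry is an assumed value.

```python
import re
from typing import List

# Thresholds as reported in the article: 8 required, 15 recommended, 64 maximum.
NIST_MIN_LEN = 8
NIST_RECOMMENDED_MIN_LEN = 15
NIST_MAX_LEN = 64
LEGACY_EXPIRY_DAYS = 90  # assumed value for the old rotation policy


def nist_style_check(password: str, min_len: int = NIST_RECOMMENDED_MIN_LEN) -> List[str]:
    """Length-only policy: no composition rules. Returns problems (empty list = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > NIST_MAX_LEN:
        problems.append(f"longer than {NIST_MAX_LEN} characters")
    return problems


def legacy_check(password: str) -> List[str]:
    """The composition-rule policy the draft drops: 8+ chars plus upper, lower, digit, symbol."""
    problems = []
    if len(password) < NIST_MIN_LEN:
        problems.append(f"shorter than {NIST_MIN_LEN} characters")
    classes = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
               ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))
    for name, pattern in classes:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems


def rotation_required(days_since_change: int, compromised: bool, legacy: bool) -> bool:
    """Legacy: expire by calendar. Draft: only evidence of compromise forces a change."""
    if legacy:
        return compromised or days_since_change > LEGACY_EXPIRY_DAYS
    return compromised


if __name__ == "__main__":
    # Constructed sample inputs: the article's predictable variant vs. a long passphrase.
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, "| legacy:", legacy_check(candidate),
              "| draft:", nist_style_check(candidate))
```

The predictable ‘Password1!’ satisfies every legacy composition rule but fails the 15-character recommendation, while a long passphrase with no digits or capitals is accepted under the length-only policy.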