Be careful with passwords: changing them periodically can make them less secure in the long run

Experts from the US National Institute of Standards and Technology (NIST) have updated their password security guidelines, dropping the recommendation to change passwords periodically, since it can have the opposite effect by pushing users toward ever less secure password choices.

Passwords are one of the forms of authentication users rely on most, whether to log into a service, to protect stored personal information, or to unlock devices.

A password is a code made up of a series of characters that the user generates in secret. To keep these credentials secure, experts have usually recommended that they reach a certain length and combine letters, numbers, symbols, and uppercase and lowercase letters, and have even called for changing them from time to time so that a cracked or leaked password cannot be used.

These guidelines have been recommended in recent years as reliable security measures. However, NIST, a US organization that sets technology standards for government and private organizations, has dismantled some of them in the latest public draft of its Digital Identity Guidelines.

Specifically, one of these corrections revisits the recommendation to change passwords periodically. As NIST details in the section on password authenticators, verifiers and credential service providers (CSPs) “should not require users” to do so unless there is evidence that “the authenticator is compromised.”

This is because, as the organization explains, users who have to change their passwords regularly tend to generate ever simpler ones that they can remember, which makes them less resistant to cyber attacks and data leaks.

NIST experts have also revisited the recommendation to use different types of characters within the same password. Here the draft states that verifiers and CSPs “should not impose other composition rules” for passwords.

Although these composition rules are intended to make user-chosen passwords harder to guess, “recent research has shown that users respond in very predictable ways to the requirements imposed by the composition rules.”


As NIST points out, these rules only produce changes, such as adding a number or a symbol, that are entirely predictable to cybercriminals. For example, a user who chooses the word ‘password’ as a password “would be relatively likely to choose ‘Password1’ if asked to include a capital letter and a number, or ‘Password1!’ if a symbol is also required.”

“Analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought, and the impacts on usability and memorability are serious,” NIST stated.

Despite these changes, experts have kept other guidelines, such as requiring an appropriate character length when generating a password to make it harder to guess.

Specifically, the agency states that verifiers and CSPs “must require that passwords be a minimum of eight characters in length,” and adds that, to guarantee security, a minimum of 15 characters should be required. It also specifies that the maximum recommended length for passwords is 64 characters.
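As an added example, not code from the article or from NIST, the following Python policy check applies the length limits quoted above, deliberately omits composition rules, shows how ‘Password1!’ collapses back to the common word it was built from, and contrasts calendar-based rotation with compromise-driven rotation. The small base-word blocklist and the 90-day legacy interval are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Length bounds as stated in the article: 8 required, 15 recommended, 64 maximum.
MIN_LEN_REQUIRED = 8
MIN_LEN_RECOMMENDED = 15
MAX_LEN = 64

# Constructed mini-blocklist of common base words (assumption: a real deployment
# would load a large list of breached passwords instead).
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty"}


def base_word(password: str) -> str:
    """Undo the predictable edits users make to satisfy composition rules:
    capitalised letters plus trailing digits and/or trailing symbols."""
    stripped = re.sub(r"[0-9]*[!@#$%^&*?.]*$", "", password)
    return stripped.lower()


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def check_password(password: str) -> Verdict:
    """Length checks only; no uppercase/digit/symbol composition rules."""
    hard, soft = [], []
    if len(password) < MIN_LEN_REQUIRED:
        hard.append(f"shorter than {MIN_LEN_REQUIRED} characters")
    elif len(password) < MIN_LEN_RECOMMENDED:
        soft.append(f"accepted, but {MIN_LEN_RECOMMENDED}+ characters is recommended")
    if len(password) > MAX_LEN:
        hard.append(f"longer than {MAX_LEN} characters")
    if base_word(password) in COMMON_BASE_WORDS:
        hard.append("predictable variant of a common word")
    return Verdict(accepted=not hard, reasons=hard + soft)


def legacy_rotation_required(age_days: int, max_age_days: int = 90) -> bool:
    """The policy the article says NIST dropped: rotate on a calendar schedule."""
    return age_days > max_age_days


def rotation_required(age_days: int, compromised: bool) -> bool:
    """Updated policy: rotate only on evidence the authenticator is compromised.
    Password age is accepted but deliberately ignored."""
    return compromised
```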

By Editor
