Obsolete password policies frustrate users. User-friendly password policies actually increase security.
The National Institute of Standards and Technology (NIST) published new Digital Identity Guidelines this past June. The new guidelines address my pet peeves about the password policies you’ll find in most enterprises, on websites, and in commercial software products.
Number one on my list is infuriating password complexity rules. You know the ones I’m talking about: “passwords must be at least 8 characters long and contain at least one special character (but not ^, #, -, or space), an upper case character and one number evenly divisible by 3”. And I have special love for password entry forms that let me enter a password and only then tell me their restrictions.
The new guidelines[1] endorse pass phrases[2]. Here’s an example: “I’ve been juggling budgets since 1981!” That is a thirty-eight-character password that a user can actually remember, and it is far harder to guess than a shorter, pattern-based password like Pa$$w0rd1 (a dictionary word with the usual substitutions, which is exactly what cracking tools try first). It also meets most complexity requirements, if you allow spaces!
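To make the contrast concrete, here is an added example (not code from the original post or from NIST) that puts a legacy composition-rule validator next to one following the verifier requirements in SP 800-63B section 5.1.1.2, and runs both over the two passwords quoted above. The 16-character cap in the legacy validator and the five-entry blocklist are assumptions standing in for what real systems use.

```python
from __future__ import annotations

import unicodedata

# Constructed stand-in for the "commonly-used, expected, or compromised"
# list that SP 800-63B says verifiers must screen against. A real deployment
# would use a large breach corpus rather than five entries.
BLOCKLIST = {"password", "pa$$w0rd1", "123456", "qwerty", "letmein"}

LEGACY_FORBIDDEN = set("^#- ")   # the "but not ^, #, -, or space" rule


def legacy_check(pw: str) -> list[str]:
    """Composition rules of the kind the post mocks.

    Returns the list of violated rules; an empty list means accepted.
    The 16-character cap is an assumption standing in for the short
    maximum lengths such systems typically impose.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 16:
        problems.append("longer than 16 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    if any(c in LEGACY_FORBIDDEN for c in pw):
        problems.append("contains a forbidden character (^, #, -, or space)")
    return problems


def normalize(pw: str) -> str:
    """SP 800-63B recommends NFKC or NFKD normalization before a memorized
    secret is compared or hashed, so that visually identical input typed on
    different platforms verifies the same way."""
    return unicodedata.normalize("NFKC", pw)


def nist_check(pw: str, min_len: int = 8, max_len: int = 64) -> list[str]:
    """SP 800-63B 5.1.1.2 style verification: a length floor of 8, a
    ceiling of at least 64, a blocklist screen, and no composition rules.
    Spaces, every printing ASCII character and Unicode are all allowed.

    Returns the list of reasons for rejection; an empty list means accepted.
    """
    norm = normalize(pw)
    problems = []
    if len(norm) < min_len:          # count code points, not bytes
        problems.append(f"shorter than {min_len} characters")
    if len(norm) > max_len:
        problems.append(f"longer than {max_len} characters")
    if norm.casefold() in BLOCKLIST:
        problems.append("appears on the compromised/common password list")
    # Refusing control characters (Unicode category Cc) is this example's
    # choice, not a NIST rule: they are not printing characters and a user
    # cannot type them on purpose, so they indicate malformed input.
    if any(unicodedata.category(c) == "Cc" for c in norm):
        problems.append("contains control characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd1", "I\u2019ve been juggling budgets since 1981!"):
        print(repr(candidate))
        print("  legacy rules :", legacy_check(candidate) or "accepted")
        print("  SP 800-63B   :", nist_check(candidate) or "accepted")
```

Run it and the pass phrase is rejected twice by the legacy rules (too long, contains a space) while Pa$$w0rd1 sails through; under the NIST-style rules the outcome is reversed, because the only screen that bites is the blocklist. In production the five-entry set would be replaced by a breach corpus; the Have I Been Pwned range API, which is queried with the first five hex characters of the password's SHA-1 hash so the password itself never leaves the verifier, is a common choice.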
The next irritant addressed is password expiration. That probably surprises you, right? Password expiration policies are so ingrained that their use is accepted without question. Technology and threats change. Expiration was meant to limit how long a stolen password hash stays useful while an attacker cracks it offline, but attackers who obtain a password use it long before the next scheduled change, and forced rotation pushes users toward predictable variations of the old password. NIST now says memorized secrets should not be required to change arbitrarily, only when there is evidence of compromise. Expiration policies incur support and productivity costs and do little to mitigate risk. Here’s a short, authoritative article that gives more details: Time for Password Expiration to Die.
Finally, password entry fields should allow users to paste passwords into the field instead of forcing them to type the password manually. NIST gives the reason directly: permitting paste facilitates the use of password managers. A trustworthy password manager is the only sensible way for users to use strong, separate passwords for all the services that are a part of their lives.
PCMag.com has a good review of the top password managers. I use 1Password, mainly because it has excellent support for the Apple ecosystem. I recommend LastPass to Windows users. By using a password manager, I only need to remember three pass phrases. The primary one is my domain password, the second is the master password for my password manager, and the third is for the cloud service that contains my password vault, in case I need to set up a new environment from scratch.
Each of my three pass phrases is over 50 characters long, but they are memorable phrases that I have no trouble recalling. And, since they don’t expire, my muscle memory allows me to type them in rapidly. The password manager will generate and remember long complex passwords for all the other sites and services and I can devote my shrinking hippocampus to better things.
It’s not often you can make life easier for your users and your systems more secure at the same time.
- [1] The password section starts on page 13 of this document: https://doi.org/10.6028/NIST.SP.800-63b
- [2] A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.