Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B Digital Identity Guidelines. The new guidelines represent some significant changes to password management. There are three significant changes.
1: Remove Periodic Password Change Requirements
The thought behind the requirement to implement frequent password changes is that this would increase the security of passwords. This does not really work due to how most people change their passwords. For example, if your current Password is PASSWORD when a user is required to change their password the user usually would change it to PASSWORD1, and the next time they need to change the password, it becomes PASSWORD2.
Changes to the password of this nature do not really improve security, so NIST has removed the recommendation that systems require periodic password changes. These changes only create busy work for users and do not improve security of the passwords.
2: Require Length and Remove Password Complexity
The thought was that requiring Uppercase letters, Lowercase letters, numbers, and symbols increased the complexity of a password and made it more difficult to break the password.
Passwords that had these requirements resulted in user frustration and caused users to select predictable patterns that worked against security. Research determined that, when a capital letter was required in an extremely high number of cases, that character will be the first character for a human derived password. If symbols or numbers are required, those will tend to be appended to the end of a password merely to satisfy the requirement.
A password that is 12 characters long that does not require this combination of characters is more complex than an 8-character password that requires the combination of characters. Therefore, a password that is 12 characters long is simply more secure.
3: Implement Screening of New Passwords
We have always verbally told people not to use dictionary words, names, birthdates, or repeating characters. This is still true, NIST now recommends that software implement tools that screen passwords for these patterns and to not allow users to select passwords that have these features that can compromise the security of the passwords.
TLD Systems has one more recommendation that is not part of the NIST Guidelines. You should monitor your account for data breaches. In the past week data breaches were announced by both Facebook and LinkedIn. If you learn of a data breach that involves an account of yours, then you should change your password immediately. TLD Systems is in the process of implementing changes to its system to reflect the new guidelines.