Remember our series on the concept of FUIT? That was the term we used to describe users getting around IT restrictions (a.k.a. shadow IT, a result of the Consumerization of IT). Well, here’s another idea for the series: try to get your IT department to adopt the new NIST password guidelines.
We can all agree that we hate password complexity and rotation requirements. At my company, like many others, we have to rotate passwords every 90 days, we can’t use dictionary words, and they have to include a capital letter, a lowercase letter, a number, and a special character. The amount of productivity lost from users having to change their passwords in several places (laptop, phone WiFi, phone email client, etc.) is staggering, and we know people are bad at creating and remembering passwords in general.
These old complexity requirements were outlined by the US National Institute of Standards and Technology, back in 2003. However, new draft guidelines were announced in June, in NIST Special Publication 800-63B: Digital Identity Guidelines. They say:
“Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. [...] If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed.”
No time-based rotation, no special characters... as a user, this sounds great! (All those special characters are annoying to type on my phone!) There are a lot of other interesting things in the guidelines, like explicitly allowing password managers (including pasting from them) and letting users display the password as they type it (both good things to do), along with other more technical aspects. The appendix has a longer discussion about the strength of memorized secrets (i.e. passwords). The Wall Street Journal even had a story where the author of the old guidelines expressed regret and called them misguided. (This story is behind a paywall, but plenty of other tech outlets retold it.)
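To make the contrast concrete, here is a small added example (not code from this post or from NIST) of what a verifier looks like under the old composition rules versus the quoted 800-63B rule: at least 8 characters, a check against a list of compromised values, and nothing else. The compromised list, the 64-character upper bound (the spec says verifiers should accept at least that), the NFKC normalization step, and the case-insensitive comparison are assumptions made for this example rather than something the post states.

```python
import unicodedata

# Constructed breach list for this example only. In production this would be a
# real corpus of leaked passwords (e.g. a Have I Been Pwned dump), not five entries.
COMPROMISED = {"password", "p@ssw0rd!", "letmein", "qwerty123", "welcome1"}

MIN_LEN = 8      # "at least 8 characters in length if chosen by the subscriber"
MAX_LEN = 64     # assumption: accept up to 64, the floor 800-63B asks verifiers to support


def old_policy_ok(pw: str) -> tuple:
    """Legacy composition rule: 8+ chars with upper, lower, digit and special."""
    if len(pw) < MIN_LEN:
        return False, "too short (min 8)"
    if not any(c.isupper() for c in pw):
        return False, "needs an uppercase letter"
    if not any(c.islower() for c in pw):
        return False, "needs a lowercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "needs a digit"
    if not any(not c.isalnum() for c in pw):
        return False, "needs a special character"
    return True, "ok"


def _normalize(pw: str) -> str:
    # Assumption: NFKC so that visually identical inputs typed on different
    # keyboards compare equal; each Unicode code point then counts as one character.
    return unicodedata.normalize("NFKC", pw)


def nist_policy_ok(pw: str, compromised=COMPROMISED) -> tuple:
    """Length bounds plus a compromised-value check; no composition or rotation rules."""
    pw = _normalize(pw)
    if len(pw) < MIN_LEN:
        return False, "too short (min 8)"
    if len(pw) > MAX_LEN:
        return False, "too long (max 64)"
    # Assumption: compare case-insensitively so trivial capitalisation of a
    # leaked password is still rejected.
    blocked = {c.casefold() for c in compromised}
    if pw.casefold() in blocked:
        return False, "appears on compromised list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs showing where the two policies disagree.
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "Tr0ub4dor&3", "short1!"]:
        print(f"{candidate!r:34} old={old_policy_ok(candidate)}  nist={nist_policy_ok(candidate)}")
```

The interesting rows are the first two: "P@ssw0rd!" satisfies every composition rule yet is exactly the kind of leaked value the new rule rejects, while a long passphrase with no capitals or digits fails the old policy and passes the new one.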
Of course, unlike the rest of our FUIT series, this isn’t something users can do on their own. But like other ideas some IT departments once resisted (such as enterprise file sync and share, cloud email, and BYOD) this is something that users would certainly appreciate, and could pay off in terms of productivity.
Adopting the new guidelines may end up happening alongside other projects (like MFA, IDaaS, and conditional and behavior-based access), and in general this is a deep topic that companies will certainly take a lot of time to consider. But either way, it’s time to re-examine identity and access management practices, including password complexity and rotation rules.