John Martin’s Post

𝗚𝗼𝗼𝗱𝗯𝘆𝗲 𝘁𝗼 𝗖𝗼𝗺𝗽𝗹𝗲𝘅 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀 𝗮𝗻𝗱 𝗠𝗮𝗻𝗱𝗮𝘁𝗼𝗿𝘆 𝗥𝗲𝘀𝗲𝘁𝘀!  NIST has recently updated draft version password guidelines. The new recommendations eliminate two long-standing practices: 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗖𝗼𝗺𝗽𝗹𝗲𝘅𝗶𝘁𝘆 𝗥𝗲𝗾𝘂𝗶𝗿𝗲𝗺𝗲𝗻𝘁𝘀: No more mandatory combinations of uppercase, lowercase, numbers, and symbols! Research shows that complexity doesn’t necessarily mean better security, and often leads to weaker password practices (like reusing passwords across platforms). 𝗠𝗮𝗻𝗱𝗮𝘁𝗼𝗿𝘆 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗥𝗲𝘀𝗲𝘁𝘀: Regularly resetting passwords might seem secure, but it can lead to simpler, easier-to-guess passwords over time. NIST now encourages a shift towards using multi-factor authentication (MFA) and monitoring for suspicious activity instead. These changes are part of a broader move toward prioritizing usability without compromising security. Reviewers are encouraged to comment and suggest changes via [email protected]. Deadline by 11:59pm Eastern Time on October 7th, 2024 What are your thoughts on this update? Will it simplify things for users while maintaining security? https://lnkd.in/gnhhrh3Q

Passwords may seem straightforward, but they can waste a lot of resources. From getting locked out of all applications or your laptop, to password resets and calls to the help desk, it's clear that passwords need modernization, especially with the rise of modern MFA (Multi-Factor Authentication) security enhancements. NIST, a U.S. government agency under the Department of Commerce, provides a framework of standards, guidelines, and best practices to help organizations effectively manage and reduce cybersecurity risks. Research has shown that typical password rules, like adding symbols or numbers, don't always make passwords significantly safer, as people often use predictable patterns. Longer passwords without obvious patterns are actually harder for attackers to crack. MFA enhances security by adding extra layers beyond just the password, such as a code sent to your phone or a fingerprint scan. Even if an attacker guesses your password, they still need another form of verification to access your account, making it much more secure. The days of static passwords and port-security are gone. Don't just modernize your password policy—modernize your entire authentication policy. This common-sense change requires a culture shift, but it's necessary, and now you have the documentation to support that change. https://lnkd.in/exZKkBaG

Funny timing writing about this last week and Hacker News hosting a webinar this week. Still time to catch it: * Mon, 7 Oct, 2024 12:30 PM Eastern Daylight Time * Tue, 8 Oct, 2024 01:00 PM Eastern Daylight Time * Tue, 8 Oct, 2024 05:00 PM Eastern Daylight Time * Wed, 9 Oct, 2024 11:00 AM Eastern Daylight Time What you will learn: * The State of Passwordless: Understand where passwordless solutions are being implemented successfully and how that plays a role in password security today. * The Role of MFA: Learn how MFA serves as a critical layer of security, providing enhanced protection even in a passwordless environment. We will discuss different types of MFA methods and how they can be effectively integrated. * Challenges and Considerations: the potential challenges and security considerations that come with implementing a passwordless strategy, and why passwords still play a crucial role in certain scenarios. * Security Authentication Today: Best practices today for security and authentication and the roles of passwords and MFA. https://lnkd.in/eeqWFmC4

One again, NIST recommended the right thing!!! NIST recently published SP 800-63-4, the latest version of the NIST Digital Identity Guidelines. A section of this document provides some much-needed password guidance, and end users will likely be happy once the authenticators embrace this new guidance! Here is what NIST is recommending! ** SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords ** SHALL NOT require users to change passwords periodically. ** SHALL force a change if there is evidence of compromise of the authenticator ** SHOULD require passwords to be a minimum of 15 characters in length ** SHOULD permit a maximum password length of at least 64 characters ** SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords ** SHOULD accept Unicode [ISO/ISC 10646] characters in passwords ** SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords. ** SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant ** SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords. Here is the NIST doc. https://lnkd.in/eXemiqZY #password #password #security

The National Institute of Standards and Technology (NIST) recently released the updated Special Publications (SP) 800-63B, outlining the technical guidelines for organisations implementing digital identity services. See https://lnkd.in/gVT3sDei The "Password Verifiers" section outlines a 𝗺𝗼𝗿𝗲 𝗺𝗼𝗱𝗲𝗿𝗻 𝗮𝗽𝗽𝗿𝗼𝗮𝗰𝗵 𝘁𝗼 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 and the move away from overly complex passwords and password policies. Instead, it emphasises using longer passwords and passphrases with more memorable combinations of words that reduce the predictability patterns that make them easier to crack. The new password requirements include several key updates: • 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗟𝗲𝗻𝗴𝘁𝗵: Emphasis is placed on 𝗹𝗼𝗻𝗴𝗲𝗿 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀 rather than complex composition rules. The minimum recommended length is 8 characters, the suggested length is 15, and the maximum length of at least 64 characters. • 𝗖𝗼𝗺𝗽𝗼𝘀𝗶𝘁𝗶𝗼𝗻 𝗥𝘂𝗹𝗲𝘀: Traditional complexity requirements (e.g., including uppercase letters, digits, and symbols) are 𝗻𝗼 𝗹𝗼𝗻𝗴𝗲𝗿 𝗿𝗲𝗰𝗼𝗺𝗺𝗲𝗻𝗱𝗲𝗱. Instead, users are encouraged to create longer, more memorable passwords. • 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗘𝘅𝗽𝗶𝗿𝗮𝘁𝗶𝗼𝗻: Routine 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗲𝘅𝗽𝗶𝗿𝗮𝘁𝗶𝗼𝗻 𝗶𝘀 𝗱𝗶𝘀𝗰𝗼𝘂𝗿𝗮𝗴𝗲𝗱 unless there is evidence of a compromise. • 𝗦𝗰𝗿𝗲𝗲𝗻𝗶𝗻𝗴 𝗔𝗴𝗮𝗶𝗻𝘀𝘁 𝗖𝗼𝗺𝗺𝗼𝗻 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀: Passwords should be 𝗰𝗵𝗲𝗰𝗸𝗲𝗱 𝗮𝗴𝗮𝗶𝗻𝘀𝘁 𝗹𝗶𝘀𝘁𝘀 𝗼𝗳 𝗰𝗼𝗺𝗺𝗼𝗻𝗹𝘆 𝘂𝘀𝗲𝗱 𝗼𝗿 𝗰𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲𝗱 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀 to prevent easy guessing. • 𝗡𝗼 𝗞𝗻𝗼𝘄𝗹𝗲𝗱𝗴𝗲-𝗕𝗮𝘀𝗲𝗱 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻: Knowledge-based authentication (e.g., first pet) is 𝗱𝗶𝘀𝗰𝗼𝘂𝗿𝗮𝗴𝗲𝗱 due to its known vulnerability. • 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗠𝗮𝗻𝗮𝗴𝗲𝗿𝘀: Password managers are 𝗲𝗻𝗰𝗼𝘂𝗿𝗮𝗴𝗲𝗱 𝘁𝗼 𝗵𝗲𝗹𝗽 𝘂𝘀𝗲𝗿𝘀 𝗺𝗮𝗻𝗮𝗴𝗲 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀 securely. We always recommend implementing MFA and Conditional Access Policies to help protect your identities even further. And of course, you can always move to use passwordless authentication (or passkeys) and negate the need for a password at all! #BareCoveTechnology

Following much debate, NIST has revised its password best practices: No More Mandatory Password Changes NIST no longer recommends mandating regular password changes. The reasoning behind this suggestion is that people are more likely to make small adjustments to their current passwords when they change them frequently, which makes them weaker. Prioritize Length over Complexity Instead of complex password rules, NIST emphasizes the importance of password length. Longer passwords are generally more secure and easier for users to remember. Elimination of Arbitrary Complexity Rules NIST recommends removing requirements for special characters, uppercase letters, and numbers. Attackers can exploit the predictable patterns these rules often produce. Promotion of Password Managers It is now recommended that users utilize password managers to assist them in creating and organizing strong, distinct passwords for various accounts. Implementation of Multi-Factor Authentication MFA is highly recommended by NIST as an additional layer of security above passwords (this sounds like a no brainer). Password Screening It is recommended that organizations compare passwords with databases that contain compromised or frequently used passwords. This helps prevent the use of weak or previously exposed passwords. User-Friendly Policies The new rules' goal is to make password policies easier to use while still keeping users safe and reducing their frustration. These suggestions highlight a paradigm shift in password security by focusing on realistic actions that improve safety and ease of use.

NIST's New Password Guidelines: Simplicity Over Complexity In a significant shift, the National Institute of Standards and Technology (NIST) has made changes to its password management best practices, dropping long-standing rules around password complexity and mandatory resets. The latest draft of NIST’s password guidelines (SP 800-63-4) reflects an evolving understanding of what truly enhances security. Here's what's new: No More Complexity for Complexity's Sake NIST is no longer recommending that users create passwords with a mix of uppercase, lowercase, numbers, and special characters. Why? Because complexity doesn’t always mean stronger security—think "Password123!" Complex passwords often end up being predictable, reused, or written down. No More Routine Password Resets Gone are the days of mandatory resets every 60-90 days. Research shows frequent changes can lead to weaker, easier-to-guess passwords. Going forward, resets are recommended *only if there’s a known breach*. Instead of complexity, the new focus is on *password length*: - Minimum of 8 characters (but I highly recommend at least 15) - Support for passwords up to 64 characters - Allowing ASCII and Unicode characters Why length matters? To put it in perspective, while the new guidelines allow for an 8-character minimum, an 8-character password can be cracked in minutes using modern brute-force techniques. In contrast, a 15-character password could take centuries to crack with the same tools. The difference in security is enormous, which is why I recommend adopting the a 15-character password length whenever possible. This shift in NIST’s language is also critical: what were once suggestions are now requirements, using “shall not” instead of “should not.” By removing complexity requirements and focusing on length, NIST aims to create password guidelines that foster security without sacrificing usability. Longer passwords are harder to crack and easier to remember. Although NIST’s minimum is 8 characters, aiming for 15 or more will significantly boost your security. Organizations should adopt these updated guidelines to reduce risks and simplify password management for users. #Cybersecurity #NIST #PasswordSecurity #TechUpdates #InformationSecurity #BestPractices #PasswordLengthMatters #AdvisorDefense https://lnkd.in/dHpmsnpC

NIST's updated guidelines for password security now state: Verifiers and credential service providers (CSPs) must not impose specific character composition rules (like requiring a mix of character types). Verifiers and CSPs must not require periodic password changes, except in cases where there is evidence of a security compromise. The updated guidelines also include several other changes: Passwords must be at least eight characters long, with a recommendation of a minimum of 15 characters. Systems should allow passwords up to 64 characters in length. All printable ASCII characters, including spaces, should be allowed in passwords. Unicode characters should also be permitted, with each character counted as one unit for password length purposes. Password truncation should not be allowed, meaning the full password must be verified. Systems must not offer password hints accessible to unauthorized users. Knowledge-based authentication (like security questions) should no longer be used. https://lnkd.in/enWCvZtG

We keep hearing that passwords should be rotated periodically. Vendors like to showcase how they check and enforce rotation policies. Security consultants check whether it is implemented and stress how important it is. Relevant standards and frameworks (ENS, I'm looking at you) require organizations to implement it. Sorry, but blindly enforced password rotation policies are dumb and always have been. Password rotation represents a tradeoff between different risks; enforcing password rotations for all users is a clear net loss. SANS has been suggesting ending the practice for years. Now, the latest update to NIST Special Publication SP800-63 finally states: "Verifiers and CSPs [Credential Service Providers] SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." https://lnkd.in/dXkG8e-r How long will it take that idea to reach security consultants, auditors, standards and regulations?

NIST Recommends New Guidelines For Password Security: The updated guidelines also include several other changes: - Passwords must be at least eight characters long, with a recommendation of a minimum of 15 characters. - Systems should allow passwords up to 64 characters in length. - All printable ASCII characters, including spaces, should be allowed in passwords. - Unicode characters should also be permitted, with each character counted as one unit for password length purposes. - Password truncation should not be allowed, meaning the full password must be verified. - Systems must not offer password hints accessible to unauthorized users. - Knowledge-based authentication (like security questions) should no longer be used. Read the full document here: https://lnkd.in/ghYgfUhV