A change to the industry thinking on password recommendations?

My company just sent out this message to “align with cyber security industry recommendations”.

  1. Minimum 12 characters
  2. No complexity requirement—passwords may be a memorable phrase or sentence, with no required combination of letter cases, special characters or numbers

Did I miss something? Was I in the bathroom when the industry decided complexity doesn’t matter? What?!?

I get that users game the password complexity requirements sometimes, but surely the requirement is good for something.

1 Like

The issue with complexity is that it forces users that can’t remember long complex passwords to write them down.
Personally, I’d rather have a complex password.

1 Like

It should be noted that sane people recommend a password manager still, and then you can have just one complex password to manage and the rest managed for you.

1 Like

Sounds like they’re following NIST guidelines for auth policies. NIST dropped complexity requirements earlier this year.

NIST research showed that users respond to complexity requirements in predictable ways. So predictable, I suppose, that it negates cryptographic benefits of the extra characters.

The guidelines are defined in this publication if you are really curious - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

2 Likes

Yes, I use a password manager. However it is not really usable for my corporate password.

I believe that corporations who wish for more security and convenience for their employees will adapt to use 2FA for logon. Smart Cards, Yubikeys and other solutions all exist, and can be integrated into corporate login processes.

Right, now that you mention it, I seem to remember hearing that NIST news go by. I guess they have to make recommendations based on what the data tells them, but in this case, I think they drew the wrong conclusion. Complexity is still good, and storing complex passwords in an unsafe manner is bad, so why not focus on encouraging the use of password managers? We all know that this is probably the best way to handle it today, so why not show the masses how to use a password manager safely instead of telling them to go back to using “monkey” as their password? They’re sending the message that complexity is not important, which is incorrect.

I guess the point is: if “monkey” was bad and people gamed the complexity checker by using “Monkey1!”, that doesn’t mean you tell people to go back to “monkey”.

I think they’re actually wanting to send the message that length is more important than any other factor. (Because once the password hashes leak or are captured, and cracking against them starts, length is what is protecting you much more than complexity.)

Steve Gibson covered this ages ago, see his example of:

D0g.....................
vs
PrXyc.N(n4k77#L!eVdAfp9

2 Likes
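To put numbers on the length-versus-complexity point made above, here is an added example (my own code, not Gibson's and not from anything else in this thread) that implements the brute-force search-space model behind GRC's "Password Haystacks" page; it assumes a 33-character symbol class (32 ASCII punctuation marks plus the space) and an assumed attacker rate of one trillion guesses per second.

```python
import string

# Character classes and their alphabet sizes (assumption: 33 symbols,
# i.e. the 32 ASCII punctuation characters plus a space).
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), 33),
]

# Assumed offline cracking rate against leaked hashes (constructed figure).
GUESSES_PER_SECOND = 10 ** 12


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must assume, based on
    which character classes actually appear in the password."""
    return sum(size for _, chars, size in CLASSES
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search covers before it is sure
    to hit this password: every string of length 1..len over the alphabet."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time (in years) for an exhaustive search at `rate`."""
    return search_space(password) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Gibson's pair from the thread, plus the "monkey" examples above.
    for pw in ["monkey", "Monkey1!", "D0g.....................",
               "PrXyc.N(n4k77#L!eVdAfp9"]:
        print(f"{pw!r:28} alphabet={alphabet_size(pw):3} "
              f"space=2^{search_space(pw).bit_length():<4} "
              f"years={years_to_exhaust(pw):.3g}")
```

The model only measures resistance to exhaustive search; a wordlist attack finds "monkey" in a handful of guesses regardless of what this says, which is why the point is a long unpredictable phrase, not a short dictionary word.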

My corporate login (from outside my network) most definitely requires MFA. My point is that I have to type my password into my laptop to unlock it, so it's not a good use case for a password manager. For any cloud resource we use, our preference is to use SAML authentication against our ADFS environment that requires MFA.

My point was you don’t need a stupidly complex password for corporate login if you have 2FA. And then once you’re logged in, the password manager can manage all the rest.

My work recently increased the number of characters required, increased the complexity requirements, started tracking more of the previously used passwords, and started looking at what was done (not allowing sequential numbers, birth dates, anniversaries, etc. even if it was complicated)…

Still better than a school I attended. You just used your school account to log in, but different login sites had different maximum password length restrictions on the field. E.g. your password would work for the Account login, but not for the Library, and after you shortened it to work for both, it still wouldn't work for the Theatre. No, they did not use a single sign-on for each location.

Sigh…

1 Like

A school I’ve done some work for got hit over the summer. They never enforced password changes and it was easy to figure out the password. That changed…

At the end of the day, if your only protection is a single password, there have to be strong enough requirements for it that it's not easily guessed, but not so difficult that you end up with "sticky note syndrome". At a minimum, having MFA would definitely ease things, but if you aren't using it, it's a culture shock for users. Fortunately, things are much better today with options and enrollment. At one point, the only real option was a hardware key. Then when smart phones came around, you got an app for a software token. Now there are a multitude of solutions that support push, along with easy user enrollment. In reality, for a corporate environment, at this point there is really no excuse to not have MFA for any form of remote access.