It appears that the United States government is FINALLY ready to recognize that easier/simpler is better, and to act on it.
While cyber breaches have become everyday news and no longer raise eyebrows, it is well understood that one of the key vulnerabilities enabling anyone to access anyone else’s data is the ease with which passwords can be obtained or breached.
The problem is that the average person has numerous places in which they store passwords and the current protocol of 6-8 characters with at least one letter being capital and at least one being a special character creates a challenge in memorizing the many different passwords a person has. Conversely, if they keep one password, it means that if someone breaches one account they have access to all of the accounts. The current system where government and corporate websites require changing passwords at regular intervals, e.g. 30 or 60 days, only compounds the problem. As such, the user is faced with a dilemma. How does one remember all of these passwords that are nonsensical, ever-changing, and usually significant in number?
The National Institute of Standards and Technology (NIST) is an agency of the Department of Commerce. The federal government is supposed to follow NIST’s directives, HHS directs Covered Entities and Business Associates to draw guidance from NIST, and NIST’s directives generally trickle down to corporate America and thereby to individual users. NIST is now developing a major overhaul to the rationale behind – and the resultant protocols for – passwords.
NIST seems to be working from the basic premises that most people already make sure no one is looking over their shoulder when they enter their passwords, and that the current system of random 6-8 character passwords mixing uppercase and lowercase letters and special characters is burdensome to computer users and, as such, may force people to write down their passwords somewhere. In addition, the small number of characters allows computer programs to run through lists (dictionaries) of previously broken and common passwords, and allows software to run through every permutation a small 6-8 character password can contain.
To answer these issues and the resulting vulnerabilities of general computer security, NIST is effectively in the final stages of developing dramatically new protocols which include:
- Minimum password size of 8 characters, maximum of at least 64 characters.
- With a strong recommendation that all passwords have a minimum of 15 characters, in an easy-to-enter, easy-to-remember phrase.
- Spaces may be used in passwords.
- All ASCII characters may be used in a password.
- All Unicode characters should (not must) be accepted for passwords, including emojis.
- Password hints and prompts shall not be used.
- Note: Using a password hint makes it too easy for an attacker to find the answer to a hint through social media etc.
- 2-factor authentication via SMS (texts to your cell phone to authenticate) is being deprecated, and may be recommended against! This is huge, as SMS may be intercepted or compromised via smartphone malware and other tactics.
- Secondary authentication with a minimum PIN size of 8 characters or 6 random digits.
- It is most likely that biometrics will become the new standard for 2-factor authentication (see next).
- Biometrics shall be bound to a specific device that uses approved encryption, with a hard limit of 10 consecutive failed attempts.
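As an added illustration (not code from the original post, nor from NIST), here is a Python acceptance check that applies the length, character-set and dictionary rules from the list above. The breached-password list is a constructed sample and the length constants are assumed values taken from the list.

```python
# Added example: a password-acceptance check following the NIST direction
# summarised above. BREACHED is a small constructed sample, not a real dataset.
import unicodedata

MIN_LEN = 8            # minimum accepted length
MAX_LEN = 64           # verifier must accept at least this many characters
RECOMMENDED_LEN = 15   # recommended minimum for a passphrase

# Constructed sample of previously breached / common passwords (hypothetical).
BREACHED = {"password", "123456", "qwerty", "letmein", "Password1!"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so the same visible text is stored the same way
    whichever keyboard or platform composed it. Internal spaces are kept."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> tuple[bool, list[str]]:
    """Return (accepted, notes). Length is counted in Unicode code points, so
    spaces, any ASCII character and Unicode (including emoji) all count."""
    pw = normalize(secret)
    problems: list[str] = []
    length = len(pw)
    if length < MIN_LEN:
        problems.append(f"too short: {length} < {MIN_LEN}")
    if length > MAX_LEN:
        problems.append(f"too long: {length} > {MAX_LEN}")
    # Dictionary check is case-insensitive: an attacker's wordlist tries both.
    if pw.lower() in {b.lower() for b in BREACHED}:
        problems.append("appears in breached/common password list")
    accepted = not problems
    notes = list(problems)
    if accepted and length < RECOMMENDED_LEN:
        notes.append(f"accepted, but {RECOMMENDED_LEN}+ characters are recommended")
    # Deliberately no composition rule: no uppercase, digit or symbol requirement.
    return accepted, notes
```

A long phrase with spaces passes without notes, a short or listed password is rejected, and a password between 8 and 14 characters is accepted with a recommendation to lengthen it.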
In summary, it appears that the direction NIST is taking favors long, easy-to-remember passwords that may be a string of sentences with full punctuation and an occasional emoji to bolster password security. It is almost like a breath of fresh air to see the government recognize that efficacy and implementation are improved by simplifying the process. If only this rationale could be extended to the myriad regulations and statutes which are growing in both volume and complexity at an alarming rate.