NIST shakes up password requirements, vendors approve
Vendors last week approved a recently released draft of the National Institute of Standards and Technology's (NIST's) digital identity guidelines that revises password security recommendations, altering or eliminating many of the standards and best practices security professionals have relied on for years, according to CSO Online and Threatpost.
"We are glad to see national organizations like NIST recommend an update and change to a paradigm that no longer works," Phil Dunkelberger, CEO of Nok Nok Labs told CSO.
The new framework recommends dropping some of the oldest recommended password practices, such as periodic password change requirements and arbitrary complexity rules that mandate a mix of upper-case letters, symbols and numbers.
The password requirements of yesterday are no longer effective in today’s threat environment. The bad guys know all of the tricks, so NIST wants to get rid of the old and focus on figuring out something new that might actually work.
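To make the two policies concrete, here is an added example (not code from the article, NIST or any vendor quoted here) that puts a legacy validator, with composition classes and 90-day expiry, beside a NIST-style validator that checks only length and a blocklist of known-bad passwords. The 8-character minimum, 64-character maximum and NFKC normalization are assumptions taken from the SP 800-63B draft; the blocklist is a constructed stand-in for a real breached-password list.

```python
import unicodedata

# Constructed stand-in for a real breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "passw0rd!"}


def legacy_policy(password, days_since_change=0, max_age_days=90):
    """Old-style rules: fixed character classes plus scheduled expiry.

    Returns a list of violations; an empty list means the password passes.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case")
    if not any(c.islower() for c in password):
        problems.append("no lower-case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    if days_since_change > max_age_days:
        problems.append("expired")
    return problems


def nist_style_policy(password, blocklist=COMMON_PASSWORDS, min_len=8, max_len=64):
    """NIST-style rules (assumed from SP 800-63B): length bounds and a
    blocklist check, no composition classes and no periodic expiry.

    Returns a list of violations; an empty list means the password passes.
    """
    # Normalize so visually identical Unicode forms are treated alike
    # before measuring length or comparing against the blocklist.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(normalized) > max_len:
        problems.append(f"longer than {max_len}")
    if normalized.lower() in blocklist:
        problems.append("in blocklist")
    return problems


if __name__ == "__main__":
    for pw in ["Passw0rd!", "correct horse battery staple"]:
        print(pw, "| legacy:", legacy_policy(pw), "| nist:", nist_style_policy(pw))
```

The contrast is the point: "Passw0rd!" satisfies every legacy composition rule yet sits on the blocklist, while a long, lower-case passphrase fails the legacy rules but passes the NIST-style check. The legacy validator also rejects an otherwise sound password purely because a calendar date has passed.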
More tech companies have been moving away from passwords and toward multistep and multifactor authentication and physical keys. Last month, Microsoft revealed phone sign-in for Microsoft accounts, a new sign-in feature that the company says will eliminate the traditional password. Google announced a similar approach last summer.
Other companies are looking for novel ways to verify someone's identity. Researchers at Binghamton State University recently reported they are experimenting with a new security technique for accessing medical records that would derive an encryption key from patients' electrocardiograph readings.
Traditional passwords are easily forgotten and easily stolen. More than three billion user credentials and passwords were stolen in 2016, according to a report from Thycotic and Cybersecurity Ventures. That breaks down to 8.2 million passwords stolen every day and approximately 95 passwords stolen every second. Yahoo alone, for example, disclosed cybercriminals had accessed account information for at least one billion accounts.