New Guidance Suggests that Companies Revisit their Password Policies

By Jeff Kosseff

Companies should review their policies on the passwords required to access their information systems to ensure that they comply with evolving federal standards.

The National Institute of Standards and Technology (NIST) is revising Special Publication 800-63B, Digital Identity Guidelines for authentication. Although the NIST guidelines are drafted primarily for federal government agencies, private companies often follow NIST standards in an attempt to adopt best practices. If a company faces a regulatory action or lawsuit after a data breach, it could point to its adoption of NIST standards as evidence of adequate data security.

The May 2017 draft of the NIST guidelines suggest that organizations abandon the time-honored practice of requiring periodic password changes. Instead, the draft suggests that individuals only be required to change their passwords upon receiving evidence that the passwords were compromised.

The draft also suggests that users consider longer passwords. NIST recommends that organizations allow at least 64 characters, so that individuals could use large passphrases. NIST suggests that organizations encourage their users to make passwords "as lengthy as they want, using any characters they like (including spaces)" to increase the ease of memorization. For instance, rather than using her birthday or the name of her favorite pet, an employee might choose a few lines from her favorite song.

Notably, NIST also suggests that organizations abandon the practice of requiring composition rules (e.g., one capital letter, one numeral, and one special character).

NIST also recommends that organizations prevent users from choosing common passwords (such as "1234abcd"), dictionary words, and passwords that were compromised in previous data breaches. NIST continues to recommend that organizations limit the number of unsuccessful login attempts.

The NIST guidelines are part of the rapidly evolving expectations for passwords and other information security controls. Companies should routinely review all cybersecurity policies and procedures to ensure that they are in line with best practices.

Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.