Identity, Security Program Controls/Technologies, Endpoint/Device Security

NIST Password Guidance Should Be Well-Received

Author: Robert Clyde
Author: Robert Clyde

Many of us are creatures of habit, and changing our ways can be difficult. It is much easier to do so, however, when the new way is more convenient – not to mention more secure – than the old method.

That’s just the case with password guidance from NIST, released in June. The guidance calls for longer phrases that are easier to remember, as opposed to use of special characters, blends of uppercase and lowercase letters, and frequent password resets – all hallmarks of NIST’s previous, well-entrenched password guidance.

This move toward improved usability was not done at the cost of sound security. In fact, the creator of NIST’s previous direction on passwords, Bill Burr, acknowledged to The Wall Street Journal that the older guidance was “barking up the wrong tree,” and not based on the caliber of data that he would have preferred. The new password guidance will make for passwords that are actually more difficult to hack.

While NIST’s new guidance figures to be well-received, raising awareness is the short-term challenge.

An ISACA micro-poll, conducted just after NIST’s announcement, showed that the majority of the respondents – audit and security professionals at organizations with more than 5,000 employees – were unaware of the new guidance, and consequently unsure how quickly it could be implemented. While those results are no surprise given how fresh the guidance is, it reinforces that there is much awareness-spreading to be done – including at ISACA. We have a range of opportunities to support NIST’s guidance by updating the training and education materials we offer our professional community, as well as reinforcing the change at ISACA conferences and through our exam procedures.

At the enterprise level, changing password policies is a necessary first step before implementation. Otherwise, enterprises will be implementing password procedures that may contradict existing policies, which could cause headaches when external auditors flag the disconnect.

Emphasizing multifactor authentication is another important piece of the puzzle. The majority of respondents to ISACA’s poll indicated that less than half of their applications require two or multifactor authentication – a practice that should be adopted more widely and is strongly advocated by NIST. Multifactor authentication should be more accessible than ever given the advancement of fingerprint and facial recognition technology. Even when multifactor authentication is in use, NIST’s new password guidance remains relevant, since passwords often are among the factors being used.

We are in the early stages of what will be a major course correction on passwords. NIST’s previous guidance is heavily entrenched, with 95% of respondents to ISACA’s poll indicating their enterprise adheres to practices such as frequently causing passwords to expire and requiring passwords to contain lower and uppercase letters, numbers or special symbols. Users on the other hand, have frequently complained about the difficulty of remembering complex passwords and having to cope with expired passwords. Chances are they will welcome this more user-friendly NIST guidance.

The level of buy-in for the previous NIST password guidance did not happen overnight, and it will not be the case this time, either. But given the opportunity to simultaneously improve security and alleviate password frustrations of the status quo, it only is a matter of time before NIST’s new guidance gains widespread momentum.

Editor’s note: For additional ISACA resources related to NIST’s password guidance, see our analysis brief and a related PowerPoint deck.

Robert Clyde, CISM, is Vice-Chair of ISACA’s Board of Directors. Read more ISACA blogs here.