We’ve all heard the password guidance suggesting length, special characters, and a regular change of your password. Well, it turns out this guidance – and the use of security questions – may not be the best approach to protecting access and identity.

Old Guidance and Techniques

Password policies and guidance have delivered the same recommendations for many years: use a long password, use both upper- and lowercase letters, use numbers, use special characters, don’t use repeating characters, don’t use your name, don’t use calendar dates. And remember to change your password regularly.

A more recent access protection technique, security questions (also known as knowledge-based authentication), requires the person presenting an identity to prove ownership of it by supplying private information that only the real owner should know. So, if you’ve ever been asked ‘Where did you attend high school?’ when creating an account, you’ve encountered a security question.

Recently published guidelines from the US National Institute of Standards and Technology (NIST) encourage users and organizations to rethink the use of passwords and security questions.

The NIST Digital Identity Guidelines

NIST recently published their Digital Identity Guidelines, and there are several recommendations that radically change how you should approach your next password creation or login activity.

Forget complexity. NIST notes that password composition rules, which require the user to choose passwords constructed from a mix of character types (such as at least one digit, one uppercase letter, and one symbol), are not as beneficial as once thought, and that their impact on usability and memorability is severe, causing users to find workarounds that are harmful to security. NIST also notes that many attacks associated with the use of passwords are not affected by password complexity or length.

Cyber security expert Stefan Savage notes:

“…it’s deeply ingrained in corporate culture that we are taught we have to have long, complicated passwords and change them frequently. And that one makes a ton of sense on its face. But it turns out that those ideas aren’t actually borne out by measurement, because when people pick their passwords, they don’t actually pick them randomly. And if you tell people, all right, we need you to put numbers in your passwords and they haven’t before, then they’re going to replace I’s with ones and E’s with threes. In fact, these rules frequently make us less secure, people pick less good passwords.”

Focus on length. NIST does advocate for longer passwords, noting that password length has been found to be a primary factor in characterizing password strength. Users should be encouraged to make their passwords as lengthy as they want, within reason. Furthermore, NIST also mentions the use of passphrases (for example, MyfavoritecomiccharacterisCharlieBrown), which are a way to construct memorable and lengthy passwords.

Ditch the regular change. NIST doesn’t recommend that verifiers insist on periodic password changes, except in the event of a security compromise. Research has shown that this practice isn’t effective because users often make only a minor change when prompted to change their password. Doing away with periodic password changes would relieve the IT department of a burden and remove a source of frustration for users.
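To make the contrast between the old guidance and the NIST recommendations concrete, here is an added example (written for this post, not code from NIST or from any product) that puts the two verifier policies side by side: a legacy composition-rule checker, and a checker in the style of SP 800-63B that enforces a minimum length, accepts long passphrases, applies no composition rules, and instead screens against a compromised-password blocklist and context-specific words. The blocklist, the sample passwords and the `rotation_required` helper are constructed for illustration.

```python
import re

# Constructed stand-in for a breached-password corpus of the kind SP 800-63B
# tells verifiers to screen against. A real deployment would use a large,
# regularly refreshed list, not a handful of hard-coded strings.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd", "tr0ub4dor&3",
}


def legacy_policy(password: str) -> list[str]:
    """Composition-rule policy of the kind the post calls 'old guidance'.

    Returns the list of rules the password breaks (empty means accepted).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if re.search(r"(.)\1", password):
        problems.append("repeated character")
    return problems


def nist_style_policy(password: str,
                      blocklist: set[str] = BREACHED_PASSWORDS,
                      context_words: tuple[str, ...] = ()) -> list[str]:
    """Policy following the SP 800-63B points summarized in the post.

    Length floor, a generous ceiling, no character-class rules, and a check
    against known-compromised values and context-specific words (the service
    name, the username) instead.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:  # SP 800-63B: verifiers SHOULD permit at least 64
        problems.append("longer than the 64 characters this verifier accepts")
    normalized = password.lower()
    if normalized in blocklist:
        problems.append("appears in the compromised-password list")
    for word in context_words:
        if word.lower() in normalized:
            problems.append(f"contains context-specific word '{word}'")
    return problems


def rotation_required(days_since_change: int, known_compromised: bool) -> bool:
    """Expiry decision under the 'ditch the regular change' recommendation:
    the age of the password alone never forces a change; evidence of
    compromise always does."""
    return known_compromised


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "MyfavoritecomiccharacterisCharlieBrown"):
        print(candidate)
        print("  legacy :", legacy_policy(candidate) or "accepted")
        print("  nist   :", nist_style_policy(candidate, context_words=("acme",)) or "accepted")
```

Running it shows the point Stefan Savage makes above: the leetspeak-style password satisfies every composition rule yet is rejected by the NIST-style check because it sits in the breach list, while the long passphrase fails three composition rules (no digit, no special character, the doubled `cc` in `comiccharacter`) and is accepted by the NIST-style check.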

Security questions are not so secure. NIST recommends that verifiers do not use knowledge-based authentication (aka security questions) as a way to authenticate. This is because many of the answers can be discovered now via social media or can be determined by brute force by an attacker. As an example, former governor Sarah Palin’s email was accessed by using secret questions, including “where did you meet your spouse?”, along with date of birth and ZIP code – answers to which were easily available online.

If you do find yourself confronted with a security question, consider following the advice of KrebsOnSecurity: it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

Password Managers Make Sense

Finally, don’t forget the value of password managers in generating, storing, and entering a secure password when you need one. There are instances when you can’t use a password manager (like unlocking your computer) but, when you can, using a password manager is a good solution.
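The two pieces of user-side advice above, unguessable security-question answers and a password manager that generates strong credentials, come down to the same operation: drawing from a cryptographically secure random source and measuring how much you drew. The following added example (written for this post, not taken from any password manager) builds a diceware-style passphrase from a wordlist and a random string to use as a security-question answer, and reports the entropy of each so that the two can be compared. The embedded wordlist is a constructed sample; the 7776-word size used in the entropy comparison is that of the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed sample wordlist. A real generator would draw from thousands of
# words (the EFF long wordlist has 7776), which is what makes each word worth
# nearly 13 bits; with only 16 words each draw is worth just 4 bits.
SAMPLE_WORDLIST = [
    "apple", "river", "comic", "candle", "orbit", "velvet", "marble", "tiger",
    "pillow", "garden", "rocket", "silver", "copper", "meadow", "anchor", "lantern",
]

# Answer alphabet: letters and digits only, so the value pastes cleanly into
# forms that reject punctuation.
ANSWER_ALPHABET = string.ascii_letters + string.digits


def passphrase(words: int = 5, wordlist: list[str] = SAMPLE_WORDLIST,
               sep: str = "-") -> str:
    """Join `words` uniformly random words from `wordlist` (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` uniform draws from a list of that size."""
    return words * math.log2(wordlist_size)


def random_answer(length: int = 20) -> str:
    """A security-question 'answer' that cannot be looked up anywhere: it is
    random, so it lives in the password manager alongside the password."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length: int) -> float:
    return length * math.log2(len(ANSWER_ALPHABET))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of `wordlist_size` entries that
    reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("passphrase (sample list):", passphrase())
    print("  entropy with this 16-word list :",
          round(passphrase_entropy_bits(5, len(SAMPLE_WORDLIST)), 1), "bits")
    print("  entropy with a 7776-word list  :",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
    print("security-question answer:", random_answer())
    print("  entropy:", round(random_answer_entropy_bits(20), 1), "bits")
    print("words from a 7776-word list for 80 bits:", words_needed(80, 7776))
```

The entropy figures are the reason the passphrase advice and the password-manager advice belong together: five words from a large list give a memorable phrase with over 60 bits of entropy, whereas a random 20-character answer gives about 119 bits but is not something anyone memorizes, so it only works if a manager stores it.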

For More Information:

NIST Special Publication 800-63B, Digital Identity Guidelines