We Need to Talk About NIST’s Dropped Password Management Recommendations

Passwords and their protection are among the most fundamental, essential aspects of enterprise data security. They also make up the bane of most users’ relationships with their enterprise devices, resources and assets. It seems no matter how stringent or lax your password policy is, the directive will be met with dissension from a significant portion of your staff. It’s frustrating for everyone — the IT department, C-suite and employees.

Recently, the National Institute of Standards and Technology (NIST) reversed its stance on organizational password management requirements. The institute now recommends banishing forced periodic password changes and getting rid of complexity requirements.

The reasoning behind these changes is that users tend to recycle difficult-to-remember passwords on multiple domains and resources. If one network is compromised, that’s a potential risk for other domains.

Are password managers the answer? Sure, they help generate great, complex passwords and act as a vault for all of our credentials. But they still require a master password — a risk similar to using one set of credentials across platforms. So where do we go from here? Are password managers safe from compromise, or are we doomed to a future of continued password problems?

Read Forrester’s Now Tech Report on Authentication Management

Passwords: Can’t Live With ‘Em…

It’s clear that a winning formula for password management and policy isn’t one-size-fits-all. Based on my years of experience drafting and enforcing corporate password policies, most tactics fail to catch on.

Two of the best-known experts in the field — Kevin Mitnick, chief hacking officer for KnowBe4, and security pundit Frank Abagnale, made famous in the film “Catch Me If You Can” — have slightly differing opinions. But at the end of the day, their views generally echo each other.

Abagnale once told CRN that passwords themselves are “the root of all evil.” More recently, he told SecurityIntelligence that passwords “are for treehouses.”

“Many of the security issues we see today stem from passwords,” Abagnale said. “This is a 1964 technology, developed when I was 16 and still being used in 2018 — and I’m 70 years old.”

…Can’t Live Without ‘Em

Mitnick and Abagnale foresee a world in which passwords are no longer part of the security equation. But until that happens, we need to work with them. Mitnick recommended implementing simple, but long passphrases of 25 characters or more, such as “I love it when my cat purrs me to sleep.” But this is only the first step.

“The 25-character password is for the initial login to the user workstation; then you should have another 25-character password for the password,” he said. “The user only has to remember two pass-sentences, and the manager will take those credentials.”

The next step for those responsible for creating and enforcing security policy is to decide how often users must change their passwords. Mitnick recommended at least every quarter, but that depends on the type of company and its risk tolerance. Government and financial institutions, for instance, may want to enforce changes every 60 days.

How to Master the Fine Art of Multifactor Authentication

Both experts advise businesses to incorporate multifactor authentication (MFA) in their login policies. MFA requires users to present at least two credentials to authenticate: something they know (like a password), something they have (like a token) and possibly something they are (like a fingerprint or facial scan).

“I believe that this is the best of both worlds, where the CISO sleeps better at night knowing there is nothing static in the login process, and users are elated to login without passwords,” Abagnale said.

“MFA should be used wherever possible for any type of external access like VPN, Outlook Web Access or Citrix,” Mitnick added. He also warned that if you’re going to use two-factor authentication (2FA), you should implement the First IDentity Online (FIDO) Alliance’s Universal Second Factor (U2F) protocol because it can prevent a type of attack in which a user’s session key can be stolen with a phishing email.

Are Password Managers Safe?

The use of password managers is where the experts disagree. While Abagnale is doubtful about their effectiveness, Mitnick believes password managers are necessary and helpful.

“It is still so important to choose a pass-sentence [for the password manager], and to the best of your ability don’t get malware on your machine,” Mitnick said. “If you get malware on your machine with keylogger ability, it won’t matter if you have a password manager or not.”

For Abagnale, password managers are a great way to mask the issue: addressing the password problem by storing passwords.

“Some of the passwords vaults have been breached already, which emphasizes my former point about why passwords are bad for our security,” he said. “I think that we should move beyond static passwords, and not succumb to password vaults as our solution. It makes me nervous to store all my passwords in one place, and protect that with…a password.”

Never Could Say Goodbye

Finally, both Mitnick and Abagnale are bullish on companies like Trusona, a forward-thinking security business that hopes to crack the code on a password-less internet by focusing on the user experience. Trusona offers a range of MFA processes that don’t require a password. Abagnale is an adviser for the firm.

“Passwords will be here for a while,” said Mitnick. “The challenge companies like Trusona have is early adoption. It’s all about the market. Even though you have a technology out there, it doesn’t matter if nobody’s adopting it.”

According to Abagnale, that day may come in three to five years.

“The technology is already here, and now needs to be implemented,” he said. “There is reason to think that passwords may remain in legacy systems for years to come, as the cost of ripping them out is too high. Nonetheless, password-less logins are the way of the future, and companies would adopt this method once they realize the benefits.”

But passwords aren’t going away anytime soon. We are seeing progress, however, toward a day when authentication is much more secure. Until then, we are stuck with them, and the enterprise must do all it can not only to move the revolution forward, but to ensure that security awareness lives in simpatico with password policy.

Read Forrester’s Now Tech Report on Authentication Management

Mark Stone is a Hubspot-certified content marketing writer specializing in technology, business, and entertainment. He...