Ah, the necessary evil of passwords.
Those of us who have worked in organizations that require users to change passwords at set intervals know what I mean.
Typically every three to six months, users are requested to perform a password change – maybe in the form of an annoying pop-up alert. In some setups, the user is locked out of the system until a new memorable password (but one that follows the complex password creation guidelines) is set.
A commenter on Slashdot said his previous organization demanded a password change every 45 days. Gulp.
Under that pressure, is it surprising that so many users forget their new passwords or resort to cobbling together poor passwords?
But it’s no picnic for IT teams either. IT is one of the most under-resourced, yet most critical, departments in many an organization. A 'change your password regularly' policy demands that IT manage the whole process, including the cases where users forget their ‘memorable’ passwords. It takes time, effort, and money to run this security policy.
And part of the reason regular password resets have been enforced is that organizations like the United States National Institute of Standards and Technology (NIST) advocated this approach… until recently.
NIST released a draft of its Digital Identity Guidelines: Special Publication 800-63-3b. NIST no longer recommends forced password changes or additional complexity requirements when asking users to select a password.
In fact, they seem to prefer the term 'Memorized Secrets' over passwords:
“A 'Memorized Secret' authenticator (commonly referred to as a password or, if numeric, a PIN) is a secret value that is intended to be chosen and memorable by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value.”
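As an added illustration (not code from the original article or from NIST), the check below sketches how a verifier accepts a user-chosen memorized secret under the final SP 800-63B section 5.1.1.2: a length floor and ceiling plus a blocklist screen, instead of composition rules and calendar-driven expiry. The blocklist and the username/service values are constructed stand-ins.

```python
"""Memorized-secret acceptance rules in the spirit of NIST SP 800-63B 5.1.1.2.

Constructed example: BREACHED is a tiny stand-in for a real corpus of
breached passwords; a production verifier would screen against a full list.
"""
import unicodedata
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 8, 64   # 800-63B: at least 8 chars required, at least 64 allowed

# Constructed stand-in for a breached / commonly-used password list.
BREACHED = {"password", "123456789", "qwerty123", "letmein1"}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str = ""


def normalize(secret: str) -> str:
    """NFKC-normalize so visually equivalent Unicode secrets compare alike."""
    return unicodedata.normalize("NFKC", secret)


def check_secret(secret: str, *, username: str, service: str) -> Verdict:
    """Accept or reject a user-chosen memorized secret.

    No composition rules (mixed case, digits, symbols) and no expiry date:
    the only checks are length and a blocklist screen covering breached
    passwords and context-specific words such as the username or service.
    Spaces and any printable Unicode are accepted as-is.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return Verdict(False, f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        return Verdict(False, f"longer than {MAX_LEN} characters")
    lowered = s.lower()
    if lowered in BREACHED:
        return Verdict(False, "appears in breached-password list")
    for word in (username, service):
        if word and word.lower() in lowered:
            return Verdict(False, f"contains context-specific word {word!r}")
    return Verdict(True)


def rotation_required(evidence_of_compromise: bool) -> bool:
    """A change is forced only on evidence of compromise, never by the calendar."""
    return evidence_of_compromise
```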
Indeed, as far back as 2009, NIST acknowledged that enforced password changes were a source of frustration for users.
According to the NIST guidelines, the new draft rules on password policies include the following:
For the IT security industry, this is a big deal, and a contentious one. Reputable experts around the world are split on this issue.
See what side of the fence you sit on:
Arguments for regularly changing your passwords:
Arguments against regularly changing your passwords:
Oh, and before you make your decision, check out the NIST list of mitigation tactics against authenticator threats. We find it quite comprehensive. New mitigation approaches and technologies – and indeed, new threats – have changed the threatscape. See section 8.2 of the Digital Identity Guidelines draft.
The topic is certainly divisive, especially if you manage an IT environment that enforces regular password changes.
For those organizations that do consider moving away from the practice, below are some guidelines for migrating to the concept of memorized secrets.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.