The New Thinking on Password Security Might Surprise You
The National Institute of Standards and Technology (NIST) wants IT teams to rethink password complexity and frequency. Why? It appears all those password resets and complicated combos of letters, numbers, and symbols haven’t worked.
It’s the end of password complexity as we know it.
After years of urging companies to enforce frequent password resets and require employees to use complicated passwords containing letters, numbers, and symbols, NIST issued some surprising new guidance, because, it turns out, none of that old stuff works.
The recently updated NIST recommendations call for passwords to be between 15 and 64 characters long and suggest companies use random password generators and password managers to keep codes safe.
The new guidance surprised parts of the industry, although NIST members had been moving in this direction for a few years. In fact, Bill Burr, a mid-level manager who authored the 2003 NIST paper advising people to use complex passwords, has acknowledged the advice was incorrect. “Much of what I did I now regret,” Burr, now retired, told The Wall Street Journal in 2017.
Roger Grimes, a renowned authentication expert with KnowBe4, says that, even as companies have adhered to guidance on complexity, there hasn’t been much – if any – evidence that crafting passwords in any particular way can make them unhackable.
“Hackers today can break even 18-character complex passwords if they’re not truly random,” he explains. “Complexity creates the illusion of security, but in practice, it often leads to predictable patterns or even reused passwords across sites.”
That view appears to be at the core of NIST’s new guidance, which suggests that simple, 19-character passphrases like “OfficeLunchOrder2024” are more secure than more complex, 10-character passwords like “P@ssw0rd1!” because they take longer to crack using brute-force methods.
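The comparison above, worked through as an added example (not code from the article): it estimates the search space a blind character-level brute force faces for the two passwords, and then, following Grimes’s point about non-random passphrases, what the same passphrase costs an attacker who guesses “a few common words plus a year” instead. The 10,000-word vocabulary and 100-year range are assumptions for the example.

```python
import math
import string

# Added example: compare attacker effort under two guessing models.

def charset_size(password: str) -> int:
    """Size of the alphabet a character-level brute force would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size

def brute_force_bits(password: str) -> float:
    """log2 of the search space for a blind character-by-character brute force."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def wordlist_bits(word_count: int, vocabulary: int = 10_000, years: int = 100) -> float:
    """log2 of the search space when the attacker guesses 'N common words + a year',
    the non-random pattern Grimes warns about. Vocabulary size and year range are
    assumptions for this example, not figures from the article."""
    return word_count * math.log2(vocabulary) + math.log2(years)

def compare(short_complex: str, long_passphrase: str, words_in_passphrase: int) -> dict:
    """Bits of work for the article's two examples under each attacker model."""
    return {
        "complex_10char_bruteforce": round(brute_force_bits(short_complex), 1),
        "passphrase_bruteforce": round(brute_force_bits(long_passphrase), 1),
        "passphrase_wordlist": round(wordlist_bits(words_in_passphrase), 1),
    }

if __name__ == "__main__":
    # The passphrase wins against blind brute force, but a word-pattern guesser
    # shrinks its search space below that of the 10-character password.
    print(compare("P@ssw0rd1!", "OfficeLunchOrder2024", 3))
```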
“Highly complex passwords introduce a new potential vulnerability: They are less likely to be memorable and more likely to be written down or stored electronically in an unsafe manner,” the NIST proposal states.
Stop forcing password changes
One of NIST’s more eye-opening new recommendations is that organizations stop requiring regular password changes. For years, many IT teams have enforced 60- or 90-day rotations, believing it would minimize the threat of password theft.
However, in shifting its recommendation, NIST acknowledged that frequent password changes can create more complications than they cure. Time-strapped and impatient users regularly update their passwords by plugging in newer versions that repeat old, weak, and easily discovered patterns – like changing Summer2024 to Fall2024.
Remarkably, NIST goes a step further, saying organizations don’t have to require password resets until there’s been a breach. NIST argues this will reduce the cognitive load on employees and allow IT to focus on genuine security threats instead of arbitrary password resets. Both go a long way toward enhancing the overall employee experience.
Grimes believes that advice goes too far because it ignores the fact that password weaknesses, themselves, can lead to breaches.
“Most people don’t know their passwords have been compromised,” he says. “If you tell people ‘Don’t change your passwords,’ and they don’t change them over years, one or more password patterns will end up on these password dump lists and put the organization at risk.”
Multifactor authentication: the key to a secure enterprise?
In addition to amending its password guidelines, NIST underscored the importance of multifactor authentication (MFA) for enterprise security. Unfortunately, while nearly 97% of large organizations enforce password policies, only 38% use MFA enterprise-wide, according to a recent KnowBe4 survey.
That exposes a gap, to be sure. However, that gap might still exist for companies using MFA because, unbeknownst to them, most are using outdated approaches like SMS – and hackers have been targeting those systems with increasing success. One technique they’re using is MFA fatigue, where users become overwhelmed by repeated MFA prompts, leading them to approve fraudulent requests out of frustration or habit. Hacking poorly secured companies providing MFA services to businesses is another. Earlier this year, for instance, a vendor handling Cisco’s MFA was compromised through a social engineering attack.
Andrew Shikiar, CEO of the FIDO Alliance, a global industry consortium dedicated to eliminating the world’s reliance on passwords, says that something better is here: passkeys based on the organization’s FIDO2 framework.
Passkeys rely on cryptographic key pairs rather than shared secrets like passwords, which a user (hopefully) knows and types in and which are also stored on some organization’s server. This makes them far more resistant to brute-force and social engineering attacks, like those used to overwhelm older MFA approaches.
Passkeys are almost impossible to phish because they use public and private key pairs where all authentication happens through an encrypted dialogue between the keys, preventing attackers from tricking users into revealing sensitive information. This dialogue only happens after the user verifies themselves locally to their device, typically with the same simple action they use to unlock it, such as a phone’s biometric (FaceID, for example) or PIN code.
What NIST’s guidance means for passwords, passkeys – and your organization
Will passkeys finally end passwords?
Even Shikiar, one of their loudest proponents, admits passwords are so ingrained in businesses that they’ll be difficult to purge. Still, he notes the password-less FIDO framework is gaining momentum with backing from significant platform providers like Apple, Google, and Microsoft. More than 20% of the world’s top websites now support passkeys, he adds, and millions of Amazon and Bank of America customers are already logging on with them.
“We’re seeing growing enterprise interest in passkeys because they provide a stronger defense against today’s most common attack vectors—phishing and credential stuffing,” he says.
NIST’s guidelines are just that: guidelines. IT organizations can take or leave them. Grimes notes that many organizations weren’t following the earlier guidelines in the first place. Nevertheless, experts recommend companies at least consider the new recommendations along with a few best practices for reducing risk and improving your security posture, including:
1. Emphasize password length over complexity
Require passwords or passphrases that are easier for employees to remember – but 18 characters or longer. The goal is to move away from “P@ssw0rd!” and toward something like “ProjectKiteboard2025.”
2. Limit forced password changes
Unless there’s been a specific incident or breach, there’s no need to force employees to change their passwords as frequently as they have been. Grimes says that, even though NIST’s suggestion is that resets aren’t necessary until there’s been a breach, it would be wise to mandate password changes about once a year.
3. Require MFA wherever possible
Enable and enforce MFA as widely as possible, especially for sensitive accounts or critical business systems. Change Healthcare, one of the world’s largest health payment processing companies, learned that lesson the hard way. Earlier this year, the UnitedHealth unit, which handles 15 billion medical claims each year, was knocked offline because it wasn’t using MFA. It’s estimated a third of Americans had their sensitive information leaked to the dark web as a result.
4. Provide password managers to employees
Shikiar notes every password is potentially phishable. Every password is hackable. “So, if you’re still relying on passwords, it’s better to have them protected by a password manager,” he says. They’re not infallible. They, too, can be hacked. However, by generating and using random passwords that are unique for every site and service, they can help reduce phishing threats.
“If you can’t use phishing-resistant MFA, use MFA. If you can’t use MFA, use a password manager,” says Grimes. “If most people did that, they’d be far better off. If you’re not using a password manager, you might be putting your company at risk.”
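A password policy check that applies practices 1 and 2 from the list above, as an added example that is not from the article or from any vendor quoted in it: it enforces the 15-to-64-character length range instead of composition rules, rejects candidates that appear on a (constructed) password dump list of the kind Grimes describes, and flags the Summer2024-to-Fall2024 style of rotation the piece warns about. The dump list contents, the season and month pattern, and the NFKC normalization step are assumptions of this example.

```python
import re
import unicodedata

# Constructed stand-in for a breached-password dump; a real deployment would
# load a full corpus of known-compromised passwords (assumption, not article data).
DUMP_LIST = {"summer2024", "fall2024", "p@ssw0rd1!", "welcome123456789"}

MIN_LENGTH = 15  # lower bound quoted in the article
MAX_LENGTH = 64  # upper bound quoted in the article

# Season- or month-plus-year passwords: the predictable rotation pattern the
# article cites (Summer2024 -> Fall2024). Assumed list, extend as needed.
SEASONAL = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|"
    r"june|july|august|september|october|november|december)\d{2,4}[!@#$%]*$",
    re.IGNORECASE,
)

def validate_password(candidate: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted.
    Length and a dump-list lookup replace composition rules: no symbol, digit or
    case requirement is imposed, so long memorable passphrases pass."""
    problems = []
    normalized = unicodedata.normalize("NFKC", candidate)  # compare equivalent forms alike
    if len(normalized) < MIN_LENGTH:
        problems.append(f"too short ({len(normalized)} < {MIN_LENGTH})")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"too long ({len(normalized)} > {MAX_LENGTH})")
    if normalized.lower() in DUMP_LIST:
        problems.append("found in known password dump")
    if SEASONAL.match(normalized):
        problems.append("predictable season/month + year pattern")
    return problems

def is_trivial_rotation(old: str, new: str) -> bool:
    """True when 'new' is 'old' with only digits or symbols changed
    (Summer2024 -> Summer2025), i.e. a forced reset that bought nothing."""
    def letters_only(s: str) -> str:
        return re.sub(r"[\d\W_]+", "", s).lower()
    return letters_only(old) == letters_only(new)

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Fall2024", "ProjectKiteboard2025"):
        print(pw, "->", validate_password(pw) or "accepted")
    print(is_trivial_rotation("Summer2024", "Summer2025"))
```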
Organizations that embrace these changes will reduce their attack surface and simplify security for their teams. To coin a phrase, “Passwords are the cockroaches of the internet—they’re hard to kill.” But with tools like unphishable MFA, passkeys, and password managers, IT organizations can finally secure them in ways that don’t annoy users and exhaust their own staff.