Latest NIST guidance no longer recommends password rotation, except in the instance of a suspected system compromise. Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
NIST guidance no longer recommends password rotation
What’s the reasoning? Quantum computing will make brute force hacks significantly easier with less time, and rotating passwords “resets” the clock on these attacks.
Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
Users not using best practice isn’t a good enough reason to not recommend best practice. A password manager can handle password changes with ease (no need to reuse a password or insecurely store them), and coupled with 2FA, it’s just a solid plan.
But I would still be curious to know why password rotation is not recommended.
Password rotation leads to password reuse. If you can remember or type your password, it could be stronger. Randomly generated long passwords, different for every account, should be the bare minimum these days.
The above has been my password advice for quite a while now. Please correct me if it’s no longer considered best practice or if I’m missing something important.
Randomly generated long passwords, different for every account, should be the bare minimum these days.
Randomly generated phrases with separators, punctuation, and numbers, appear to be the strongest (and easier to type out if you are reading it off a password manager not on the same device). Just a random generated string is actually quite easy for a computer script to brute force, but so much of a pain in the ass for the user! LOL
Length is usually better than complexity!
For example, Bitwarden’s password strength test tool says this password would only take 3 years to crack (using today’s technology): s#y7s8a63@22
While this one would take centuries: this-is-way-stronger
Which one you would want to enter into your TV set when you have to log into a streaming video service? 😂
Sure you can blame the user for their failure, but your systems will be less secure because of all your users who are not doing what they are supposed to. So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
Something you know isn’t the best method to verify identity anyways; as evidenced, it is easy for someone else to learn that information. Using something the user possesses is a much better choice as the user is more likely to be aware of a loss of the object and report the security incident.
So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
We already see harmful example of suggestions being offered, not because the facts support it, but because “it’s easier for the user to follow”.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.
Well, there’s the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?
Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.
This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That’s my opinion, anyway.
Latest NIST guidance no longer recommends password rotation, except in the instance of a suspected system compromise. Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
What’s the reasoning? Quantum computing will make brute force hacks significantly easier with less time, and rotating passwords “resets” the clock on these attacks.
Users not using best practice isn’t a good enough reason to not recommend best practice. A password manager can handle password changes with ease (no need to reuse a password or insecurely store them), and coupled with 2FA, it’s just a solid plan.
But I would still be curious to know why password rotation is not recommended.
Password rotation leads to password reuse. If you can remember or type your password, it could be stronger. Randomly generated long passwords, different for every account, should be the bare minimum these days.
The above has been my password advice for quite a while now. Please correct me if it’s no longer considered best practice or if I’m missing something important.
That’s a user problem, though.
Randomly generated phrases with separators, punctuation, and numbers, appear to be the strongest (and easier to type out if you are reading it off a password manager not on the same device). Just a random generated string is actually quite easy for a computer script to brute force, but so much of a pain in the ass for the user! LOL
Length is usually better than complexity!
For example, Bitwarden’s password strength test tool says this password would only take 3 years to crack (using today’s technology): s#y7s8a63@22
While this one would take centuries: this-is-way-stronger
Which one you would want to enter into your TV set when you have to log into a streaming video service? 😂
Sure you can blame the user for their failure, but your systems will be less secure because of all your users who are not doing what they are supposed to. So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
Something you know isn’t the best method to verify identity anyways; as evidenced, it is easy for someone else to learn that information. Using something the user possesses is a much better choice as the user is more likely to be aware of a loss of the object and report the security incident.
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).
On mobile so forgive any formatting, but the text below is quoted from the NIST faq. https://pages.nist.gov/800-63-FAQ/#q-b03
Q-B05:
Is password expiration no longer recommended?
A-B05:
SP 800-63B Section 5.1.1.2 paragraph 9 states:
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
Well, there’s the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?
Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.
This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That’s my opinion, anyway.
edit: spelling