I have lived long enough to go through several cycles of "bad" foods that are now deemed not to be so bad after all. In the 1980s, we were warned that eggs and butter were bad for your heart due to their level of cholesterol. Now, decades of nutritional studies have led to a change in dietary guidelines that take into account that eggs provide an excellent source of protein, healthy fats, and a number of vitamins and minerals. Similar reversals have been issued for potatoes, many dairy products, peanut butter, and raw nuts.
Much to my surprise, much of the old, conventional wisdom about passwords has been spun on its heels with proposed digital authentication guidelines from the United States National Institute for Standards and Technology (NIST) and an article from the Federal Trade Commission's (FTC) Chief Technologist Lorrie Cranor regarding mandatory password changes. Some of NIST's recommendations include the following:
- User-selected passwords should be a minimum of 8 characters and a maximum of 64 characters. Clearly size does matter as generally the longer the password, the more difficult it is to compromise
- A password should be allowed to contain all printable ASCII characters including spaces as well as emojis.
- Passwords should no longer require the user to follow specified character composition rules such as a combination of upper/lower case, numbers, and special characters.
- Passwords should be screened against a list of prohibited passwords—such as "password"—to reduce the choice of easily compromised selections.
- They should no longer support password hints as they often serve like a backdoor to guessing the password.
- They should no longer use a knowledge-based authentication methodology—for example, city where you were born—as data breaches and publicly obtainable information has made this form of authentication weak.
The FTC's Cranor argues in her post that forcing users to change passwords at a set interval often leads to the user selecting weak passwords, and the longstanding security practice of mandatory password changes needs to be revisited. Her position, which is backed by recent research studies, is consistent with but not as strong as NIST's draft guideline that says that users should not be forced to change passwords unless there has been some type of compromise such as phishing or a data breach. Cranor's post does not represent an official position of the FTC and recommends that an organization perform its own risk-benefit analysis of mandatory password expiration and examine other password security options.
So while I finish my breakfast of eggs, hash browns (smothered and covered, of course), and buttered toast washed down with a large glass of milk, I will continue to ponder these suggestions. I would be interested in your perspective so please feel free to share it with us through your comments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed