Most of us online have something in common, apart from having a Facebook account, that is. What makes us alike is the shared experience of managing passwords and all the inconveniences and annoyances that come along with it.
Fortunately, policy makers are starting to get that simplification doesn’t mean less secure. Recently the National Institute of Standards and Technology (NIST), the government group in charge of developing information security standards and guidelines, issued their “Digital Identity Guidelines”. The document features recommendations to government organizations on how to manage authentication and lifecycle management – including password management – These recommendations are often followed by both businesses and consumers.
The recommendations included decreasing both password complexity and the volume of forced password changes while checking passwords against regularly used credentials. At first I was surprised by the recommendations from NIST. Having worked in the security industry for 10 years, security policies created by the U.S. Federal Government have typically served to increase the complexity of the online experience. It seems like NIST has figured out that us humans – our habits and abilities – must be factored in to the security posture of a business.
Why NIST is Working to Make Things Easier
NIST’s recommendations come from a very sensible place. According to the report, “Users are seriously burdened with trying to remember multiple passwords and complex rules for password creation. In addition to having to change the passwords on a regular basis.”
As it turns out, managing a set of ever-changing passwords containing a series of letters, numbers and characters is not nearly as effective against getting hacked as you may think. As NIST themselves noted, “Even with all of these “safeguards” in place, it hasn’t stopped security breaches.”
The recommendations from NIST are on point because people will do as they will. NIST analyzed several breached password databases and determined that common rules around complex passwords are “not nearly as significant as initially thought.”
Good Recommendations Don’t Mean You Can Fall Back Upon Bad Password Habits
We still can’t ignore the facts. The NIST changes don’t give us permission to maintain poor password habits. For example, according to a January 2017 research study* published by the Pew Research Center, 84 percent of those surveyed keep track of their passwords by either writing them down on a piece of paper or memorizing them.
In fact, our own survey showed 61 percent of respondents use the same or similar password for online accounts.
Folks like you and me just want things to be simple and convenient. Our IT security teams want this too, but that is at odds with their mandates to lock down sensitive data as tightly as they can. IT pros and hackers alike know very well how people will take the path of least resistance.
While NIST works in the background on better policy, how can folks in both the public and private sectors simplify the complex relationships between people and their passwords?
For starters, a password manager like LastPass is a simple and very secure way to access all of your online accounts. All you have to do is memorize a single passphrase to serve as your master password, and that’s it (here are some of our tips on how to make a strong master password).
And if you are already using LastPass for storing and managing your passwords, be sure to take advantage of its ability to generate and store a complex password. This will meet NIST recommendations and industry best practices for using strong passwords unique to each account, while not needing to change them as frequently.
A password manager can remove end-user frustration while improving productivity, and IT teams can boost security through the elimination of poorly managed passwords in the workplace.
Check Off the Boxes With our Buyer’s Guide
We’ve recently published a Buyer’s Guide that helps businesses evaluate and compare password management solutions. This comprehensive guide will help you find a solution that is the best fit for your IT team and your entire organization.
* ”Americans and Cybersecurity” by the Pew Research Center (January 2017) polled 1,040 adults in Spring 2016.