
The National Institute of Standards and Technology (NIST) is a government agency tasked with creating cybersecurity standards and best practices for both the Federal Government and for the private sector alike.

The organization’s guidelines are the basis for many regulatory standards around the world but are also relevant to organizations in non-regulated industries since NIST guidelines are based on established best practices.

Although most organizations are not required by law to comply with NIST standards, it is usually in an organization’s best interest to follow NIST’s cybersecurity standards since doing so can help an organization to be better protected against cyber-attack.

This is especially true for NIST’s password guidelines. Even if an organization has already brought its password policy in line with NIST’s recommendations, it is a good idea to periodically revisit those recommendations since they do change over time.

The password update problem

Perhaps the best example of this is the fact that for decades best practices stated that users should be required to change their passwords on a periodic basis. Somewhat ironically, however, requiring frequent password changes can lead to users choosing weaker passwords.

The problem is that over time, organizations have required users to use increasingly complex passwords. While long and complex passwords are difficult for an attacker to crack, they are also difficult for a legitimate user to remember.

When users are forced not only to use such passwords, but also to change them frequently, they will inevitably resort to doing things that make their passwords less secure. This might include writing their password down or creating new passwords that are simply variations of previous passwords.

Cracking passwords with transformations

A study by the University of North Carolina at Chapel Hill confirms why this behavior is so dangerous. For the study, researchers were provided with 10,000 accounts belonging to former students and staff members.

The former owners of these accounts had been required to change their password every three months. Researchers were given a minimum of four of the previous passwords associated with each account and asked to try to figure out the current password based on previous passwords.

Rather than attempting to crack passwords using brute force, the researchers tried to guess passwords based on the use of transformations. Transformation examples might include incrementing a digit at the end of a password, transposing two characters, or replacing a character with a similar looking symbol (such as replacing S with $).

Ultimately, the researchers were able to figure out users’ current passwords based on previous passwords for 17% of the accounts.

This experiment underscores the dangers of routine, forced password changes. It also demonstrates why password recommendations must evolve over time if they are to remain effective.

Not surprisingly, NIST no longer recommends scheduled password changes. Instead, the NIST password guidelines essentially state that organizations should screen passwords against a list of passwords that are known to be compromised. If a password has not been compromised, then there is no reason to change it.
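The two defensive checks described above, rejecting a new password that is only a small transformation of a previous one (incremented digit, swapped characters, look-alike substitutions) and screening it against a list of known-compromised passwords, as an added Python example. This is not code from the article, the UNC study or Specops Password Policy. The compromised-hash set and the substitution table are constructed here for illustration; a real deployment would hold a breach corpus of billions of hashes, and the similarity check would run at change time, where the user-supplied current password is available in plaintext (stored history is hashed, so older entries cannot be compared this way).

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: SHA-1 of a handful of known-bad passwords.
# A real deployment would hold billions of hashes rather than these four samples.
_SAMPLE_COMPROMISED = ["password", "Summer2023!", "letmein", "Winter2024"]
COMPROMISED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED}

# Common look-alike substitutions (S -> $, O -> 0, ...), mapped back to the letter they replace.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its stem by undoing the cosmetic edits users make on forced rotation:
    case, a trailing run of digits/symbols (Summer2023! -> summer), and look-alike substitutions."""
    stem = pw.lower()
    stem = re.sub(r"[\d\W_]+$", "", stem)  # strip trailing digits/symbols before leet-mapping digits
    return stem.translate(LEET_MAP)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitution or swap of two adjacent
    characters each cost 1, so a single transposition (monkey -> mokney) is distance 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_transformation_of(new_pw: str, old_pw: str, max_distance: int = 1) -> bool:
    """True when new_pw is the kind of small edit of old_pw that can be guessed from history."""
    n, o = normalize(new_pw), normalize(old_pw)
    if len(n) < 4 or len(o) < 4:
        # Little or nothing left after stripping (e.g. an all-digit password): compare raw strings.
        n, o = new_pw.lower(), old_pw.lower()
    return osa_distance(n, o) <= max_distance


def is_compromised(pw: str) -> bool:
    """Screen against the compromised-password list; only the hash is ever compared."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in COMPROMISED_SHA1


def evaluate_change(new_pw: str, previous_pws: list) -> list:
    """Return the reasons a proposed password must be rejected; an empty list means it is acceptable."""
    reasons = []
    if is_compromised(new_pw):
        reasons.append("password appears in the compromised-password list")
    if any(is_transformation_of(new_pw, old) for old in previous_pws):
        reasons.append("password is a trivial transformation of a previous password")
    return reasons


def needs_forced_change(current_pw: str) -> bool:
    """The NIST position: force a change only on evidence of compromise, not on a schedule."""
    return is_compromised(current_pw)


if __name__ == "__main__":
    history = ["Summer2023!", "Password1"]  # constructed sample history
    for candidate in ["Summer2024!", "P@ssw0rd2", "letmein", "correct horse battery staple"]:
        print(candidate, "->", evaluate_change(candidate, history) or "accepted")
```

The normalization deliberately strips the trailing digit/symbol run before mapping look-alike characters, so that "Password1" and "P@ssw0rd2" both reduce to the same stem; a distance threshold of 1 then also catches a single transposition. Raise the threshold or extend the substitution table to taste, but keep the fallback for very short stems, or an all-digit password would normalize to an empty string and match everything.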

Keeping your IT security fresh

Because the NIST guidelines do periodically change, organizations must consider how they can best stay up to date with the latest best practices. One of the easiest ways for an organization to bring its password policy in line with the NIST guidelines is to adopt Specops Password Policy. Specops Password Policy contains a feature that allows an organization to compare its existing password policy to the NIST guidelines, as well as to other regulatory standards such as SANS and PCI.

It is worth noting that Specops Password Policy does more than just show organizations what they need to do in order to make their password policy NIST compliant. It also gives organizations the tools to do so. Consider for example, the NIST requirement for comparing user passwords against a list of passwords that are known to be compromised.

The Windows Server operating system does not natively offer the ability to compare user passwords against such a list. Specops, however, maintains a list of billions of passwords that are known to have been compromised and makes it possible for organizations to automatically compare users’ passwords against the list. You can test out Specops Password Policy for free in your Active Directory anytime.

Sponsored and written by Specops.
