New federal security guidelines are taking sharper aim at the terrible passwords we all create. The guidelines instruct organizations to stop requiring people to change their passwords so often, to stop mandating that they be complex and, at the same time, to permit a wider range of special characters in passwords—including emojis.
In its latest digital-authentication guidelines, the National Institute of Standards and Technology, the federal agency whose security standards shape practices across government and industry, is leaning on organizations to simplify password requirements for users. The draft guidelines—a final version is due in 2025—strengthen many positions the standards institute first took in 2017.
Federal agencies must follow these guidelines, including contractors that have access to secure federal information systems, and many state and local governments typically adopt them as well, according to Andrew Regenscheid, manager of the institute’s cryptographic-technology group. The standards are also voluntarily followed by many major companies, particularly those in regulated sectors like healthcare and finance.
The goal is to make passwords more user-friendly without compromising security. Research has shown that strict rules on passwords can often backfire, as people develop predictable patterns to meet the requirements. When required to change a password and add a special character, people go from “12345” to “12345!” When forced to use a capital letter, people typically put it at the start of the password.
“That just doesn’t provide much in the way of security, because password-cracking tools will know to try the capital letter first,” Regenscheid says.
The new guidelines recommend use of stronger authentication technologies that can resist phishing attacks, such as passkeys, which let you log in without a password, typically using just your fingerprint or your face. The institute also suggests that websites add block lists of compromised and commonly used passwords that will prevent users from choosing vulnerable options. And organizations are now required to let users employ password managers, a move that NIST previously only recommended.
Whether users are using password managers or creating their own passwords, the institute wants systems to allow users to move beyond exclamation points and dollar signs. The guidelines recommend accepting all standard keyboard characters, including spaces, brackets, quotation marks and even characters like emojis.
“The intent was that service providers should allow those different special characters for users to use if they want to,” Regenscheid says. “But ultimately not require it.”
Long and random
Still, adding more special characters might help less than expected at making passwords stronger, says Michelle Mazurek, director of the Maryland Cybersecurity Center, who worked on research that informed the NIST guidelines. While having more character options theoretically increases the possible combinations for passwords, that math works only if people choose randomly, which people are notoriously bad at doing. Even with access to more special characters, people tend to follow predictable patterns—and once new special characters get added, patterns will emerge there too.
“If we start letting people use emojis, is everybody just going to stick a poop emoji at the end?” she says.
The key to password security, the standards institute emphasizes, is length rather than special characters. The draft requires that passwords be at least eight characters long and recommends that organizations require a minimum of 15. The shorter minimum is acceptable when combined with multifactor authentication, Regenscheid says, which most federal websites now require when accessing personal information. That means presenting two different factors to confirm identity, such as a password and a one-time code from a phone, not just the password itself.
The institute also says systems should accept passwords of at least 64 characters, a cap Regenscheid calls “fairly arbitrary” but sufficient for security needs. Systems need some upper limit to prevent malicious users from overwhelming servers with extremely long passwords, he says, and from doing things like downloading sensitive data from databases. The practical check is that the limit is enforced before the password reaches the hashing step, since password hashing is deliberately slow and an unbounded input turns that slowness into a denial-of-service lever.
The emphasis on length over complexity reflects decades of research showing longer passwords are significantly harder to crack. “A truly randomly chosen 24-character password is not going to be broken,” says Stuart Schechter, an associate at Harvard’s School of Engineering and Applied Sciences. “That’s long enough that it’s not likely to be broken in the lifespan of the universe.”
When it comes to creating long, strong passwords, research shows that both random strings of characters and random sequences of words can work well. “People’s brains work differently, and our tech should be designed to help you achieve your desired level of security with the option that works best for you,” Schechter says. His research found most people can memorize either type effectively.
But it is a time-consuming process, and it isn’t clear how many passwords people can remember, Schechter says, so he uses the password manager built into his browser, an option available in browsers like Safari and Chrome. While some security experts push for stand-alone password managers that must be purchased separately, Schechter argues that built-in browser options are a good solution for most people’s needs and are very secure.
No more ‘12345678’
The guidelines also seek to get rid of common password security practices that research has shown to be ineffective or counterproductive. For one thing, organizations should no longer force periodic password changes or allow users to store password hints. Instead, the institute recommends implementing “block lists” of compromised and commonly used passwords to prevent users from choosing vulnerable options. The block lists should include common variations of the company name, mascot and other organization-specific terms. Some systems also check for and prohibit the use of personal information like phone numbers, birthdays or usernames in passwords.
A widely used password is a bad one. Here are the 10 most common passwords in the U.S., according to a NordPass survey of password habits:
Note: Globally, 123456 is No. 1, password is No. 4 and secret is No. 9
But even sophisticated blocking tools have limitations. “There’s some debate as to how big a block list you should have,” says Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon University, who also worked on research that informed the proposed guidelines. While some tools can catch dictionary words or common number patterns like phone numbers, users might still find ways to create predictable patterns. To make matters worse, she notes, people widely reuse the same password across multiple accounts.
Meanwhile, there is the challenge of undoing decades of security practices that actually made passwords more vulnerable. Companies and government agencies created policies they thought would increase security—like forcing regular password changes—without realizing they were encouraging behaviors that made systems less secure. For instance, the more often somebody has to change a password, the more likely they will choose a simple sequence that is easily cracked.
Doubling up on security
For the first time, the institute has included formal standards around an alternative: passkeys, which use biometric data like fingerprints or facial recognition, or a device PIN, to unlock cryptographic keys stored on devices. According to recent research by the Identity Theft Resource Center, nearly a third of polled consumers have adopted passkeys since they became widely available last year.
The appeal is clear: Passkeys are particularly effective against phishing attacks because, unlike passwords, the secret is never sent to the website. When you use your fingerprint or face to log in, you are unlocking a private key that signs a one-time challenge from the website. The key is bound to that website's domain, so a lookalike site cannot get your device to sign on the real site's behalf, and nothing that crosses the network can be captured and reused.
“You can’t self compromise and you can’t steal the password at the organization because the information is never stored,” says James E. Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit that helps victims of identity theft.
When the guidelines are finalized, Lee says, most publicly traded companies will update their password practices, a process that could take months or even years. But even with these improved policies and new technologies, vulnerabilities remain: If people get access to your phone and it isn’t properly secured, they could potentially replace your biometric data with theirs. “There is always going to be a risk,” Lee says. “Every technology has its risk today.”
Jackie Snow is a writer in Los Angeles. She can be reached at reports@wsj.com.
Copyright ©2024 Dow Jones & Company, Inc. All Rights Reserved.