The National Institute of Standards and Technology on Wednesday published new guidance on how to strengthen passwords. Why now? Research shows that the de facto standard practice of requiring users to include a mix of uppercase and lowercase letters, numbers and at least one symbol, is more trouble than it’s worth.

“Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” NIST explained. “The impact on usability and memorability is severe.”

TAKE OUR POLL: Will your hospital update its policies?

Said impact is both the root of the problem and the reason NIST revised its guidance about the strength of passwords: Because complex and arbitrary phrases are difficult to remember many employees essentially circumvent IT’s requirements by picking passwords that are easy to guess. Password1!, for instance.

Today’s practice ultimately renders passwords that both frustrate users and are easier for attackers to figure out.

Within NIST’s draft Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is Appendix A — Strength of Memorized Secrets; that’s NIST’s phraseology for the dreaded password.

[Register Now: Upcoming HIMSS Healthcare Security Forum]

NIST suggests that IT encourage users to pick passwords that are as long as they want and allow them to include space characters because, even though spaces do not strengthen security, they enable users to opt for phrases. And those can be much simpler to remember than pesky forced letter-number mashups.

Other than to say that user-chosen memorized secrets should be 8 digits long, NIST does not lay down a magic formula because that can depend on specific threats you are guarding against. The appendix cited keystroke logging, phishing and social engineering as attacks that succeed regardless of password length.

All this doesn’t mean users should be free to pick whatever they want without some constraints either.

NIST also recommends that IT shops deploy blacklists of passwords employees are not permitted to use. Such lists should start with dictionary words, any passwords that have previously been breached, and the all-too-obvious. The local NFL team would be an example of the latter.

The appendix said that secure hashed storage and limiting the number of incorrect login attempts, along with blacklists, make it harder for hackers to break-in with brute-force attacks — but they do not make the whole process any more burdensome on your users.  

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn