Face It, Password Policies and Managers Are Not Protecting Users

Passwords haven’t worked as a solid security strategy in a long time. The policies are there, so why are passwords security’s weak spot?

Sue Poremba, Contributing Writer

November 14, 2022


If you use a computer, you probably already know this: Passwords are failing at protecting users. 

“Passwords as a security strategy are dead,” said David Maynor, senior director of threat intelligence with Cybrary. 

Passwords haven’t worked as a solid security strategy in a long time. Stolen credentials have long been a favorite attack vector for cybercriminals — they can get a lot of mileage out of a single password. 

You don’t have to be a malicious actor to see how easy it is to use a password beyond its intended use. Even advice columnists are getting questions about password sharing and the ability to access multiple accounts without permission. 

The use of passwords, however, is not the problem. It is the lack of protection around the passwords themselves that leaves them vulnerable.

The National Institute of Standards and Technology (NIST) created standards for password policy. There are password managers that are supposed to break users of their worst habit—reusing passwords.

But passwords continue to be misused, stolen and abused. The policies are there, so why are passwords security’s weak spot?

The NIST Password Standard

NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well as policy standards for other authentication methods. The guidelines for password management are straightforward: 


  • Check passwords against breached password lists

  • Block passwords contained in password dictionaries

  • Prevent the use of repetitive or incremental passwords

  • Disallow context-specific words as passwords

  • Increase the length of passwords

Updates to the NIST framework have gotten rid of two old methods of password management: no more requirements to change passwords on a regular basis, which some believe is counterproductive; and no more complex passwords that must include a mix of upper and lower case letters, numbers, and symbols. 
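As an added example (not code from the article or from NIST), the check below applies the five rules above and deliberately omits the dropped composition and rotation requirements; the breach list, dictionary and context words are small constructed samples standing in for the large lists a real deployment would use.

```python
import re

MIN_LENGTH = 8  # SP 800-63B floor for user-chosen memorized secrets

# Constructed sample lists standing in for a breach corpus and a password
# dictionary; a real deployment loads large, regularly updated sets.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"dragon", "monkey", "football", "sunshine"}


def is_repetitive(pw: str) -> bool:
    """A short unit repeated to fill the password, e.g. 'abababab'."""
    return re.fullmatch(r"(.+?)\1+", pw) is not None


def is_sequential(pw: str) -> bool:
    """Every character steps +1 or -1 from the last, e.g. '12345678', 'hgfedcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) > 1 and steps in ({1}, {-1})


def is_increment_of(pw: str, previous: str) -> bool:
    """Same stem with only the trailing digits changed: 'Summer2022' -> 'Summer2023'."""
    def split(s):
        return re.fullmatch(r"(.*?)(\d*)", s).groups()
    stem, digits = split(pw.lower())
    prev_stem, prev_digits = split(previous.lower())
    return bool(stem) and stem == prev_stem and digits != prev_digits


def check_password(pw: str, previous=None, context_words=()) -> list:
    """Return the reasons a candidate fails the policy; an empty list means accepted.
    No composition (upper/lower/digit/symbol) rule and no expiry check, matching
    the requirements NIST removed."""
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if low in DICTIONARY:
        reasons.append("appears in password dictionary")
    if is_repetitive(pw) or is_sequential(pw):
        reasons.append("repetitive or sequential")
    if previous is not None and (low == previous.lower() or is_increment_of(pw, previous)):
        reasons.append("reuses or increments the previous password")
    for word in context_words:  # user name, service name, company name ...
        if len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```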

“The NIST password guidelines should be the baseline within the bigger picture of digital identities and authentication lifecycle management,” said Timothy Morris, chief security advisor at Tanium.

NIST frameworks serve as a baseline for the overall cybersecurity systems of many organizations. The guidelines have been downloaded more than 1.7 million times, and 16 critical infrastructure sectors rely on the framework.

Password Managers 

Not having to create new, unique passwords every 90 days is a relief, but the NIST guideline to prevent the use of repetitive passwords is still a burden. It’s impossible to remember dozens of different passwords, and users are often discouraged from writing down their passwords.

The solution for many is to use a password manager. 

“In a corporate environment, password managers not only enhance security but also optimize productivity,” said Teresa Rothaar, governance, risk, and compliance (GRC) analyst at Keeper Security.

Password managers allow IT administrators to control user password practices and enforce policies. 

“Meanwhile, help desk personnel aren’t bogged down with password-reset tickets, and employees aren’t stuck in holding patterns due to lost or forgotten passwords,” Rothaar said.

Read the complete article on our sister site Cybersecurity Dive.

About the Author(s)

Sue Poremba

Contributing Writer, Dark Reading

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
