Nonprofit Resources


Death of the Complex Password

Weak passwords are one of the top cybersecurity risks. For years, experts have advised using complex passwords that include numbers and special characters and have recommended changing them frequently.

However, new guidelines from the National Institute of Standards and Technology (NIST) have been making headlines. Here’s what you need to know.

Factors Behind the New Guidelines

NIST acknowledges that the intention of the previous standards — to create more secure passwords through criteria such as complexity — has been circumvented over time by several issues.

End users have difficulty remembering complex passwords, especially when they change frequently. As a result, many people use ineffective variations of common passwords (e.g., Password1!) or store passwords in unsafe ways, such as in a document on their computer or sticky notes on their desk.

At the same time, password-cracking software has become more sophisticated, and keylogger software and social engineering have emerged as effective means of compromising lengthy, complex passwords. Millions of compromised passwords are in circulation due to cyber breaches.

What the New Guidelines Recommend

The new NIST guidelines steer away from requiring complexity and frequent password changes. Instead, the focus is on layered security, which we have long advised.

NIST recommends:

  • Comparing passwords against a “blacklist” that rejects passwords:
    • Used in previous compromises
    • Based off dictionary words
    • Containing repetitive or sequential characters
    • Based off items such as user name, system name, etc.
  • No forced composition rules (like alphanumeric and special characters) or required arbitrary changes
  • Limiting the number of password attempts before a user is locked out
  • Multi-factor authentication

With these criteria, simple passwords still cannot be used, and the recommended minimum number of characters is still eight for user-chosen passwords or six for randomly generated passwords or PINs. While the recommendation is not to impose composition rules, alphanumeric or special characters may still be used in an effort to create a memorable password that is not a dictionary word.

Next Steps

It’s important to note that the new recommendations are extensive, and this is just a summary of one aspect of these recommendations. While it may seem that the new standards make passwords easier for end users, there is much more to the authentication process than passwords.

The standards reinforce layered security controls, which we already recommend. Many industry experts consider these “must have” additions to passwords for high-risk systems.

Most organizations use systems configured and managed by third parties, and it will likely take time to see industry-wide changes in response to these revised standards.

In the meantime, it’s vital to layer cybersecurity controls so that if one fails, others are in place to help protect your organization. Here are five steps you can take to strengthen your organization’s cybersecurity defenses.

If you have any questions, please contact us at [email protected].

Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.

Leave a Comment