Cyber Matters: New Password Guidance Will Be Implemented Slowly


By Rob Sloan, cybersecurity research director, WSJ Pro

The National Institute of Standards and Technology recently updated its guidance on creating passwords, moving away from the advice that long, complex passwords, comprising upper and lower case letters, numbers and special characters, are the best way to secure data. While the new guidance was roundly welcomed, implementation is likely to be a slow process.

As the Wall Street Journal reported, in 2003, NIST midlevel manager Bill Burr wrote “NIST Special Publication 800-63. Appendix A.,” the influential document that came to define password policy for organizations around the world. Mr. Burr later concluded that much of the advice in the document was incorrect.

The new guidance seeks to end the frustration and annoyance users experience with the current rules. Out with complex passwords consisting of upper and lower case letter, numbers and special characters, in with longer, more memorable phrases. Key recommendations include passwords of up to 64 characters in length and to block known compromised passwords. Longer passwords are orders of magnitude harder to crack.

The finger of blame is often pointed at users for not creating strong enough passwords under the current guidance, but Jason Hoenich, founder & chief product officer of Los Angeles-based security awareness startup Habitu8 Inc., does not agree: “Humans are actually not the problem. End users have been telling us for years that our password policies are stupid and don’t work. NIST has finally decided to listen and adjust.”

“End users are like water, they’ll always find the leaking points.” said Mr. Hoenich, adding: “We can patch the process or the user. One fixes most issues, the other fixes a single issue–your call.”

Security awareness programs may have to adjust their message according to Mr. Hoenich. “Everyone hates passwords–this is a huge chance to tell a new story.” Mr. Hoenich previously ran cybersecurity awareness programs for both The Walt Disney Co. and Sony Pictures Entertainment and believes users will quickly adapt to the new guidance. “Humans are resilient. 98% of end users won’t care. They’ll just want to know what to do and see an example.” Habitu8’s awareness videos already align with the new guidance.

“It’s not difficult to explain to users” said Mr. Hoenich. “People like transparency. Be simple, direct, and to the point. “Hey, we’ve found a better way to do this and everyone agrees, and so we’re going to do the right thing–not the easy thing.”

Rush to Change Policies May Not Be Needed

So should businesses rush to change their policies? Not necessarily. While changes in the short term are unlikely, the updated guidance is a good excuse for organizations to start talking about authentication and whether solutions currently deployed are sufficiently user-friendly and effective.

The other aspect to consider is the world has changed a great deal since 2003 and organizations should at least consider implementing two-factor authentication, an extra layer of security that requires not only a password and username, but also a piece of information to which only the legitimate user has access.

Smartphones are ubiquitous, providing users with an avenue to get a security token via an app or SMS that adds a level of security without inconvenience. Biometrics may also be worth consideration with a host of new solutions hitting the market recently.

“Companies cannot move to this new guidance overnight” said Alexis Lavi, a senior advisor on cyber risk and strategy at cybersecurity services company, Fortalice Solutions. “However, it should be a topic of discussion at the next cybersecurity meeting and most definitely addressed during IT security policy reviews and updates.”

Switching to the latest NIST advice is not straightforward though: “In reality, resetting passwords across workstations and servers and changing authentication processes for external customers is a challenge” said Ms. Lavi.

Implementing changes puts a significant administrative burden on the IT department. The change management process and sign-off on policy changes from the legal department can also introduce complications and Ms. Lavi adds one more important factor: “Vendor product settings may inhibit an organization’s ability to make these changes.” That is to say some software will not allow the reduction in password complexity and increase in password length.

“Each organization will want to evaluate the cost/benefit trade-offs of moving to the new password guidance.” said Ms. Lavi. However, “for entities required to follow NIST, or those relying on NIST controls for their custom frameworks, the move may be speedier.”

(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors. For more information on the WSJ Pro Cybersecurity newsletter visit