The most recent National Institute of Standards and Technology (NIST) password guidelines, published in Special Publication 800-63B, no longer recommend requiring a mix of capital letters, lower case letters, numbers and special characters. Yet most companies and systems still mandate these complexity requirements for passwords. What gives?

There’s a bit of an arms race between NIST and compliance regulations. SOX, SOC 2, PCI, etc., all have some password complexity commentary. These were influenced by NIST in the past, and systems were updated to require combinations of letters, numbers and symbols so that companies that need to attain these compliance certifications can require their users to meet them.


Legacy and Technical Password Limitations

On top of regulations, there are the technical limitations of the systems themselves. Some hash or encrypt the stored password but enforce no character complexity at all. Some offer fine-tuning so that the administrator can specify exactly which special characters, letter cases and number combinations are required. And still others were created in the days when storage was at a premium, and to this day silently use only the first 8 characters of whatever you type in as your password. It all depends on what the leading school of thought was when the tool was created and which compliance regulations the tool’s manufacturer thought it might need to satisfy.
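To make the contrast concrete, here is an added example (not code from the original article) that puts a legacy composition-rule policy, complete with the silent 8-character truncation described above, side by side with a policy in the style SP 800-63B now recommends: a length floor, a check against a list of commonly used or compromised passwords, and no composition rules. The blocklist is a constructed handful of entries standing in for a real breached-password list, and the 128-character ceiling is our own choice (800-63B only asks that at least 64 be allowed).

```python
"""Legacy composition-rule policy vs. a NIST SP 800-63B style policy.

Added illustration, not the article's code. Assumptions:
- BLOCKLIST is a tiny constructed sample, not a real breached-password list.
- MAX_LENGTH = 128 is our choice; 800-63B requires only that >= 64 be allowed.
"""
import re
import unicodedata

# Constructed sample of "commonly used / compromised" passwords (lower-cased).
BLOCKLIST = {"password", "p@ssw0rd", "summer2023!", "welcome1", "qwerty123"}

LEGACY_TRUNCATE_AT = 8   # the 8-character limit the article describes
MIN_LENGTH = 8           # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 128         # our choice; the standard says allow at least 64


def legacy_effective_secret(password: str) -> str:
    """What a truncating legacy system actually stores and compares."""
    return password[:LEGACY_TRUNCATE_AT]


def legacy_complexity_check(password: str) -> tuple[bool, list[str]]:
    """Classic 'three of four character classes' rule, applied to the
    truncated value because that is all the system ever sees."""
    stored = legacy_effective_secret(password)
    problems = []
    classes = {
        "upper": re.search(r"[A-Z]", stored),
        "lower": re.search(r"[a-z]", stored),
        "digit": re.search(r"[0-9]", stored),
        "symbol": re.search(r"[^A-Za-z0-9]", stored),
    }
    present = [name for name, hit in classes.items() if hit]
    if len(stored) < LEGACY_TRUNCATE_AT:
        problems.append("shorter than 8 characters")
    if len(present) < 3:
        problems.append("needs 3 of 4 character classes, has: " + ", ".join(present))
    return (not problems, problems)


def nist_style_check(password: str, blocklist=BLOCKLIST) -> tuple[bool, list[str]]:
    """Length floor, generous ceiling, blocklist lookup; no composition rules
    and no truncation. The input is NFKC-normalised first, as 800-63B
    recommends, so visually identical Unicode spellings compare equally."""
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist:
        problems.append("appears on the compromised-password blocklist")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple",
                      "Summer2023!xyz", "Summer2023!abc"):
        print(f"{candidate!r}")
        print("  legacy:", legacy_complexity_check(candidate),
              "stores", repr(legacy_effective_secret(candidate)))
        print("  nist  :", nist_style_check(candidate))
```

Running it shows the two policies disagreeing in both directions: `P@ssw0rd` satisfies every composition rule yet sits on the blocklist, while a long passphrase of lower-case words fails the legacy rule (after truncation it contains only letters and a space) and passes the NIST-style check. The last two candidates are different passwords to the user but identical to the truncating system, which is the quiet failure mode of the 8-character limit.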

The scope of which tools fall under which compliance framework is different for every company. Two companies may be using the same tool, such as Salesforce, but depending on how they use it and who has access, one might fall under SOX and the other not.

Over the last decade, the various changes in NIST – the addition of numbers, the assignment of acceptable symbols, and the suggestion of the ideal number of characters – have become (Read more...)