NIST’s New Password Rules: How Device42 Can Help

Why new requirements? Password management is already difficult!

The National Institute of Standards & Technology (NIST) has developed a new set of relevant, sensible guidelines for the US Government’s public sector, and its password policies are a great template for all of us, in the workplace and in our personal lives alike. The password rules are still being refined, and that process is being tracked in NIST’s GitHub. They will also be posted on NIST’s website (nist.gov), but so far those pages still say “coming soon”, so in the meantime, stick to the GitHub link.

As they stand, here is the gist of some of NIST’s suggestions:

  1. Make passwords user friendly – stop enforcing bad, disproven “best practices”

  2. Minimum length of 8 characters, and no maximum. Longer minimums are just fine, too.

  3. Allow longer maximums: at least 64 characters, if not longer. No more “your password is too long” messages.

  4. Accept all printable characters (including spaces), all languages, and all Unicode characters, even emojis!

  5. Strong dictionary check against known bad passwords.

  6. No complexity or composition rules (one uppercase, one lowercase, two symbols, not in a row, etc.). These have been proven, time and time again, to be hard for people to remember and easy for computers to guess.

  7. No password hints; they just make guessing easier.

  8. No “answer these questions to prove it’s you”. The answers are too easy to look up, especially for anyone who knows the person well.

  9. No more expirations without merit. Unless a user specifically requests it, you’ve been breached, or there’s another really good reason to make users change their well-chosen, complicated passwords, just don’t do it.

  10. All stored passwords must be salted, stretched, and hashed: a 32-bit or longer salt, a keyed hash algorithm, and then at least 10,000 rounds of PBKDF2.

  11. No more SMS for 2FA. Two-factor authentication via SMS has been proven to be easily spoofed.
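As an added illustration (not code from the original post or from Device42), here is a small Python check-and-store routine that applies rules 2 through 6 and rule 10 above; the blocklist, the 128-character cap, the NFKC normalization, and the server-side “pepper” used for the keyed hash are assumptions made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a real list of known-bad passwords (rule 5).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}

MIN_LEN = 8          # rule 2: NIST minimum
MAX_LEN = 128        # rule 3: assumed cap, comfortably above NIST's 64
ITERATIONS = 10_000  # rule 10: PBKDF2 floor
SALT_BYTES = 16      # rule 10: 128-bit salt, above the 32-bit floor

def check_password(candidate):
    """Rules 2-6: length in code points, any printable Unicode, blocklist
    lookup, and deliberately no composition rules. Returns (ok, reason)."""
    # NFKC normalisation is an assumption: it makes composed/decomposed
    # forms of the same text compare (and hash) identically.
    pw = unicodedata.normalize("NFKC", candidate)
    n = len(pw)  # code points, so an emoji or accented letter counts as one
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN}"
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "control characters are not allowed (spaces are fine)"
    if pw.lower() in BLOCKLIST:
        return False, "found in the known-bad password list"
    return True, "ok"

def hash_password(password, pepper, salt=None):
    """Rule 10: salt, stretch with PBKDF2-HMAC-SHA256, then key the result
    with a secret 'pepper' held outside the database (the keyed hash)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    stretched = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    keyed = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return salt + keyed  # salt is public and stored next to the digest

def verify_password(password, stored, pepper):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    recomputed = hash_password(password, pepper, salt)[SALT_BYTES:]
    return hmac.compare_digest(recomputed, expected)
```

Note that a dumped table of `salt + keyed` digests is useless without the pepper, which is the point of the keyed step; keep the pepper in a secrets store, not in the same database.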

These are big changes from the “standards” we’ve all gotten used to, which have been enforced for the past twenty or so years. They were somewhat adequate when they were introduced, when computers had far less cracking power and we had far fewer passwords to remember, but these outdated standards need to go if we are to keep both our personal and business identities safe online.

Here’s the real problem — new requirements or old

People are generally pretty bad at coming up with secure passwords – and when we do come up with good ones, we tend to be horrible at remembering them. With more and more devices requiring passwords all the time, and the dangers of a password compromise higher every day as more of our lives move online, what is the answer?

Use the same, super secure password for everything? Write the passwords down in a book? Sticky notes under our keyboards (more keyboards than you’d think already have these!)? Give up entirely and accept the risk as part of life? None of these are REAL solutions to the very real problem of digital password management both personally and in the enterprise, and as more personal devices are more regularly used at work, the line between personal and enterprise passwords is blurred.

Ahead of the curve – Device42’s Enterprise Password Management

Device42 has powerful, secure, and flexible password generation and storage capabilities. Not only can it automatically generate secure passwords of specified lengths with variable makeups, but Device42 stores both passwords it generates and passwords you’ve created yourself securely encrypted, even when backed up. Furthermore, granular password-level access controls are enforced, allowing only specifically permitted users or groups to view and/or edit a password. A more complete list of Device42’s enterprise password management features and benefits is below:

Device42’s Enterprise Password Management Features & Benefits:

  • Auto-Generate Secure Passwords

  • AES 256-bit encryption

  • Custom PW Generation Settings

  • Granular permission control (per PW)

  • Fast, easy search features

  • PW’s stored and backed up encrypted

  • Securely copy PW’s w/o displaying them

  • PWs cannot be viewed in HTML source

  • Full, granular PW history & audit trail

  • Automatic logout on inactivity

  • Optionally, assign a PW to multiple devices

  • PW reporting for security & compliance assurance

Before NIST released its new recommendations, Device42 was already ahead of the curve, storing and generating passwords more securely than was required. Thanks to Device42’s flexibility, adopting the new requirements is as easy as adjusting your password generation settings and storing your new, longer passwords. Device42 already accepts all Unicode characters and spaces, and uses extremely strong encryption, including in backups.

Best of all, Device42 makes using stronger passwords user friendly, with fast, easy search, granular permission controls, and the ability to securely copy passwords without even displaying them on screen. With Device42, you already have all the tools you need to adopt all of NIST’s new password requirements, keeping your organization’s identities, and optionally your personal online and offline identities, safe and secure.

Are you a user of Device42’s Enterprise Password Management features? What do you think? Have you had to deal with password issues in your organization, and did you use Device42 to help solve them? We’d love to hear any stories you might have to share, questions you might have, and your comments, too! Feel free to leave them here, or to drop us an e-mail.

Stay safe out there,

-Device42