‘Memorized Secrets’ and NIST’s Latest Password Security Suggestions

6/12/2019

With so many other competing priorities, password security may not be top-of-mind for many business leaders right now. But even a cursory check of recent data-breach reporting suggests that it very well should be. More than 80 percent of last year’s hack-related data breaches involved weak or stolen passwords.

For the annual ‘Worst Passwords of the Year’ report, the top five offenders were: 123456; Password; 12345678; qwerty; and 12345. Nearly one in five hacked users were safeguarding their digital lives with ‘123456.’

NIST experts encourage administrators to:  

  • Clearly communicate memorized secret requirements to all employees, including how to create and change them
  • Allow users to make passphrases as long as they want
  • Avoid imposing composition rules
  • Avoid requiring arbitrary, periodic changes unless users ask or there’s evidence of compromise
  • Provide clear, actionable feedback when users’ memorized secrets are rejected (e.g. it’s previously or commonly used, or blacklisted by the company)

The threat of user-caused breaches makes effective password security more crucial than ever, regardless of the strategy you use.
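The administrator guidance listed above can be expressed as an acceptance check. The following is an added example, not code from the article or from NIST: the function name, the `COMPANY` blocklist entries and the feedback wording are hypothetical, and the 8-character minimum comes from NIST SP 800-63B rather than from this page.

```python
import unicodedata

# Constructed sample lists. COMMON holds the five "worst passwords" named in
# the article; COMPANY is a hypothetical organization-specific blocklist.
COMMON = {"123456", "password", "12345678", "qwerty", "12345"}
COMPANY = {"examplecorp", "examplecorp2019"}
MIN_LENGTH = 8  # from NIST SP 800-63B, not stated in the article


def check_memorized_secret(secret, common=COMMON, company=COMPANY):
    """Return (accepted, reasons); reasons lists every problem found.

    Deliberately absent: any maximum length and any composition rule
    (required digits, symbols, mixed case).
    """
    # NFKC folds look-alike forms (e.g. full-width letters) to one spelling,
    # so the blocklist cannot be sidestepped by an alternate encoding.
    candidate = unicodedata.normalize("NFKC", secret)
    folded = candidate.casefold()
    reasons = []
    if len(candidate) < MIN_LENGTH:  # len() counts Unicode code points
        reasons.append(
            f"Too short: use at least {MIN_LENGTH} characters. "
            "A phrase of several words works well."
        )
    if folded in common:
        reasons.append(
            "This is one of the most commonly used passwords and is "
            "among the first an attacker will try. Choose something else."
        )
    if folded in company:
        reasons.append(
            "This value is on the company blocklist. Avoid the company "
            "name and other terms tied to the organization."
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    for sample in ["12345", "Password", "ExampleCorp",
                   "correct horse battery staple"]:
        ok, why = check_memorized_secret(sample)
        print(f"{sample!r}: {'accepted' if ok else 'rejected'}")
        for line in why:
            print("   -", line)
```

A production list of common values would be far larger than the five entries used here.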