
Passphrases: build a better foundation for secure password policy


Is your company still enforcing automatic password changes and requiring special characters in every password? The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, publishes the security standards and guidelines that companies follow to meet the requirements of the Federal Information Security Management Act (FISMA). According to NIST, the practice of having a user create a random series of letters, numbers and special characters as a password, then change it every 30 days, is an invitation to countless helpdesk calls for password resets. In addition, many frustrated users will doubtless end up writing down their passwords.

The 2017 NIST recommendations:

  1. maintain that frequent password changes do little to improve security, and often result in minimally edited old passwords that are easy to guess.
  2. encourage the use of longer passwords and, even better, passphrases.

In a study from as far back as 2010, researchers from the University of North Carolina at Chapel Hill ascertained that if people have to change their passwords every 90 days, “they tend to use a pattern … they take their old passwords, they change it in some small way, and they come up with a new password.” The researchers developed algorithms based on these patterns, which were able to predict password changes with great accuracy.

A long passphrase (at least 14 characters) is simply a phrase or sentence used in place of a single word or string of characters, and it is easier to remember than a random sequence of numbers, letters and special characters. Passphrases generally allow spaces and punctuation, which adds complexity.

Of course, you should always enable two-factor authentication for added security.

Unless a data breach occurs—in which case all passwords must be changed—the NIST requirements allow a user to keep their password for an indefinite amount of time. 
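To make the contrast concrete, here is an added example (not code from the article or from NIST) that encodes the two policies described above as data and checks candidate passphrases and expiry against each: a legacy "8 characters, all four character classes, rotate every 30 days" rule beside a policy modelled on the 2017 guidance (14-character minimum, spaces and punctuation allowed, no scheduled expiry, forced change only after a breach). The policy parameters and sample passphrases are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import string


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_char_classes: bool    # legacy composition rule: upper, lower, digit, special
    allow_spaces: bool
    max_age_days: Optional[int]   # None means no scheduled expiry


# Constructed policies for this example: the rotate-every-30-days rule the
# article criticises, and one modelled on the 2017 NIST guidance it describes.
LEGACY = Policy("legacy", min_length=8, require_char_classes=True,
                allow_spaces=False, max_age_days=30)
NIST_2017 = Policy("nist-2017", min_length=14, require_char_classes=False,
                   allow_spaces=True, max_age_days=None)


def check_passphrase(candidate: str, policy: Policy) -> List[str]:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not policy.allow_spaces and " " in candidate:
        problems.append("spaces not allowed")
    if policy.require_char_classes:
        classes = {
            "uppercase": any(c.isupper() for c in candidate),
            "lowercase": any(c.islower() for c in candidate),
            "digit": any(c.isdigit() for c in candidate),
            "special": any(c in string.punctuation for c in candidate),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("missing character class(es): " + ", ".join(missing))
    return problems


def must_change(last_set: date, today: date, policy: Policy, breached: bool = False) -> bool:
    """A breach always forces a change; otherwise only a policy with a scheduled
    expiry forces one, and only once the credential has aged past that limit."""
    if breached:
        return True
    if policy.max_age_days is None:
        return False
    return today - last_set > timedelta(days=policy.max_age_days)
```

Running the checks shows the trade-off the article describes: the passphrase `correct horse battery staple` passes the NIST-style policy but fails the legacy one on three counts, while the short `Tr0ub4dor&3` passes legacy composition rules yet falls under the 14-character minimum.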

Although the latest NIST password guidelines were issued in June 2017, many companies continue to subscribe to the hackable 'set random password; wait; repeat' formula for employee passwords. Even if your company isn’t governed by NIST for password compliance, there’s no reason you can’t follow these guidelines and implement a great foundation for a secure password policy.