The U.S. National Institute for Standards and Technology (NIST) is updating its guidance for password complexity, advising end users to choose longer pass phrases, rather than simply a mix of upper and lower case characters. According to a survey from security awareness vendor KnowBe4, many users are open to the idea of using a pass phrase approach advocated by NIST.
NIST Special Publication 800-63B titled, "Digital Identity Guidelines" states that password length has been found to be a primary factor in characterizing password strength.
"Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords," NIST states. "Users should be encouraged to make their passwords as lengthy as they want, within reason."
"Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords or pass phrases if the user wishes," the NIST guidance adds.
KnowBe4 surveyed 2,600 IT professionals about their views on passwords and the new NIST guidance. 44 percent of respondents indicated that in their view a 25-character pass phrase would work out as a viable option for their organization's password policy. 35 percent indicated that the 25-character pass phrase approach wouldn't work and nearly 21 percent were undecided.
KnowBe4 CEO Stu Sjouwerman told eWEEK that the 44 percent approval rating for the new NIST password guidance was much higher than he had anticipated. The survey also asked respondents if they felt their existing password policy is sufficient with 47 percent saying yes and 46 percent responding no (7 percent responded 'other').
"It's extremely hard to have humans remember things that are innately not part of our common language," Sjouwerman said. "Artificial passwords, salted with other characters, are at best a band-aid and need to be replaced with biometrics."
89 percent of the survey participants indicated that their organizations currently have an enforced password policy. The password policies in use include requiring both upper and lower case characters as well as numbers as part of a password. 51 percent or respondents said that their organizations required passwords to be changed once every 90 days.
The survey also asked about Multi-Factor Authentication (MFA) use and found that only 33 percent of respondents responded that their organizations use MFA to provide an additional layer of password security.
"MFA is very effective in preventing specific account takeover attacks, but more general phishing attacks like ransomware campaigns are, of course, not mitigated by MFA, Sjouwerman said.
In an effort to help users and organizations with password security, KnowBe4 released a free online tool that tests password strength on Windows systems.
"It's a combination of heuristics and a list of 11 million known weak passwords that each hash is compared to," Sjouwerman said. "Note that we do not list the actual passwords, we just indicate the risks."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.