It's a common belief that you need passwords of a minimum length with a mix of capital and lowercase letters, numbers and symbols (like $jfhT3@1Rlf!), and that you must reset them every 3-4 months in order to be in step with security best practices.
But those best practices are outdated, and the author of those rules has since backtracked on them.
The United States National Institute of Standards and Technology (NIST) has since released new guidelines that state the opposite of those old rules.
Here are the new best practices as outlined by new research and guidelines from NIST itself.
Why the change of password recommendations?
The primary reasons the recommendations have changed are all related to one thing: humans.
This article by CSO goes into more detail, but in short, research analyzing multiple large breaches revealed that passwords created under the old guidelines weren't effective.
In order to "remember" passwords for multiple portals, applications and software, the research revealed, people would make predictable substitutions when creating passwords.
For example, switching "@" for "a" and "!" for "l".
This becomes more of an issue when you force users to change passwords every 3-4 months, since it pushes users toward predictable substitutions they can remember.
Or worse yet, users will write down passwords on sticky notes.
In fact, NIST specifically states that you SHOULD NOT require passwords to be changed arbitrarily (e.g., periodically).
Thankfully, there are better ways to manage strong passwords that favor the user and are in line with NIST's new guidelines.
Escaping password hell: A better way to manage passwords
As the CSO article insightfully articulates, creating strong passwords is simply not a job for humans.
Instead, randomly generated sequences of letters, numbers and symbols at least 8 characters long are the most effective.
But how do you manage random passwords?
By using password managers. In their new guidelines, NIST specifically encourages the use of password managers, which in many cases increases the likelihood that users will choose stronger passwords.
Is the use of password managers HIPAA compliant?
Yes! You won't be storing any PHI in a password manager, so you don't have to worry about compliance there. You should still conduct due diligence when choosing a password manager to make sure they're storing your data securely.
But as part of your HIPAA compliance program, it's absolutely OK to use a password manager. HIPAA does not get into specifics on authentication and password management, but it often references NIST guidelines, and we now know where NIST stands.
Key takeaways on managing passwords
- Use a password manager. Require your team to start using one in order to enforce the rest of these rules.
- Require random passwords of at least 8 characters. Some password managers have a feature that will generate these passwords.
- Eliminate composition rules like "Your password must contain one lowercase letter, one number, a symbol, and your favorite color."
- No more expiration without reason. The best rule, as recommended by NIST: get rid of periodic expirations. If you set a strong password once, there's no reason to change it unless it is compromised.
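To make the contrast concrete, here is an added example (not from the article or from NIST) in Python. It puts an old-style composition rule next to a NIST-style rule that only enforces a minimum length plus a blocklist, and it undoes the predictable substitutions described above ("@" for "a", "!" for "l") before checking the blocklist. The blocklist and substitution table are constructed for illustration; a real deployment would use a large breached-password list.

```python
import secrets
import string

# Constructed sample blocklist; a real deployment would load a large list of
# breached or commonly used passwords instead.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Assumed table of the predictable substitutions people make ("@" for "a",
# "!" for "l", "0" for "o", ...). Mapping is an illustration, not exhaustive.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "!": "l", "1": "i", "0": "o", "3": "e", "$": "s", "5": "s"}
)

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def legacy_policy(password: str) -> bool:
    """Old-style composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo substitutions so that
    a disguised common word such as 'P@ssw0rd!' compares as 'password'."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(SUBSTITUTIONS)


def nist_style_policy(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """NIST-style rule: minimum length only, no composition requirements,
    but reject anything that is (a disguised form of) a common password."""
    if len(password) < 8:
        return False
    return password.lower() not in blocklist and normalize(password) not in blocklist


def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG, the kind a password manager would store."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Run against "P@ssw0rd!" the legacy rule accepts it while the NIST-style rule rejects it; a long passphrase with no symbols is rejected by the legacy rule and accepted by the NIST-style one.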