The National Institute of Standards and Technology (NIST) recently updated its password guidelines, removing mandatory complexity requirements. Security experts have welcomed this change, which is aimed at improving security and usability. However, adopting the NIST password guidelines in defense IT environments will likely take too long, leaving our organizations more vulnerable than necessary. Many defense IT teams operate within a culture that prioritizes outdated policies and enables shadow IT, making it difficult for new approaches to take root. The industry must embrace a culture of agility and rapid technology adoption for real security advancement.
The New NIST Password Guidelines
The new guidelines, taken from NIST Special Publication 800-63B, are simple to implement and have been considered “best practice” by leaders in the industry for years. In the quoted text, SHALL marks a mandatory requirement and SHOULD a recommendation:
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
- Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
- Verifiers SHALL allow the use of password managers.
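The rules above translate almost directly into code. The following verifier is an added example written for this page, not NIST's or any product's code: it counts length in Unicode code points (not bytes), accepts printing ASCII, space and Unicode, rejects only non-printing characters, applies no composition rules, checks a blocklist of known-compromised values, and hashes the entire password without truncation. The `BLOCKLIST` contents, the NFKC normalization step, the scrypt parameters and all function names are assumptions made for the example; a real deployment would check against a breached-credential corpus rather than three hard-coded strings.

```python
"""Password verifier following the NIST SP 800-63B rules quoted above.
Added example for this page; not from the article or from NIST."""
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Set, Tuple

MIN_LEN_SHALL = 8    # SHALL require at least 8 characters
MIN_LEN_SHOULD = 15  # SHOULD require at least 15 characters
MAX_LEN_SHOULD = 64  # SHOULD permit a maximum of at least 64 characters

# Constructed sample blocklist of compromised / commonly used passwords
# (assumption for the example; use a real breached-password corpus in production).
BLOCKLIST: Set[str] = {"password123", "changeme!", "welcome1"}


def _normalize(pw: str) -> str:
    # NFKC so visually identical inputs (e.g. "a" + U+0308 vs U+00E4) compare
    # equal and are counted the same way. Assumption: the article does not
    # mention normalization; it is NIST's recommendation, not a quoted rule.
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, *, min_len: int = MIN_LEN_SHOULD,
                   max_len: int = MAX_LEN_SHOULD,
                   blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons: List[str] = []
    norm = _normalize(pw)

    # len() on a Python str counts Unicode code points, which is exactly what
    # the rule requires. Do NOT use len(pw.encode("utf-8")): "pässwörd" is
    # 8 code points but 10 UTF-8 bytes.
    n = len(norm)
    if n < min_len:
        reasons.append(f"too short: {n} code points, need {min_len}")
    if n > max_len:
        reasons.append(f"too long: {n} code points, limit {max_len}")

    # Printing ASCII, space and Unicode are all accepted. Only control
    # characters (Unicode category Cc, e.g. NUL or CR/LF) are rejected.
    controls = [c for c in norm if unicodedata.category(c) == "Cc"]
    if controls:
        reasons.append(f"contains {len(controls)} non-printing character(s)")

    # The only content check: compare case-folded against known-bad values.
    if norm.casefold() in blocklist:
        reasons.append("password is on the compromised/common-password blocklist")

    # Deliberately absent: any digit/uppercase/symbol composition rule.
    return reasons


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the ENTIRE normalized password with scrypt (no truncation).

    scrypt hashes every input byte; bcrypt, by contrast, silently truncates
    at 72 bytes and would violate the "verify the entire password" rule for
    long passphrases. Parameters below are assumptions for the example.
    """
    salt = salt if salt is not None else os.urandom(16)
    data = _normalize(pw).encode("utf-8")
    digest = hashlib.scrypt(data, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against a fresh one."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3",
                      "Password123", "a" * 65]:
        print(repr(candidate[:20]), check_password(candidate) or "accepted")
    s, d = hash_password("x" * 64)
    print(verify_password("x" * 64, s, d), verify_password("x" * 63 + "y", s, d))
```

Note that `"Tr0ub4dor&3"`, which would satisfy a classic four-character-class rule, is rejected only for being 11 code points long, while a 28-character all-lowercase passphrase is accepted: length and a blocklist do the work that composition rules used to do badly.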
The Challenges of Cultural Adoption
Adopting new security guidelines is often hindered by entrenched practices and resistance to change. In defense IT, this problem is amplified by the prevalence of shadow IT: unapproved and non-compliant systems set up to bypass restrictive policies. Shadow IT grows from frustration with cumbersome processes that lag behind emerging threats, and a root cause is often the lack of flexible infrastructure within DoD IT environments. While NIST’s guidelines offer a path forward, cultural inertia within defense operations could significantly slow their adoption.
Shadow IT: A Symptom of Cultural Stagnation
Shadow IT typically reflects a deeper problem: a culture that values rigid compliance over effective enablement. The result is a disconnect between operations and security teams, as personnel seek shortcuts to remain productive. Instead of enforcing stricter controls, defense IT should modernize its policies so that teams can stay both agile and compliant. By understanding why employees turn to shadow IT, organizations can address the root issues and reduce non-compliance.
Policies and Culture: The Need for a Paradigm Shift
Traditional IT policies are ingrained in the culture of many defense organizations. These policies often stem from a time when being compliant meant being secure. However, sticking to outdated rules without adapting can increase vulnerabilities as the threat landscape evolves. A shift in mindset is needed—from seeing policies as unchangeable to viewing them as dynamic tools that must evolve with threats.
NIST Password Guidelines: A Case for Modern Enablement
NIST’s recent update eliminates mandatory password changes and complex character requirements, opting for guidelines prioritizing usability and overall security. This should be viewed as an opportunity for defense IT to break away from a “checkbox compliance” culture and embrace one emphasizing efficiency and resilience. Operations teams should consider how this change can enable better workflows without compromising security.
Building a Culture of Agility
Defense IT must transition to a culture that values agility and rapid technology adoption to thrive. This doesn’t mean abandoning policies but redefining them to support new technologies and methods. Teams should focus on:
- Educating and Training: Educate employees on the benefits of adopting new security measures.
- Collaborative Policy Making: Involve end-users in policy discussions to build a shared sense of ownership.
- Creating Rapid Response Teams: Implement dedicated teams that can pilot and evaluate new technologies quickly.
- Encouraging Openness and Feedback: Foster an environment where employees feel comfortable voicing concerns about policies.
NIST Password Guidelines Are a Step Forward for Security and Culture
While NIST’s guidelines are a step forward, the real battle is changing the entrenched culture of defense IT. Operations teams must pivot from a policy-centric mindset to one focused on enablement, innovation, and rapid adoption of new technologies. Only then can defense organizations remain agile enough to stay ahead of evolving threats.
FAQs
NIST has eliminated mandatory complexity and frequent password changes in favor of longer passphrases and monitoring for compromised credentials.
Shadow IT emerges when strict policies hinder productivity, leading personnel to create non-compliant solutions that bypass formal channels.
Defense IT needs to adopt a culture of agility, enabling teams to implement new technologies quickly without compromising compliance.
Adopting policies that prioritize security through usability, such as passphrase guidelines, rather than overly complex rules.
It refers to the practice of meeting security requirements only on paper without considering the real-world effectiveness of the measures.
Organizations should view policies as living documents, regularly updating them in response to evolving threats and end-user feedback.