Daniel Eberhorn

🚨 Goodbye to password changes? Why BSI and NIST are only partially right! 🚨


[Illustration: a password field with a crossed-out refresh icon, symbolizing the end of regular password changes, with two buttons labelled 'BSI' and 'Security' for the contrasting perspectives on password policy. Image generated by OpenAI's DALL·E]

 

The current guidelines from BSI and NIST no longer call for regular password changes - a bold step that surprised some and was long overdue for others. But are these guidelines really as secure as they seem? In this article we take a closer look at why the new approach can be useful but also risky, and why it can create a false sense of security.

Are they the ultimate way to achieve password security or just a compromise? Let's critically question this together.

Spoiler ahead - even though some approaches make sense, I am critical of certain aspects of the BSI and NIST recommendations.



The development of password policies: A look at the previous recommendations from BSI and NIST

For a long time it was standard advice to make regular password changes an essential part of any security policy. In earlier versions of Special Publication 800-63, NIST recommended regular password changes, on the assumption that a compromised password would then be usable for a shorter time. The BSI likewise recommended in its IT-Grundschutz measure M 2.11 ("Regelung von Passwörtern", rules for passwords) that users change their passwords regularly.


Below we compare the earlier recommendations of the BSI and NIST:

| Institution | Period | Minimum Length | Complexity | Change Frequency | Source |
| --- | --- | --- | --- | --- | --- |
| NIST | Before 2017 | At least 8 characters | At least one uppercase letter, one number, and one special character | Every 60-90 days | NIST SP 800-63-2 (2013) |
| BSI | Before 2021 | At least 8 characters | Combination of uppercase and lowercase letters, numbers, special characters | Every 90 days | BSI IT-Grundschutz (until 2020) |

My other blog post 🔐 ❌ No more 8 characters: Passwords are changing and why 8 characters are no longer enough 🔐 looks at how many characters a secure password needs today. Measured against that, it quickly becomes clear that I also consider these earlier recommendations clearly outdated.



How NIST and BSI view password security today and why their recommendations have changed

This approach has changed considerably in the current guidelines. In the 2017 revision, SP 800-63B, NIST dropped periodic password changes: verifiers should not require memorized secrets to be changed arbitrarily, but must force a change when there is evidence of compromise. The change is based on the finding that forced frequent changes lead to weaker, more predictable passwords and thus to more security gaps, not fewer. Instead, measures such as multi-factor authentication (MFA), checking a new password against lists of commonly used and previously breached values, and avoiding password reuse are emphasized. The BSI has also made clear in the IT-Grundschutz Compendium 2021 that regular, mandatory password changes should no longer be considered a necessary measure. Instead, the focus is on password managers and strong, unique passphrases, secured with additional protective measures such as MFA.

| Institution | Minimum Length | Complexity | Change Frequency | Additional Measures | Source |
| --- | --- | --- | --- | --- | --- |
| NIST | At least 8 characters (user-chosen) | No enforced complexity, focus on strong passwords / passphrases; new passwords are checked against lists of common and breached values | Only when there is evidence of compromise | Multi-factor authentication (MFA), avoid password reuse | NIST SP 800-63B (2017) |
| BSI | At least 12 characters | No enforced complexity, passphrases preferred | Only when there is evidence of compromise | Use of password managers, MFA recommended | BSI IT-Grundschutz-Kompendium (2021) |

While the BSI has raised the requirement to at least 12 characters, NIST sticks with a minimum of 8. This difference shows how differently the two institutions respond to the challenges of modern password security. NIST focuses on usability and flexibility (8 is a floor; verifiers may require more and must reject passwords found in breach lists), while the BSI deliberately opts for more security through longer passwords or passphrases. A floor of only 8 characters carries a risk, because short passwords are within reach of offline cracking once a hash leaks, whereas the BSI's 12 characters put password security on a more sustainable footing.


The change in password recommendations from NIST and BSI is based on in-depth insights into actual security practices and user behavior. Previously, it was believed that frequent password changes and complex rules such as the use of special characters, numbers, and upper and lower case letters increased security. However, studies such as those from Microsoft Research, and the 2010 study by Zhang, Monrose and Reiter at the University of North Carolina, have shown that when password changes are forced, users often make only minimal changes - such as incrementing a number at the end of the password - which is predictable and hardly improves security; the UNC study found that knowing a user's previous password allowed the new one to be derived by an offline attack for 41% of the accounts examined. These findings were a key factor in adapting the policies: strict, regular password changes reduce the user experience without offering significant security benefits.


Technological advances have also contributed to the change. Multi-factor authentication (MFA) has established itself as one of the most effective protection mechanisms in recent years. Reports such as the Verizon Data Breach Investigations Report show that MFA significantly reduces the risk of compromise even when passwords are cracked or exposed in leaks. Another key argument against the old guidelines is the avoidance of password reuse. Cybercriminals increasingly rely on credential stuffing, in which passwords stolen from one service are systematically tried against other services. According to a study by Shape Security, around 80 to 90% of login attempts on large websites are such attacks. The new recommendations, which focus on unique passwords and MFA, reduce this risk far more effectively than the old, rigid rules.
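As an added example of how a defender sees credential stuffing in practice (this is not part of the original post): the detection below flags a source address that tries many distinct usernames with a low success ratio inside a short window, which is what replaying a leaked credential list looks like, as opposed to one user mistyping their own password. The log lines and their field layout (timestamp, source IP, username, result) are constructed for this demo and are not any product's real format.

```python
# Added example (not from the original post): spotting credential stuffing in
# authentication logs. SAMPLE_LOG is constructed for this demo; the field layout
# (timestamp, source IP, username, result) is an assumption, not a real format.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL
2024-05-01T10:00:02Z 203.0.113.10 bob FAIL
2024-05-01T10:00:02Z 203.0.113.10 carol FAIL
2024-05-01T10:00:03Z 203.0.113.10 dave SUCCESS
2024-05-01T10:00:03Z 203.0.113.10 erin FAIL
2024-05-01T10:00:04Z 203.0.113.10 frank FAIL
2024-05-01T10:00:05Z 203.0.113.10 grace FAIL
2024-05-01T10:00:06Z 203.0.113.10 heidi FAIL
2024-05-01T10:00:07Z 203.0.113.10 ivan FAIL
2024-05-01T10:00:08Z 203.0.113.10 judy FAIL
2024-05-01T10:00:09Z 203.0.113.10 mallory FAIL
2024-05-01T10:00:10Z 203.0.113.10 oscar FAIL
2024-05-01T10:05:00Z 198.51.100.7 alice FAIL
2024-05-01T10:05:20Z 198.51.100.7 alice FAIL
2024-05-01T10:05:41Z 198.51.100.7 alice SUCCESS
2024-05-01T10:06:00Z 192.0.2.44 bob SUCCESS
"""


def parse(log_text: str) -> list:
    """Turn the constructed log into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events: list, window: timedelta = timedelta(minutes=5),
                               min_users: int = 8, max_success_ratio: float = 0.2) -> dict:
    """Flag source IPs that try at least `min_users` *distinct* usernames within
    `window` with a success ratio at or below `max_success_ratio`.
    A single user retrying their own password never trips this: one username.
    Returns {ip: summary}; `hit_accounts` are the accounts whose leaked password
    worked and therefore need a forced reset (NIST's 'evidence of compromise')."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):           # sliding window over time-sorted rows
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "successes": successes,
                    "hit_accounts": sorted(u for _, u, ok in chunk if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The one success inside the flagged burst (the account `dave` in the constructed log) is exactly the "evidence of compromise" on which both NIST and BSI want a forced password change, independent of any rotation interval; the thresholds are assumptions to be tuned per environment.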


Both NIST and the BSI go well beyond passwords in their current recommendations and emphasize the need for stronger, passwordless authentication methods. SP 800-63B favors phishing-resistant ("verifier impersonation resistant") cryptographic authenticators over memorized secrets; FIDO2/WebAuthn security keys and passkeys fall into that category, even though the 2017 edition does not name FIDO2 itself - explicit treatment of passkeys (syncable authenticators) came with the later 800-63-4 drafts and the 2024 supplement to 800-63B. FIDO2-based methods such as passkeys, or biometrics (fingerprint, facial recognition) unlocking a FIDO2 credential, are seen as secure and user-friendly alternatives to passwords because they are resistant to phishing and credential stuffing. The BSI also recommends such technologies in its current guidelines: the IT-Grundschutz Compendium points out that cryptographic methods such as those used in FIDO2 or smart cards significantly increase security while improving usability. Both institutions recognize that passwords are often the weakest link in the chain and aim in the long term to replace password-based systems with more secure alternatives.



Why not changing passwords regularly is not without risks:
A critical look at the recommendations of BSI and NIST

BSI and NIST are undoubtedly right to focus their recommendations on passwordless authentication methods such as FIDO2, passkeys and biometric methods. These technologies offer significant advantages over traditional passwords because they overcome the known weaknesses of password-based security. With FIDO2 the credential is a key pair bound to the site's origin and nothing reusable is transmitted or stored on the server, so phishing, credential stuffing and password interception through leaks largely become a thing of the past. It is therefore clear that the future of secure authentication lies in these passwordless technologies, which are not only more secure but also more user-friendly.


However, the complete replacement of passwords with passwordless methods will not happen overnight. In the meantime, passwords remain a central component of cyber security in many areas. And this is precisely where the problem lies when BSI and NIST recommend not changing passwords regularly. As long as passwords still play a role, they continue to pose a risk - be it through weak, reused or stolen passwords.

Although the long-term focus is on passwordless methods, I think it is risky to forego best practices during the transition period without more secure alternatives being implemented across the board.


For a detailed look at passwordless technologies and their advantages, I also recommend my blog post ⚙️ Authentication Reinvented: Passwordless in the Digital Future 🌍, in which I discuss the importance and future of FIDO2 and similar approaches.



Are the new recommendations misleading in terms of security?

A key point that the current recommendations from BSI and NIST do not address sufficiently is password reuse - using the same password across different platforms. Studies show that between 60 and 65% of people reuse their passwords, often for business AND private accounts. This means that a password compromised in one leak can easily be used against other platforms. As noted above, Shape Security estimates that around 80 to 90% of login attempts on major websites are credential stuffing attacks using passwords stolen in earlier data leaks. Those leaks, some of them several years old, remain dangerous because many users never change their passwords - and that is precisely where the problem lies. NIST does require a new password to be checked against lists of known-breached values at the moment it is chosen, but that is a point-in-time check: a password that leaks later, from a private account a company cannot see, stays in circulation. Companies can only control the passwords of business accounts; a password leak from a private account remains invisible to them - yet it can have the same consequences as a leak in the business environment if the same password is used at work.


Another serious problem is the sheer volume of passwords circulating in data leaks. One example is the infamous "Collection #1", which contained over 773 million email addresses and 21 million unique passwords. Much of this data comes from older leaks, some up to ten years old, and continues to be used by criminals. It is estimated that on average companies take over 200 days to identify a breach - if they identify it at all - and during that time stolen passwords can be abused on a large scale without anyone noticing. In addition, it is often difficult to identify a leak before an actual attack on the systems has taken place. Passwords from leaks can therefore remain in active circulation for years without companies or users knowing about it.


Another point that is often overlooked in the discussion of password security is that even a minimally changed password, such as one with a single digit changed, appears in a data leak as a completely new hash. When a password is published in a leak, it is often only available in hashed form - sometimes as a fast, unsalted hash such as SHA-256 or NTLM, sometimes as a slow, salted hash such as bcrypt. The hash is initially useless to an attacker until it has been cracked - or unless the attack technique needs only the hash (pass-the-hash against NTLM, for example). Even if a user changes just one digit at the end of the password, the system stores a completely new hash, and nothing in that hash tells the attacker that only a small change was made until it has been cracked.


An example (SHA-256 of the UTF-8 string, without salt):

  • Password: Password123 

    → SHA-256 hash: 008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601

  • Password: Password124 

    → SHA-256 hash: a completely different 64-hex-digit value with no visible relation to the one above (any SHA-256 tool will show it)


As you can see, changing one digit produces an entirely new hash; on average about half of the 256 bits flip. It is true that incrementing a digit does not make the password more secure in itself, since once the hash is cracked the attacker immediately recognises patterns such as number sequences. But as long as the hash has not been cracked (hashes are not "decrypted"), that pattern is invisible. The cost of the first phase - cracking the hash - is therefore the same per guess whether a digit was changed or a completely new password was chosen, with one caveat: a cracking tool that already knows the old password will try exactly these one-digit variants among its very first guesses, so "the same effort" may be very little effort when the hash is a fast, unsalted one.

If a password is leaked in plain text, the attacker of course knows it immediately - so changing one digit does not make the password more secure as such. Depending on the type of leak, however, it can still make an attack harder.
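The effect described above, as an added example that is not part of the original post: it hashes the two passwords, counts how many of the 256 bits differ, and then runs the kind of rule-based guessing a cracking tool does once it knows the old password. The `mangle` rule set is a deliberately tiny, illustrative subset assumed for this example, not any real tool's rules; it uses only the Python standard library.

```python
# Added example (not from the original post): why "Password123" and "Password124"
# hash to unrelated values, and why that does not slow down an attacker who
# already knows the old password. Standard library only.
import hashlib
from typing import Iterator, Optional, Tuple


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password, as it often appears in leaked dumps."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hamming_distance_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def mangle(old_password: str) -> Iterator[str]:
    """A tiny, assumed subset of the mangling rules a cracking tool applies to
    a known old password: bump the trailing number, append a digit or symbol,
    swap case. Real rule sets (hashcat's best64 etc.) are far larger."""
    stem = old_password.rstrip("0123456789")
    digits = old_password[len(stem):]
    if digits:
        width = len(digits)
        for delta in range(1, 10):            # Password123 -> Password124, 125, ...
            yield f"{stem}{int(digits) + delta:0{width}d}"
    for d in "0123456789":                    # Password123 -> Password1230, ...
        yield old_password + d
    for suffix in ("!", "?", "#"):            # Password123 -> Password123!
        yield old_password + suffix
    yield old_password.swapcase()             # Password123 -> pASSWORD123


def crack_with_old_password(target_hash: str, old_password: str) -> Optional[Tuple[str, int]]:
    """Offline attack: hash each mangled candidate and compare with the leaked hash.
    Returns (recovered_password, guesses_needed) or None if no rule matched."""
    for n, candidate in enumerate(mangle(old_password), start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, n
    return None


if __name__ == "__main__":
    h_old, h_new = sha256_hex("Password123"), sha256_hex("Password124")
    print("Password123 ->", h_old)
    print("Password124 ->", h_new)
    print("bits that differ:", hamming_distance_bits(h_old, h_new), "of 256")
    print("recovered from old password:", crack_with_old_password(h_new, "Password123"))
```

The two digests share nothing, which is the author's point; the second half of the run shows the caveat: with the old password in hand, `Password124` falls on the first guess, so the protection only holds while the attacker has neither the hash cracked nor the previous password.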



Conclusion and personal recommendations: Why a balanced approach to password security remains crucial

FIDO2 and passwordless logins are undoubtedly the way forward for the future of cyber security. They offer strong protection against phishing, credential stuffing and other attacks that make traditional passwords vulnerable. But the reality is that many companies have not yet switched to these technologies across the board or even have them on the roadmap. Until they do, password-based authentication will continue to be the norm, and this is where my concerns about the current recommendations from BSI and NIST come into play.


Not changing passwords regularly, as both NIST and BSI suggest, risks increasing the attack surface - especially when NIST requires only 8 characters as a minimum length. In a world where passwords keep turning up in leaks and password reuse is widespread, I think this policy should be adapted. Password changes should not be as frequent as before, but intervals of around 180 days combined with a quality check - for example in Active Directory or Microsoft Entra ID (formerly Azure AD) - would be useful. Such a check would ensure that a new password is neither identical nor too similar to previous ones, which would significantly increase security, and it would also make it easy to reject passwords that already appear in known breach lists.
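What such a quality check could look like, as an added example that is not part of the original post and not any product's built-in policy: a new password is rejected if it is shorter than the minimum, too similar to a previous one after folding the usual tricks (case, trailing digits and symbols, l33t substitutions), or present in breach data looked up via the k-anonymity scheme of Have I Been Pwned's Pwned Passwords API (only the first five hex digits of the SHA-1 leave the client). `MIN_LENGTH`, `MAX_SIMILARITY` and the breach sample `SAMPLE_RANGES` are assumptions of this example; a real deployment would fetch the bucket for the hash prefix from the API instead of reading a local dict.

```python
# Added example (not from the original post): a password-change quality check -
# length, similarity to previous passwords, and a k-anonymity breach lookup.
# Thresholds and the breach sample are assumptions for this demo.
import hashlib
import re

MIN_LENGTH = 12          # the BSI figure quoted in the article; tune to your policy
MAX_SIMILARITY = 0.8     # assumption: reject if more than 80% of the old password survives


def sha1_upper(password: str) -> str:
    """SHA-1 in the upper-case hex form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def normalize(password: str) -> str:
    """Fold the cheap variations users make under pressure: case, trailing
    digits/symbols, and common l33t substitutions (@->a, $->s, 0->o, 1->l, ...)."""
    p = re.sub(r"[0-9!?#*._-]+$", "", password.lower())
    return p.translate(str.maketrans("@$01435", "asolaes"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(new: str, old: str) -> float:
    """1.0 = identical after normalization, 0.0 = nothing in common."""
    a, b = normalize(new), normalize(old)
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def build_sample_ranges(breached_passwords: list) -> dict:
    """Constructed stand-in for the API's response buckets: {prefix: ["SUFFIX:count", ...]}.
    The passwords below are declared 'breached' for this demo only."""
    ranges: dict = {}
    for pw in breached_passwords:
        d = sha1_upper(pw)
        ranges.setdefault(d[:5], []).append(f"{d[5:]}:1000")
    return ranges


SAMPLE_RANGES = build_sample_ranges(["Password123", "Winter2024!", "Sommer2023"])


def breach_count(password: str, ranges: dict) -> int:
    """k-anonymity lookup: match the SHA-1 suffix inside the bucket for its prefix."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, []):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_new_password(new: str, previous: list, ranges: dict) -> list:
    """Return the reasons the change must be rejected; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(similarity(new, old) > MAX_SIMILARITY for old in previous):
        reasons.append("too similar to a previous password")
    n = breach_count(new, ranges)
    if n > 0:
        reasons.append(f"appears in breach data ({n} times)")
    return reasons


if __name__ == "__main__":
    history = ["Firmenname2023!"]
    for candidate in ("Firmenname2024!", "Password123", "correct horse battery staple 2024"):
        print(candidate, "->", check_new_password(candidate, history, SAMPLE_RANGES) or "accepted")
```

In Active Directory the built-in password history only blocks exact reuse of the last N passwords, so a similarity check like this has to sit in a password filter or an identity-management workflow; Microsoft Entra ID Password Protection covers the banned-list part (global and custom lists) for cloud accounts and, via its agent, for on-premises AD.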


In this context, regular password changes would still make sense - not as often as previously recommended, but at defined intervals to reduce the attack surface. A fixed change interval would help limit how long an old, leaked password keeps working. Even with classic multi-factor authentication (MFA), the risk remains that a compromised password is exploited in combination with social engineering (MFA fatigue or push bombing, for example) or other attack methods. The challenge is to find the balance between usability and security. While the focus and the future lie in passwordless technologies, we should not ignore the current dangers posed by password-based authentication. A measured approach that renews passwords at regular intervals is and remains an important step to ensure security during the transition phase.


My biggest criticism of the recommendations from NIST and BSI is that they can lead to a false conclusion: many companies read the absence of a change requirement as a free pass. That one guideline is implemented without the other measures BSI and NIST call for, and without any further steps to improve password security. This is dangerous because it delays the adoption of secure passwordless technologies and leaves existing vulnerabilities unaddressed.


It is not enough to simply not change passwords - companies must take other recommendations such as MFA, FIDO2, password managers and strong, unique passwords seriously. This is the only way to truly ensure security in today's transition phase.
