In a nutshell: Passwords remain central to IT security despite alternatives like passkeys. NIST recommends: no forced regular password changes, but immediate replacement upon compromise. Secure implementation requires TLS encryption, hashed storage, complexity checks, and brute-force protection.
Passwords have been a cornerstone of IT security for decades, yet despite repeated calls for their abolition, they remain indispensable. As the ever-growing flood of password dumps and data breaches continues, a holistic approach to secure authentication is becoming inevitable.
The use of passwords has a long tradition in information technology. There are regular calls to abandon them – yet this has not succeeded so far, although passkeys represent a promising approach. As a result, we all maintain extensive collections of passwords. Large password dumps appear regularly on the internet, and reports of data breaches are mounting, often without clarity about how the data leaked. Such incidents can affect any organization, so it makes sense to examine the subject of passwords thoroughly.
The NIST guideline SP 800-63B deals with passwords in detail and contains remarkably progressive requirements: verifiers and credential service providers must not force users to change passwords at regular intervals. However, they must enforce a change if there is evidence that the authentication credential has been compromised.
Access controls can be divided into three categories: what you are (biometrics, voice, appearance), what you have (keys, tokens, mobile phones), and what you know (username and password, PIN).
A password check is straightforward to implement – the entered password is compared with the stored value. However, several security aspects should be considered: transmitting passwords in plaintext is dangerous and requires Transport Layer Security (TLS). On the server side, passwords should not be stored in plaintext but only as salted hashes. Weak passwords can be recovered by trial and error – therefore, minimum length requirements and checks against databases of known (leaked) passwords are sensible. On the server side, password guessing should be detected and slowed down without locking out legitimate users. Random usernames would be ideal; in practice, however, email addresses are usually used, which reduces security because half of the credential pair is then easy to guess.
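A minimal verifier that puts the server-side points above into code, added here as an illustration (it is not code from cert.at or from the NIST document); the breached-password set, the thresholds and the user names are constructed placeholders:

```python
import hashlib, hmac, os, time
from typing import Dict, List, Optional

MIN_LENGTH = 8
# Constructed stand-in for a breached-password corpus (a real one is far larger).
KNOWN_BAD = {"password", "123456", "qwerty", "letmein"}

def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in KNOWN_BAD:
        return "found in breached-password list"
    return None

def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF (16 MiB here) so offline cracking of a leaked table is slow.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def hash_password(password: str) -> bytes:
    """Fresh random salt per password; the stored blob is salt || digest."""
    salt = os.urandom(16)
    return salt + _scrypt(password, salt)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(_scrypt(password, salt), digest)  # constant time

class Throttle:
    """Per-account limiter: after `limit` failures within `window` seconds the
    account is delayed rather than locked, so a legitimate user is never shut out."""
    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures: Dict[str, List[float]] = {}
    def allowed(self, user: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent  # forget failures older than the window
        return len(recent) < self.limit
    def record_failure(self, user: str) -> None:
        self.failures.setdefault(user, []).append(self.clock())

def login(user: str, password: str, store: Dict[str, bytes], throttle: Throttle) -> str:
    """Consult the throttle before touching the hash; every failure feeds it."""
    if not throttle.allowed(user):
        return "throttled"
    if user in store and verify_password(password, store[user]):
        return "ok"
    throttle.record_failure(user)
    return "denied"
```

The password is assumed to arrive over TLS; this sketch only covers what happens once it reaches the server.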
Source: www.cert.at