Protect Your Assets: New Password Rules

Updated guidelines from the National Institute of Standards and Technology (NIST) make major changes to existing recommendations about user passwords. This is a must-read summary for real estate agents who have existing and potential clients logging into their system to browse homes, request viewings, or communicate about purchase status and other personal information.

For many real estate agents, client data is among the business’s most valuable assets. However, too many businesses leave it under-secured, and existing security policies could be making the situation worse.

New guidance from the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has turned previous recommendations about digital identity and password protection on their head. Agents whose clients create private accounts should be aware of these changes so they can be sure security best practices are applied to the agency website.

Most surprising, perhaps, is that the revised rules place novel emphasis on password simplicity over complexity. This is because it’s become more evident that complex passwords aren’t necessarily any more secure.

It’s also important to check passwords against a blacklist of those most commonly used (such as “123456,” “password,” or “qwerty”) and block them from registration. Beyond that, though, NIST advises not implementing any other complexity requirements. It does, however, encourage limiting the number of allowed password entry attempts.

Perhaps the biggest change within the recommendations is the proposal to swap knowledge-based authentication for two-factor authentication (more on this below). There’s also additional guidance about the types of authentication factors that are acceptable, and the best ways to encrypt and safely store users’ passwords.

How Does this Guidance Affect Realtors®?

Although only federal agencies are regulated by NIST and obligated to comply with its new rules and recommendations, the institute’s advice has far wider applications. By making its guidelines publicly available, NIST has offered the opportunity for private-sector organizations to use the standards as a baseline for their own security policies and advanced digital security.

By adopting these measures, real estate agents aren’t just better protecting their clients’ online security. They’re also giving clients greater confidence in their ability to safeguard personal data and more reason to trust them – a powerful competitive advantage.

Following NIST’s steps to protect client data will help agents reduce the risk of reputation-damaging data breaches. What’s more, for agents who have European house hunters on their books, adhering to NIST recommendations gives them a head start on compliance with the EU’s forthcoming General Data Protection Regulation (GDPR). This is a new personal data protection regulation that becomes law in May 2018 and applies to all businesses offering goods or services to EU residents; heavy fines may be levied against noncompliant organizations.

Reasoning Behind the New Guidelines

For many years, increasing password complexity was seen as the best way to create stronger passwords. Part of the thinking behind the new NIST guidelines is that steps toward complexity have made things more complicated for users but have not resulted in increased security.

Complicated passwords are just as susceptible to commonly used attacks like phishing and keystroke logging. Also, users tend to respond to complexity cues — e.g., being told to add a digit — in predictable ways — like adding a 1. Creating complicated passwords makes them more difficult to memorize, too, which prompts users to write them down, establishing another point of vulnerability. Additionally, requiring users to change passwords regularly elicits a similarly foreseeable behavior. Many users simply tack on a digit or symbol to the end of their existing password.

How Can Passwords Be Made Stronger?

NIST says that password length matters more than complexity. While length has some of the same above-noted flaws as complexity, it’s more useful, especially when users can choose something longer but that’s still memorable to them. The new guidelines call for an 8-character minimum, but suggest allowing even up to 64 characters.

To create passwords of this length, users could make random combinations of words or, better still, use a password manager to generate them. To facilitate the use of these long, machine-generated passwords and password manager storage, NIST recommends that companies allow users to cut and paste passwords into login fields.

Essentially, the guidelines call for companies to make it as easy as possible for users. They also emphasize the company’s role in protecting users’ passwords. If a database breach should occur, it will have limited impact if passwords are securely encrypted. To this end, the guidelines lay out strong hashing and encryption standards.

Multi-Factor Authentication

The NIST guidelines further recommend shifting away from knowledge-factor authentication, which is simply demonstrating knowledge of one secret (such as a password). Instead, websites should adopt two-factor authentication before users can access personal data online.

This means that users should be able to verify at least two out of three identifiers: “something you know,” “something you have,” and “something you are.”

“Something you know” is usually covered by the password. “Something you have” typically refers to a device, like a mobile phone. “Something you are” is a bio-metric element, like a fingerprint reading or retinal scan. The “something you have” factor warrants further attention, as NIST has changed its recommendation.

It highlights the vulnerability of email as a source of verification, preferring Short Message Service (SMS) texting instead, though with caution. SMS is vulnerable to message forwarding or number porting, so NIST warns authenticators to be wary of behaviors that could indicate a compromised device. Nevertheless, SMS remains a more secure option than email in two-factor authentication.

Why Act Now?

Although real estate agents and brokers are not obliged to follow the NIST guidelines, their publication offers opportunities for agents to improve digital security on their websites. Implementing the new recommendations around passwords will benefit both internal users and clients.

The new guidelines also focus on making user login experiences less complicated, which is always a good thing. Enabling users to access online services more easily while simultaneously enhancing security is an all-around win.

Policies around the secure storage of passwords are also worth revisiting. It’s likely these can be updated in line with the NIST guidance, given the speed of change happening in encryption technologies.

Ultimately, working toward better securing clients’ personal data online can only be an improvement for all concerned. And it’s important to building trust and confidence, which is paramount in the real estate industry.