The National Institute of Standards and Technology (NIST) provided updated guidelines for memorized secrets (passwords) in June, 2017. (special publication 800-63B)
The new guidelines include the following language:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
“Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.”
“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses, dictionary words, repetitive or sequential characters (e.g. ‘aaaaa’, ‘1234abcd’), or context-specific words, such as the name of the service, the username, and derivatives thereof.”
The account lookup code will be changed to bring WOU credentials in alignment with the new NIST standards.
Forcing users to change their password frequently could actually make systems less secure. In most cases, passwords are exploited immediately. It is typical for a user to use a weaker password if they are required to change it often.
A long password is stronger. A 6-character password can be cracked in 11 hours, while a 9-character password takes 10 years, based on using the ASCII character set. The new account lookup system will contain the ability to use UNICODE characters also, making a password virtually impossible to break in a lifetime.
Account lookup will be modified during January / February, bringing it in compliance with the current NIST guidelines.
February 5, Banner will be production in the cloud. Banner authentication will be via SSO, which aligns Banner access with the memorized secrets set with account lookup.