5 Password Protection Fallacies

Cybersecurity Awareness Month Series [PART 1]: 5 Password Protection Fallacies 

Produced by David Ralstin, Chief Information Security Officer for Allied Solutions | October 7, 2020

In Special Publication 800-63B, the National Institute of Standards and Technology (NIST) has revised several password rules that were previously thought to improve security.1 The revised recommendations aim to remove the weaknesses that enforcing those rules actually creates in the passwords users end up choosing.

According to NIST, the following "protections" are no longer considered necessary, and in several cases are harmful, when establishing your employees' or accountholders' password requirements:


Password Protection Fallacy #1: Require Special Characters in Passwords

NIST now suggests companies eliminate special character requirements, stating the following regarding the adverse effect these rules can have: “Users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”

NIST also now says that verifiers should accept any printable ASCII character, the space, and Unicode characters in passwords, rather than rejecting particular ones (e.g. spaces and dashes). Rejecting characters only shrinks the space an attacker has to search.


Password Protection Fallacy #2: Don’t Allow the Copying and Pasting of Passwords

According to the new guidelines, verifiers should permit pasting into password fields. Blocking paste adds negligible protection, and it gets in the way of password managers, which make it far more likely that users will choose long, random secrets instead of memorable, reused ones.


Password Protection Fallacy #3: Require that Passwords be Changed on a Regular Basis

According to NIST: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future… They often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”

Note that NIST drops only the change on a fixed schedule: a verifier is still required to force a change when there is evidence that the secret has been compromised.


Want to learn about other password protection best practices to enforce for your employees and accountholders? Click here to download “Risk Checklist: Password Security for Account Holders” 


Password Protection Fallacy #4: Put a Cap on the Number of Characters

NIST sets the minimum length for a user-chosen password at eight characters and recommends that password fields accept passwords of at least 64 characters in total (not 64 on top of the eight), so that more users can adopt longer pass phrases, which add real strength without the predictability that composition rules create. The only reason to cap length at all is to bound the cost of hashing a very long input, and that cap should sit well above 64.
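The following Python example, added here and not part of the original post or of NIST's publication, implements the acceptance rule that fallacies #1, #3 and #4 point to: no composition rules, any character including spaces and Unicode accepted, a minimum of 8 and a generous maximum well above 64 characters, a blocklist lookup that sees through the predictable "Password1!" / "P@ssw0rd" padding, and rejection of a new password that is a common transformation of a previous one (the attacker's view of a forced rotation). The blocklist, user names and previous passwords are constructed sample data, and the set of transformations in `rotation_candidates` is an assumed illustration of what an attacker tries first, not a list taken from SP 800-63B.

```python
import re
import unicodedata

# Constructed sample blocklist. A real deployment loads a breach-derived corpus
# (hundreds of thousands of entries) plus words specific to the service.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

MIN_LEN = 8      # SP 800-63B minimum length for user-chosen secrets
MAX_LEN = 256    # bound on hashing cost only; well past the 64 NIST asks verifiers to permit
TRAILING_SYMBOLS = "!@#$%^&*.?_-"
LEET = str.maketrans("@$0134", "asoiea")   # usual substitutions made to satisfy a symbol/digit rule


def normalize(secret):
    """NFKC-normalize so the same Unicode secret compares equal whichever
    platform typed it (SP 800-63B asks for a stable normalization before hashing)."""
    return unicodedata.normalize("NFKC", secret)


def canonical(secret):
    """Strip the padding users add to satisfy composition rules, so that
    'Password1!' and 'P@ssw0rd' both reduce to 'password' for the blocklist lookup."""
    s = secret.lower().strip()
    s = s.rstrip(TRAILING_SYMBOLS).rstrip("0123456789").rstrip(TRAILING_SYMBOLS)
    return s.translate(LEET)


def split_numeric_suffix(secret):
    """'Summer2020!' -> ('Summer', '2020', '!')."""
    stem, digits, symbols = re.fullmatch(r"(.*?)(\d*)([^\w]*)", secret, re.DOTALL).groups()
    return stem, digits, symbols


def rotation_candidates(old):
    """The attacker's first guesses when a policy forces a change and the old
    secret is known: bump the trailing number, swap or add a symbol, flip case.
    (Assumed rule set for illustration, not a list taken from SP 800-63B.)"""
    stem, digits, symbols = split_numeric_suffix(old)
    cands = set()
    if digits:
        for step in range(1, 6):
            cands.add(f"{stem}{int(digits) + step:0{len(digits)}d}{symbols}")
    else:
        for d in "1234":
            cands.add(f"{stem}{d}{symbols}")
    for s in "!@#$":
        cands.add(f"{stem}{digits}{s}")            # symbol swapped
        cands.add(f"{stem}{digits}{symbols}{s}")   # symbol appended
    cands.update({old.capitalize(), old.swapcase(), old.upper()})
    cands.discard(old)
    return cands


def check_password(new, previous=(), context=(), blocklist=COMMON_PASSWORDS):
    """Acceptance rule in the spirit of SP 800-63B: length and a blocklist,
    no composition rules, any character (spaces, Unicode) allowed, and a new
    secret that is a predictable edit of an old one rejected."""
    new = normalize(new)
    if len(new) < MIN_LEN:
        return False, f"too short (minimum {MIN_LEN} characters)"
    if len(new) > MAX_LEN:
        return False, f"too long (maximum {MAX_LEN} characters)"
    canon = canonical(new)
    if canon in blocklist:
        return False, "matches a common or breached password"
    for word in context:                      # user name, service name, etc.
        if word.lower() in canon:
            return False, "contains the user name or service name"
    for old in previous:
        old = normalize(old)
        if new == old or new in rotation_candidates(old):
            return False, "predictable transformation of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input: each pair is (candidate, previous secrets).
    samples = [
        ("Password1!", []),
        ("P@ssw0rd", []),
        ("Summer2021!", ["Summer2020!"]),
        ("correct horse battery staple", []),
        ("x" * 70, []),
    ]
    for pw, prev in samples:
        ok, why = check_password(pw, previous=prev, context=["allied", "jdoe"])
        print(f"{pw[:32]:32} -> {'accept' if ok else 'reject'}: {why}")
```

Running the script rejects the first three samples (blocklisted after canonicalization, or a one-digit bump of the old secret) and accepts the 28-character phrase with spaces and the 70-character string, which a 64-character cap would have refused. The canonicalization is deliberately aggressive: it is better to refuse a few unusual secrets than to let the padded form of a breached password through.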


Password Protection Fallacy #5: Substitute Passwords with Password-less Options

Even though password-less features like biometric logins (e.g. face or fingerprint recognition) exist for many apps and devices, it is smart to keep a password (or another authenticator the user possesses) as a second layer. NIST itself does not treat a biometric as a stand-alone authenticator: a biometric can only be used together with another authentication factor, never on its own.

It is important to adopt the latest password and data protection recommendations to reduce fraud and security risks to your organization, employees, and consumers. Visit the “Allied Trust Center” to learn more about what we are doing to protect our clients, vendors, and employees.


About Allied Solutions

Allied Solutions, LLC is one of the largest providers of insurance, lending, and marketing products to financial institutions in the US. Allied Solutions uses technology-based products and services customized to meet the needs of 4,000 clients, along with a portfolio of innovative products and services from a wide variety of providers. Allied Solutions maintains over 16 regional offices and service centers around the country and is a subsidiary of Securian Financial Group, Inc.

1 NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.


Content in the blog posts are the opinion and views of the writer, and don't necessarily reflect the opinions or views of Allied Solutions.
