Information Security

What new NIST password recommendations should enterprises adopt?

NIST is coming up with new password recommendations for the U.S. government. Expert Michael Cobb covers the most important changes that enterprises should note.

The National Institute of Standards and Technology, or NIST, is creating new guidelines for password policies that will be adopted by the U.S. government. The draft Digital Authentication Guideline is open for public comment on GitHub and NIST's website. What are the most significant changes in NIST's recommendations, and should enterprises consider adopting them?

Many enterprises and online services are looking to replace the much maligned password. Several financial service companies, for example, are rolling out biometric authentication options for their customers, and Google offers the option of two-factor authentication, where a verification code is sent to a user's mobile phone.

However, there's still no universally accepted alternative to the password. So, despite its weaknesses, both in terms of security and practical use, many systems rely on it -- even if only as a fallback for when a user's fingerprint or voice can't be correctly identified. Since passwords are here to stay for a while longer, it's refreshing to see research by NIST looking at how to make password authentication more robust and more user-friendly.

NIST has been studying how passwords are created and used, in order to produce more effective password recommendations and policies. Special Publication 800-63-3: Digital Authentication Guideline is still a work in progress -- the latest version is available on GitHub -- but it already proposes some significant changes to what has long been accepted as best practice; as it turns out, several of those accepted practices don't actually improve security.

The overriding principle behind the NIST password recommendations is to make password policies user-friendly, as arduous password rules end up being circumvented or ignored by users and support desks, negating any possible security benefits. Many users also reuse passwords between sites, so a user's eight-character-long, complex work password can be vulnerable if it's used in their online banking and social media account logins, as well.

It's not surprising that one of NIST's first password recommendations concerns length: randomly generated secrets, such as PINs, should be at least six characters long; user-chosen passwords should be a minimum of eight characters; and systems should accept passwords of at least 64 characters, so that long passphrases are never rejected. Remembering a password longer than eight characters is not necessarily easy, but NIST's new guidelines allow the use of all printable ASCII characters, including the space, as well as all Unicode characters, including emoji, to improve usability and increase variety. Just as importantly, the draft advises against composition rules that force a mix of character types. Combine this with the recommendation that users should be encouraged to create longer phrases instead of hard-to-remember passwords, or passwords based on character swaps, such as "pA55w0rd" -- which may appear complex, but, in fact, are not, because cracking tools try those substitutions first -- and it opens the way for long, complex and easy-to-remember passwords.

Also, passwords should no longer be automatically expired after a set period unless there's a good reason, such as the password having been forgotten, or a suspicion that it has been phished or stolen and could therefore be subjected to an offline brute-force attack. This means there has to be some form of monitoring in place to detect potential compromises. LinkedIn didn't know for years that its password database had been compromised and, thus, had no reason to force users to change their passwords. Had users been made to change their passwords every few months, the database of passwords from 2012 would have been useless against LinkedIn itself -- though any of those passwords reused on other sites would still have been exposed.

There is also advice on how to store users' passwords safely. All passwords must be salted with a random per-user value, then hashed and stretched -- run through a deliberately slow, approved key derivation function, such as PBKDF2, with as many iterations as the verifier can afford -- before being stored. This dramatically reduces the ability of attackers to cost-effectively crack passwords, either in bulk or individually. Systems also need to check new passwords against a dictionary of known bad choices: commonly used passwords, passwords from previous breaches, dictionary words and context-specific strings, such as the company name or the user's own username. Administrators need to ensure this dictionary matches their users' most likely choices, which, depending on location and industry, may not exactly match the world's 100 most likely passwords; a list of 100,000 such entries is suggested as a good starting point.
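The following is an added example, not code from the article or from NIST, of a verifier that applies the two storage and selection rules above: it rejects passwords that are too short, too long, on a blocklist, or on the blocklist once obvious character swaps such as "pA55w0rd" are undone, and it stores only a salted, stretched PBKDF2 hash. The blocklist, the iteration count and the 256-character cap are constructed assumptions for illustration; a real deployment would load a much larger, organization-specific list and tune the iteration count to its hardware. Passwords are NFKC-normalized before hashing so that the same visible Unicode characters always produce the same hash.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Constructed sample blocklist. A production list should hold on the order
# of 100,000 entries drawn from breach corpora plus organization-specific terms.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "acmecorp"}

# Common "leet" substitutions that crackers try first; undone before lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8         # user-chosen passwords: at least 8 characters
MAX_LENGTH = 256       # assumed cap; must be at least 64 to allow passphrases
PBKDF2_ITERATIONS = 100_000   # assumed; raise as far as latency budget allows
SALT_BYTES = 16        # random per-user salt, well above the 32-bit minimum


def normalize(password: str) -> str:
    """Apply Unicode NFKC so composed and decomposed forms hash identically."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is not."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:          # length counted in code points, not bytes
        return "too short"
    if len(pw) > MAX_LENGTH:
        return "too long"
    lowered = pw.lower()
    if lowered in blocklist:
        return "blocklisted"
    if lowered.translate(LEET_MAP) in blocklist:
        return "blocklisted after character substitutions"
    return None


def hash_password(password: str) -> str:
    """Salt and stretch the password; return a self-describing record."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ["pA55w0rd", "short", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Because the iteration count and salt are stored alongside the hash, the cost parameter can be raised later and old records re-hashed on the user's next successful login without a forced reset.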

While these guidelines may seem long overdue, the recommendation to do away with knowledge-based authentication (KBA), password hints and SMS codes is more contentious. KBA and password hints greatly reduce the number of costly and time-consuming password resets, but provide little additional security: Adobe's 2013 breach exposed users' plaintext hints alongside their poorly protected passwords, and the answers to typical KBA questions are too easy to find on the internet. NIST also deprecates one-time passwords sent via SMS, judging them too vulnerable because of mobile phone number portability, attacks such as the SS7 exploits against the mobile phone signaling network, and malware that can redirect text messages.

Any security control needs to continually evolve and adapt to how it is actually used in real life in order to withstand changing attack techniques and the constant rise of computing power. NIST's goal is to improve how users create, and systems store, passwords, reducing unneeded complexity wherever possible. Once finalized, SP 800-63-3 will become compulsory for U.S. federal agencies.

Enterprises should look at following these guidelines where practical, as they will be quickly considered best practice in the court of public opinion. Password length and complexity requirements can usually be changed relatively easily in most programs or through group policy, but changes such as eliminating SMS in two-factor authentication schemes won't be cheap or straightforward. Administrators will also need to implement an alternative account recovery process if they choose to abandon hints and KBA. There's no obvious substitute other than a password-reset email, which, if not implemented correctly, can also be insecure. It will be interesting to see what the final password recommendations are.

Article 3 of 6

This was last published in January 2017
