New Password Rules from NIST

As things stand, passwords are still the cornerstone of user security. But with so many passwords to think up and remember for the websites and online applications we use, it’s small wonder that most of us struggle to follow security experts’ password advice and are tempted to use weaker passwords. Add to this the fact that the computing power available for password cracking just keeps growing, and it is easy to see the emerging problem.
So that’s the bad news, but is there a silver lining? Well, maybe. Perhaps it doesn’t need to be as hard as we make it, and NIST is trying to help. The United States National Institute of Standards and Technology (NIST) has formed new guidelines for password policies, which are used by the whole of the US government (the public sector). These guidelines can also be used by any organisation for its own user policies and by application developers.

Things You Should Do According to NIST’s Password Guidelines

1. Favour the User

Make password policies user friendly, put the burden on the verifier where possible, and stop asking users to do things that don’t actually improve security. Many so-called “best practices”, it turns out, don’t help enough to be worth the hassle they cause the user.

2. Size Matters

When it comes to passwords, that is. NIST’s new guidelines say you should require a minimum of 8 characters. This can be increased for more sensitive accounts. You should also allow a maximum length of at least 64, which would put many online service and cloud providers’ current policies to shame. Considering that passwords must be hashed and salted when stored (which converts them to a fixed-length representation), there is no reason for unnecessary restrictions on length.

3. Allow Special Characters

Applications should allow all printable ASCII characters, including spaces, in passwords and should also accept all Unicode characters. As consultants, we often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety.

4. Check for Common Bad Choices

Check new passwords against a dictionary of known “bad choices”. You don’t want to let people use 12345678, password1, ManUnited (this one is especially important!) etc. More research needs to be done into how to choose your “banned list,” but Jim Fenton at the PasswordsCon event in July suggested that 100,000 entries is a good starting point.
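
The four “should do” points above amount to a small set of checks a verifier can run when a user picks a password. The following Python example is added here to show those checks working together; it is not code from KRYPSYS or from NIST. It enforces the 8-character minimum and a 64-character maximum counted in code points (so a passphrase in a non-Latin script is not penalised for its UTF-8 byte length), accepts spaces and any Unicode, screens against a banned list, and deliberately imposes no composition rules. The banned list and the minimum/maximum constants are constructed sample values; the NFKC normalisation step is an assumption beyond this page, taken from NIST SP 800-63B’s recommendation to stabilise Unicode input before comparing or hashing it.

```python
import unicodedata

# Constructed sample banned list. A real deployment would load a far larger
# list; the page cites 100,000 entries as a suggested starting point.
BANNED_PASSWORDS = {
    "12345678",
    "password1",
    "manunited",
    "qwertyuiop",
    "letmein123",
}

MIN_LENGTH = 8    # minimum cited on the page
MAX_LENGTH = 64   # at least 64 must be allowed; a verifier may permit more


def normalize(password: str) -> str:
    # Assumption beyond the page: NIST SP 800-63B recommends NFKC (or NFKD)
    # normalisation so the same passphrase typed on different keyboards or
    # platforms compares equal before it is checked or hashed.
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str, banned=BANNED_PASSWORDS):
    """Return (ok, reason); reason is None when the password is acceptable."""
    # Printable characters, spaces and all of Unicode are accepted; only
    # control characters (which no user types on purpose) are rejected.
    if any(ord(c) < 0x20 or c == "\x7f" for c in password):
        return False, "control characters are not allowed"
    pw = normalize(password)
    # len() on a Python str counts code points, not bytes.
    if len(pw) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"
    # Design choice: the banned-list comparison ignores letter case so that
    # Password1 and PASSWORD1 are caught alongside password1.
    if pw.casefold() in banned:
        return False, "this password is too common"
    # Deliberately no composition rules: nothing here demands an upper-case
    # letter, a digit or a symbol, so a long passphrase passes as-is.
    return True, None


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "ManUnited", "short",
                      "пароль длиннее восьми"]:
        print(repr(candidate), validate_password(candidate))
```

The reason strings are returned rather than printed so a web form or API can surface them; the check order (cheap length tests before the banned-list lookup) matters little here but keeps the function easy to extend with a breached-password feed.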

Things You Should NOT Do According to NIST’s Password Guidelines

1. Don’t Enforce Composition Rules

This means: don’t have rules that force users to include particular characters or combinations, like those restrictive conditions on some password reset pages that demand your password contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@, etc. Allow users to choose freely, and encourage longer, easily remembered passphrases rather than hard-to-remember passwords.

2. No Password Hints

If you want people to have a better chance of guessing your password, just write it on a post-it note and stick it on your screen. People really do set password hints like “rhymes with massword” if you force them to think up hints.

3. Knowledge Based Authentication is Out

Stop using knowledge-based authentication (KBA). An example of KBA is when you are asked to pick from a list of questions like “Where did you attend high school?” or “What is your favourite football team?” and then provide an answer that can later be used to prove it’s you.

4. No More Expiration Without Reason

Users will love this. If you want users to comply and choose long, hard-to-guess passwords, you shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they have been forgotten, if they have been phished, or if you think that your password database has been stolen and could, therefore, be subjected to an offline brute-force attack.

NIST Also Provides More Advice for Developers

Passwords should be hashed, salted and stretched. You need a salt of 32 bits or more, a keyed HMAC hash using SHA-1, SHA-2 or SHA-3, and the “stretching” algorithm PBKDF2 with at least 10,000 iterations.
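
The hashing advice above can be implemented with nothing more than the Python standard library. The example below is added here and is not KRYPSYS’s or NIST’s code. It uses PBKDF2 with HMAC-SHA-256 (a SHA-2 member, as the page lists) and the 10,000-iteration minimum the page cites, generates a fresh random salt per password (16 bytes, well above the 32-bit minimum cited), stores the iteration count alongside the hash so the work factor can be raised later, and verifies with a constant-time comparison. The record format `pbkdf2_sha256$iterations$salt$hash` and the NFKC step (from NIST SP 800-63B, not from this page) are the example’s own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

ITERATIONS = 10_000    # minimum cited on the page; raise as hardware allows
SALT_BYTES = 16        # 128 bits, comfortably above the 32-bit minimum cited
HASH_NAME = "sha256"   # SHA-2 family member used inside the HMAC
KEY_LEN = 32           # derived-key length in bytes


def _prepare(password: str) -> bytes:
    # Assumption beyond the page: NFKC-normalise Unicode before hashing so
    # equivalent inputs from different platforms produce the same hash.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salthex$hashhex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac(HASH_NAME, _prepare(password), salt,
                             iterations, dklen=KEY_LEN)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        name = algo.removeprefix("pbkdf2_")
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(name, _prepare(password),
                                        bytes.fromhex(salt_hex), int(iters),
                                        dklen=len(expected))
    except (ValueError, TypeError):
        return False   # malformed record never verifies
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored work factor is below the current policy (upgrade on next login)."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                   # False
```

Because the iteration count travels with each record, you can raise `ITERATIONS` in a later release and call `needs_rehash` after a successful login to transparently re-hash old entries at the new cost.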
NIST advises that SMS should no longer be used in two-factor authentication (2FA). This is a potentially big change, as SMS is one of the main methods for delivering 2FA. There are a number of problems with the security of SMS, including malware that can redirect SMS messages, attacks against the mobile phone network (such as the so-called SS7 hack) and the ease of obtaining replacement SIMs.

The Way Forward

NIST’s goal is to get us to protect ourselves in the most effective way without unnecessary complexity, because complexity, when it is a burden on users, works against security. Password policies will need to evolve as we learn more about how people use and abuse them. Unfortunately, there have been more than enough breaches for us to see the impact of certain types of policy, such as Adobe’s 2013 hack, which revealed the danger of password hints.

If your company is affected by any of the points raised in this article, please feel free to get in touch with KRYPSYS to see how we can help.