NIST Challenges the Traditional Password Policies
Originally published in 2017 (NIST Special Publication 800-63B), the NIST (National Institute of Standards and Technology) guidelines were last updated on March 2, 2020.
NIST Password Guidelines apply to federal agencies; however, following the published general password guideline provides a foundation for any organization. Not only does the guide focus on the properties of a password, but it also offers further in-depth details with an additional focus on behavior. Passwords that comply with NIST password guidelines will be tough to crack and easy to use.
Read on to learn more about NIST password guidelines and why NIST standards are key to protecting your confidential data, keeping communications secure, and preventing cyber-attacks.
Length
NIST guidelines call for a minimum password length of eight characters.
Password length is a primary factor in password strength. Passwords that are too short can be compromised with a brute force attack or with a dictionary attack using words and commonly chosen passwords.
- Encourage the user to make their passwords as long as possible, within reason. The size of a hashed password is independent of its length, so there is no reason not to allow the use of lengthy passwords (or passphrases) if the user wishes.
- Set the maximum password length to 64 characters.
Complexity
In an attempt to make passwords harder to guess, complexity requirements are one of the typical methods applied when a password is composed. The introduction of unique characters and numbers creates a false sense of security for users.
Research has shown that people respond in predictable ways to meet the requirements during the password composition. An example is a user that may have used "muppets" as their password. The user is likely to choose "Muppets1" if they are required to include an uppercase letter and a number. Additionally, if the user must also add a symbol, the user may use "Muppets1#".
Additionally, when a password is rejected because of complexity requirements, especially with online services, many users respond with frustration and enter something insecure and simple. The length of a password has been proven to provide a higher level of protection.
To assist password complexity, we suggest allowing copy and paste functions within password fields to reduce mistakes and the time required for multi-factor authentication, which may be leveraged within a password manager.
As explained in Appendix A: “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
Resets
NIST guidelines state that periodic password-change requirements should be removed.
Most organizations require their users to reset their passwords every few months. Requiring your users to update passwords makes them less likely to be predicted or cracked.
However, frequent password changes can make security worse. People who update their passwords tend to make simple changes to old passwords. Most people merely change one character and either add a number or a letter to an existing password.
Password Manager(s)
Most organizations strive for a secure environment; one way to ensure we meet all requirements is to take some of the human error away. Providing a company-owned password manager can reduce human error and auto-generate passwords based on standard methods.
We suggest allowing copy and paste functions within password fields to reduce mistakes and the time required for multi-factor authentication, which may be leveraged within a password manager.
Lock After Multiple Attempts
NIST guidelines call for allowing no more than 100 attempts with an incorrect password.
Locking a user out of password-protected applications based on the number of incorrect passwords in succession should be considered a best practice.
While NIST provides the guideline of no more than 100 attempts for an incorrect password, best practice suggests a limit of no more than five attempts. Most applications have a limit far lower than 100 attempts and more than five attempts as a baseline before the user is allowed to attempt to sign on again.
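A minimal sketch of the lockout described above, added here as an illustration and not taken from NIST or any product. The class name, the 15-minute lock duration and the injectable clock are assumptions; the limits of five and 100 are the ones this article states.

```python
import time

MAX_FAILURES = 5        # the article's suggested best-practice limit
NIST_CEILING = 100      # the upper bound the article attributes to NIST
LOCK_SECONDS = 15 * 60  # assumed lock duration; the article does not give one


class AttemptLimiter:
    """Counts consecutive failed sign-ins per account and locks at the limit."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS,
                 clock=time.monotonic):
        if not 1 <= max_failures <= NIST_CEILING:
            raise ValueError("limit must be between 1 and %d" % NIST_CEILING)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock        # injectable so tests can control time
        self.failures = {}        # account -> consecutive failure count
        self.locked_until = {}    # account -> time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and start counting from zero again.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record(self, account, success):
        """Record one sign-in result; return True if the account is locked."""
        if self.is_locked(account):
            return True           # refuse attempts while locked, even correct ones
        if success:
            self.failures.pop(account, None)  # success resets the streak
            return False
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False
```

In a real service the counters would live in shared storage so that every application server sees the same state.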
Two-Factor Authentication
Two-factor authentication (2FA) is also referred to as two-step verification or dual-factor authentication. Two-factor authentication is a security process where users provide two different authentication factors to verify themselves. These factors are typically email, text, SMS, fingerprint, face scan, etc.
Implementing two-factor authentication, whether it is available natively or through a third-party application, is considered best practice in the digital era in which we live today.
NIST provides suggested guidelines around the use of two-factor authentication and biometrics.
Monitor Passwords
The current recommendation is to screen your passwords against commonly used password lists. Some passwords are in a compromised state before they are even created. Checking passwords against a widely used password list can prevent the use of sequential strings like “123456” and common words like “password.”
As mentioned above, using a password manager or a service that can check the strength of a password provides an additional layer of security to ensure passwords are difficult to guess.
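The Length and Monitor Passwords recommendations can be combined into one acceptance check. The sketch below is an added example, not code from NIST: the function names and the tiny blocklist are constructed for illustration, and the sequential-run test is an added heuristic that goes slightly beyond a plain list lookup.

```python
import unicodedata

MIN_LENGTH = 8   # minimum length stated in the Length section
MAX_LENGTH = 64  # maximum length stated in the Length section

# Constructed sample list; a real deployment would load a large list of
# commonly used and previously breached passwords.
SAMPLE_BLOCKLIST = {"123456", "password", "password1", "qwerty123", "muppets1"}


def is_sequential(pw):
    """True for runs such as '12345678' or 'hgfedcba' (added heuristic)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(password, blocklist=SAMPLE_BLOCKLIST):
    """Return the reasons a candidate password is rejected (empty = accepted).

    Deliberately has no uppercase/digit/symbol rules: only length and
    screening against known-bad values decide the outcome.
    """
    # NFKC so that visually identical Unicode input compares equal.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:  # len() counts code points, not bytes
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if pw.casefold() in blocklist:
        problems.append("found in common-password list")
    if is_sequential(pw):
        problems.append("sequential character run")
    return problems


if __name__ == "__main__":
    for candidate in ("Muppets1", "123456", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

"Muppets1" satisfies the uppercase-and-digit rule from the Complexity section yet is rejected by the list lookup, while a long all-lowercase passphrase is accepted.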
NIST password guidelines are updated regularly and evolve with our ever-changing cyber landscape. Adopting the NIST password standards means that password security will no longer be a weak link for your organization.