In July of 2017, the National Institute of Standards and Technology (NIST) published a somewhat controversial update to its recommended password standards. The NIST is the US Federal agency that, among many things, researches and creates policies regarding Information Systems controls and standards. NIST policies serve as standards for many industry security controls and laws including FISMA, HIPAA, FINRA, PCI, SEC and SOX. So a change to accepted password security norms from the NIST is a pretty big deal and over time will cycle down into accepted security standards like COSO and ISO.
Since the document is 74 pages long, let's cut to the chase and take a look at three notable changes the NIST makes to current password security practices that caught my eye:
- End required password resets.
- Simplify password complexity requirements.
These two are significant changes to password security norms and are being met in the IT world with cringes and skepticism. But the NIST does its homework, and it is likely that with time these will filter their way into IT organizations and authentication solutions.
End Required Password Resets
Users will LOVE this one. Being forced to change passwords every 30, 60, or 90 days creates significant discord in some organizations. The thought process behind frequent forced password changes is that if a password becomes compromised, the change can help prevent it from being used in an attack or to access sensitive data.
The NIST asserts that the password changes are ineffective because:
- Users change a single letter, capitalization, or character, or append one character to an existing password to satisfy the policy, which does little to enhance security.
- Users use insecure methods to keep track of frequently changed passwords.
- Attackers running brute-force password attacks are aware of these password-change tendencies and incorporate them into their guesses.
- Password changes do not help against one of the most common attack vectors, phishing.
Simplify Password Complexity Requirements
Password complexity requirements make password creation and changes a pain. This pain is accepted in the name of security, but the NIST asserts that, like required password resets, it is an ineffective password security requirement. It is possible that the password produced with the extra time and care it takes to include CAPS, numbers, and special characters isn't so unpredictable after all. In fact, in SP 800-63B the NIST comments: "Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past."
NIST suggests softening password complexity because complex passwords often:
- Use predictable character substitutions.
- Are written down or stored in vulnerable ways.
- Are as easily phished as simple passwords.
Suggestions for Creating Strong Passwords
So a new password policy that implements the updated July 2017 NIST suggested guidelines would incorporate the following:
- Less frequent or no required password resets
- No password complexity requirements
- Minimum of 8 characters for passwords and 6 digits for PINs
- Two-factor authentication (2FA), not including email (NOTE: SMS/text authentication is not mentioned in the updated NIST at this time)
- No use of password hints
- Encrypted password storage
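As an added illustration (editor's example, not from the original post or from NIST), the checker below contrasts a legacy composition rule with a length-based rule in the spirit of the list above, and shows why the predictable substitutions mentioned earlier defeat complexity requirements. The tiny common-password set and the substitution table are constructed for the example; rejecting a password that reduces to a well-known one is a blocklist check that SP 800-63B also calls for, though the post does not list it.

```python
import re

# Constructed stand-in for a list of "passwords that have been successful in the past".
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer"}

# Predictable substitutions users make to satisfy composition rules (constructed table).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def normalize(pw: str) -> str:
    """Undo the predictable tweaks: a trailing run of digits/punctuation
    (the 'password1' -> 'password2' reset habit), leet substitutions, and case."""
    core = re.sub(r"[\d\W_]+$", "", pw)   # strip trailing '2017!', '1', etc.
    return core.translate(LEET_MAP).lower()


def legacy_policy(pw: str) -> bool:
    """Old-style composition rule: 8+ chars with upper, lower, digit and symbol.
    Accepts 'P@ssw0rd1!' and rejects a long lowercase passphrase."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_style_policy(pw: str) -> bool:
    """Length-based rule: at least 8 characters, no composition requirement,
    rejected only if it reduces to a commonly used password."""
    return len(pw) >= 8 and normalize(pw) not in COMMON_PASSWORDS


def pin_policy(pin: str) -> bool:
    """PINs: digits only, minimum of 6."""
    return pin.isdigit() and len(pin) >= 6


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "L3tm31n2017!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist_style={nist_style_policy(candidate)} -> {normalize(candidate)!r}")
```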
Now before you go banging on IT's bolted bunker door to change your password policies, let's pump the brakes a bit. The NIST standards are a guideline for many industries but it is important to wait for your industry compliance guidelines to incorporate these changes before axing your password complexity requirements or eliminating those forced password resets. But it is safe to say, as these new suggestions are further digested and begin to creep into organizations, a close eye will be kept on the frequency and attack vectors of security breaches and data loss.