Authentication Nation: 5 Ways NIST is Changing How We Think About Passwords
Passwords have taken a beating over the past several years, and there seems to be little question among leading practitioners that the antiquated method of authentication needs a hefty remodel. To give an idea of scale, we assessed the biggest 1,000 organizations in the world and found that, across over 30,000 different breaches, 97% of these organizations had leaked corporate emails online. This should serve as a cautionary tale for all organizations to carefully examine their own password management practices. Following Microsoft’s updated password recommendations, the US National Institute of Standards and Technology (NIST) has recently come out with its own updated password guidelines.
When two major security industry influencers come to such similar conclusions, it’s a strong signal that companies should take a hard look at their password policies – both for their internal systems and their externally-facing services that have an identity store.
Many of the NIST guidelines are recommendations only, but a number of them are requirements that all federal government agencies must follow. That’s a broad reach of influence – but it’s even wider than that, because many corporate security professionals use them as base standards and best practices when forming policies for their companies in the private sector. Here is a quick overview of the main changes NIST has proposed:
- Minimum password length of 8 characters, with a maximum of no less than 64. The focus here is to fortify the system so it can manage the storage of these longer and more complex passwords. The burden thus lies with the verifier, easing password fatigue on users and simplifying processes.
- All ASCII and UNICODE characters should be allowed. Remembering a password longer than eight characters is not necessarily easy, but NIST's new guidelines allow the use of all printable ASCII characters, as well as all UNICODE characters (including emojis!) to improve usability and increase variety.
- Remove knowledge-based authentication and no more password hints. NIST is rejecting knowledge-based authentication (KBA) that can be discovered, or brute forced, by an attacker. In other words, the typical "first pet" or "mother's maiden name" password prompt is a thing of the past.
- Stop the practice of regular password expiration. If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
- Check against a list of “known-bad” passwords. NIST's experts say a mix of character types in passwords (such as at least one digit, uppercase letter and symbol) "is not nearly as significant as initially thought, although the impact on usability and memorability is severe." Instead, NIST recommends that user-chosen passwords be compared against a list of unacceptable passwords. That list should include passwords from previous breaches, dictionary words and specific words (such as the name of the service itself) that users are likely to choose.
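As an added example (not from the original article or from NIST), here is a verifier-side check in Python that applies the rules listed above: length bounds, every Unicode character accepted, no composition rules, and a blocklist comparison. The `KNOWN_BAD` sample set, the `check_password` and `normalize` names, the NFKC normalization step and the `ExampleBank` service name are assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 8    # minimum length from the list above
MAX_LENGTH = 64   # lowest maximum the guidance allows; a verifier may accept more

# Constructed sample blocklist. A real deployment would load breach corpora
# and dictionary words rather than this short set.
KNOWN_BAD = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou"}


def normalize(text):
    """NFKC-normalize and case-fold so equivalent Unicode spellings compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(password, context_words=()):
    """Return a list of rejection reasons; an empty list means accepted.

    No composition rules (digit/uppercase/symbol) are applied, and every
    Unicode character is allowed.
    """
    reasons = []
    # Python's len() on str counts Unicode code points, not bytes.
    length = len(unicodedata.normalize("NFKC", password))
    if length < MIN_LENGTH:
        reasons.append("too_short")
    elif length > MAX_LENGTH:
        reasons.append("too_long")

    folded = normalize(password)
    if folded in KNOWN_BAD:
        reasons.append("known_bad")
    # Context-specific words, such as the name of the service itself.
    if any(w and normalize(w) in folded for w in context_words):
        reasons.append("context_word")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password",
                      "ExampleBank2024!", "short"]:
        print(repr(candidate), check_password(candidate, ["ExampleBank"]))
```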
Many enterprises and online services are looking to replace the much-scorned password. Several financial service companies, for example, are rolling out biometric authentication options for their customers, as well as a myriad of two-factor authentication options. However, there's still no universally accepted alternative to the password. So, despite its weaknesses, both in terms of security and practical use, many systems rely on it, and since passwords are here to stay for a while longer, it's refreshing to see research by NIST looking at how to make password authentication more robust and more user-friendly.
Although the NIST Digital Authentication Guideline governs Federal sites, its tenets are good standards for any site or system with authentication requirements. Overall, the new guidelines put the user experience at the forefront while also putting robust effort into system fortification and authentication methods. Credentials are incredibly valuable to attackers, who use them for a range of activities, including post-breach extortion, phishing and account takeovers. As organizations begin to better understand the implications of breaches, NIST is a great resource for guidance on passwords.