Operating within the U.S. Department of Commerce, The National Institute of Standards and Technology (NIST) develops Federal Information Processing Standards with which federal agencies must comply. Although NIST’s rules are not mandatory for nongovernmental organizations, they often become the base for best practice recommendations throughout the security industry and integrated into other standards.
NIST Special Publication 800-63A was published in 2003. The password primer recommended using a combination of numbers, obscure characters, capital letters and to change them regularly. In a recent interview with The Wall Street Journal, the author of the primer, Bill Burr, stated: “Much of what I did I now regret.” Why does he regret it? The advice ended up largely incorrect and had a negative impact on usability for the end user, including password fatigue. Cybercriminals have stolen and posted hundreds of millions of passwords online since 2003. The boom in data breaches has provided the NIST and other researchers with the necessary data to look at how our passwords stand up to the tools hackers use to break them.
A 2010 study conducted at Florida State University found that when required to create or update a password, the majority of users simply capitalize a letter in their password and add a “1” or “!”, making the password no harder to crack. When numbers were required in a password, 70% of users simply added the numbers before or after their password. These types of patterns are well known to hackers and they adjust their tools accordingly. (Interesting tidbit: Cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple” all run together as one word versus a password like “Tr0ub4dor&3” which can be cracked in 3 days.)
The average number of services registered to a single email account is more than 40, but the average number of different passwords for these accounts is 5. Over one-third of people forget their passwords weekly, requiring them to be reset - toss in length minimums, character requirements, mandatory password resets every 90-days and it becomes clear why we often reuse passwords, cobble one together by making minor changes to our current one or resort to writing passwords down on a sticky note.
Memorized Secrets and other NIST Digital Identity Guidelines
Special Publication 800-63B shows the shift in strategy regarding passwords and use policies, specifically advising to abandon outdated complex password rules in favor of user friendliness. The document also includes a new moniker for the term password - Memorized Secrets defined as: “A Memorized Secret authenticator (commonly referred to as a password or, if numeric, a PIN) is a secret value that is intended to be chosen and memorable by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value.”
The updated best practices for creating, changing or updating memorized secrets include:
- Allow at least 64 characters in length to support the use of passphrases, copy and paste. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (inducing spaces), thus aiding memorization.
- Do not require memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of compromise.
- Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
Rather than doing away with password restrictions entirely, The NIST guidelines recommend shifting to 3 password limitations that are actually worthwhile:
- Forbid commonly used passwords: The standards require every new password be checked against a “blacklist” that can include repetitive words, sequential strings, variations on the website name and passwords taken in prior security breaches. (haveibeenpwned.com has expanded their offering to include a pwned password section for users to check if a password has been exposed in a data breach)
- Don’t use knowledge-based authentication or password hints: Allowing a user to answer a personal question such as “What is high school did you attend” to reset passwords is now forbidden, as the answers to these questions and hints can be easily found via social media or social engineering.
- Limit the number of password attempts: There is a large difference between the number of guesses even the most typo-prone user needs and the number of guesses an attacker needs.
Other items addressed by the NIST include new password encryption standards and multi-factor authentication for any service that involves sensitive information. The full publication can be viewed on the NIST website.
We’re glad to see the standard updated to make it easier for users to create stronger passwords and we know at least a few of you will be happy not hearing from us every 90 days telling you that it’s time to change your password.