
What the Newly Drafted NIST Password Guidelines Mean to You

20170530 blog post Newly Drafted NIST Password Guideline


Passwords are security’s primary pain in the neck. They are a source of stress, strife, and sometimes humor. And the debate surrounding “best practices” about them may never fully end in our lifetime.

But as annoying (let’s be honest) as they can be, they are a necessary evil. For an example of how to do passwords right, turn to the United States National Institute of Standards and Technology (NIST). NIST is a non-regulatory agency of the United States Department of Commerce. They recently updated guidelines surrounding digital identity. It’s important to re-emphasize that these are only a draft; they are not absolute yet nor are they something that employees outside of the government need to obey. They do, however, serve as a baseline of how you can structure your password policy.

There are several nuggets of wisdom to be found in these guidelines that would translate well to most organizations. In this post, we’ll look at what these mean and how your organization can implement similar policies.

Dictionary Words and SMS Are Out!

The first major change emphasizes implementing policies that will lead to the elimination of easy-to-break passwords. We all know those offenders – “Password,” “ABCDF,” the name of the local football team. Especially targeted by these guidelines are:

  • Passwords obtained from previous breaches (no matter how complex they are – once these passwords are out there, they are out there)
  • Dictionary words
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context specific words, such as the name of the service, the username, and derivatives thereof

When a user comes up with a password, it would be checked by a credential service provider (CSP) against a list containing the above (more stipulations could be possible as well, depending on organizational preferences). If the desired password matched any of the criteria, the user would be forced to create a new one. (This tool can help your organization do exactly that.)
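The screening step described above can be sketched as follows. This is an added example, not code from the original post or from NIST; the list contents, the run length of four, and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample lists (assumption): a real deployment would load a
# breach corpus and a dictionary file instead of these few entries.
BREACHED = {"p@ssw0rd!2016", "letmein123", "qwerty2017"}
DICTIONARY = {"password", "football", "sunshine", "dragon"}

def _has_repeat(pw, run=4):
    """True if one character occurs `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def _has_sequence(pw, run=4):
    """True if `run` adjacent characters ascend or descend by one code point."""
    for step in (1, -1):
        count = 1
        for a, b in zip(pw, pw[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= run:
                return True
    return False

def screen_password(password, username, service):
    """Return the reasons to reject a candidate; an empty list means accept."""
    pw = password.lower()  # assumption: all comparisons are case-insensitive
    reasons = []
    if pw in BREACHED:
        reasons.append("breached")
    # Whole-password match only, so multi-word passphrases are not rejected.
    if pw in DICTIONARY:
        reasons.append("dictionary")
    if _has_repeat(pw) or _has_sequence(pw):
        reasons.append("repetitive_or_sequential")
    # Context-specific: the username or service name embedded in the password.
    for ctx in (username.lower(), service.lower()):
        if len(ctx) >= 3 and ctx in pw:
            reasons.append("context_specific")
            break
    return reasons
```

Matching dictionary words against the whole password rather than substrings is what lets a four-to-five-word passphrase through while still rejecting a single common word.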

SMS is also out as a form of single factor. SMS is not as secure as previously believed (you can read more about that here). Push authentications, though, are becoming more widely used – especially as part of multi-factor authentication (MFA).

MFA makes an appearance as a requirement for Authenticator Assurance Levels 2 and 3, meaning that higher assurance-level systems require better and more authenticators to meet the document requirements. What that means for private organizations is that more factors of authentication equal better security (duh).

Password Managers Are In!

Are the newly revised NIST guidelines reflective of greater changes in password security? Is this a watershed moment? Probably not, but it does represent a gradual shift in mindset.

Another takeaway for organizations from the guidelines is to remove arbitrary user rules. We all know these – “passwords must contain …” and then these rules proceed to list everything but the kitchen sink. As a result, users resort to poor passwords to cheat the system and simplify their lives. It’s a symptom of security fatigue.

(Pro tip: You can make lives easier for folks by insisting they use a password manager, which will help them craft better passwords and remove the burden of remembering several different passwords by replacing them with a single master password.)

NIST recommends distancing from secret questions for password hints. Secret questions are common, and would probably be difficult for most organizations to completely remove. There are few viable alternatives for account recovery at the moment, most of them being more “old school” (such as a phone call containing a passcode). But it’s good to note that oftentimes in breaches, it’s not just passwords that are released into the wild; it’s secret questions associated with those accounts, too. And questions tend to overlap between various accounts. Furthermore, add in directories and social media to the mix, and odds are the answers to secret questions are not as secret as your users think.

The final way that these NIST guidelines can benefit your organization is in terms of budget. Using NIST as an example could help secure any much-needed funding for your organization’s security program. Few things have more clout than something trusted by a government body. And it doesn’t hurt that none of these changes would cost a great deal of money.

A Three-Pronged Password Approach

Many practices the government is now officially endorsing are standard in the private sector – so if your organization hasn’t implemented them yet, now is the perfect time. The foremost takeaways for organizations are as follows:

  • Hold users to the fire with common-offender passwords. Use a list to vet passwords to ensure they are not likely to lead to a breach.
  • Eliminate arbitrary rules if possible (and if it makes sense). Or, instead of eliminating, implement them more mindfully. These rules include the mandatory 30- or 60-day lifespans for passwords and the necessity for special characters, capitalization, and so forth, which do serve a purpose but can frustrate users. Instead, the longer a password is, the better. Preferably, encourage your users to use four-to-five-word phrases as their passwords.
    1. On “if it makes sense”: at the time of this publication, most enterprise solutions don’t support this type of complex ruleset. Consider a ban on dictionary words – if a user wishes to create a passphrase instead of a password, the ban becomes a problem. Thus, eliminate arbitrary rules when it’s logical to do so.
  • Stress the importance of password managers. Although this is not novel information, password managers can be a formidable defense against weak passwords.

Even if we are never completely rid of passwords, the NIST guidelines signal a more progressive attitude toward their use, one your organization can benefit from adopting as well.


About the author, Nathan Elendt

Senior Security Consultant

Nathan Elendt is a Senior Security Consultant at Bishop Fox. Nathan's primary areas of expertise are web application penetration testing, secure system design, and product security reviews, including Internet of Things (IoT) assessments.

Nathan is an avid IoT researcher and is considered an internal subject matter expert on embedded device security. He has designed and led trainings on hardware hacking, has authored an article on IoT security best practices, and was quoted in CSO Online on IoT security. His IoT work for Bishop Fox includes a review of a suite of connected home security systems for a leading smart lock developer.
