The rules for managing passwords are about to undergo profound changes. InfoWorld reported recently on the coming changes from The National Institute on Standards and Technology (NIST).
NIST's Digital Identity Guidelines (SP 800-63-3) challenges the effectiveness of what has been traditionally considered authentication best practices, such as requiring complex passwords. When most credentials-based attacks no longer bother with brute-force methods, relying on password complexity doesn't really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics, it doesn't matter how complex the string is. Attackers can harvest credentials directly from the domain controller while moving laterally through the network, look up passwords from previously breached databases, or intercept passwords transmitted in plaintext.
The public comment period for the password guidelines closed on May 1, but NIST has not yet released the final version, expected in late spring or early summer. The NIST guidelines provide technical requirements for federal government agencies, but they are a helpful blueprint for the private sector to follow as well.
Here's what is out:
- Having special composition rules on creating strong passwords (such as requiring both uppercase and lowercase characters, at least one number, and a special character)
- Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise
- Password hints and knowledge-based questions, such as the name of the first pet, the mother's maiden name, or the high school mascot, as social media and social engineering have made it easy for attackers to use these pieces of information to bypass passwords
- NIST recommends administrators leave out overly complex security requirements that make it harder for users to do their jobs and don't really improve security, since frustrated users are more likely to look for shortcuts. For example, users struggle to memorize large numbers of passwords—the average user accesses more than 40 accounts—so they may either write down passwords, which defeats the purpose of having a "secret" password; reuse passwords, which makes it easier to break into accounts; or use variations of existing passwords, which makes it easier for attackers to guess the patterns.
- While it's true there are other ways to get passwords, brute-force attacks still exist, so don't entirely give up on complex passwords yet. Enterprises should encourage employees to use a password manager and not try to remember passwords. Even with recent issues found in popular password managers, these applications remain the best tool for creating and storing unique and strong passwords.
Here's what's in:
- Users should be able to choose freely from all printable ASCII characters, as well as spaces, Unicode characters, and emojis.
- Increase the minimum length of passwords to eight.
- Check passwords against blacklists of unacceptable credentials, including previously breached databases, dictionary words (monkey), common passwords (letmein), and passwords with repeating or sequential characters (pass123).
- Lock accounts after several incorrect attempts to login.
- Hash passwords with a salt when storing passwords to prevent cybercriminals from acquiring passwords that are stored in plaintext or with weak hash algorithms.
Password managers only solve the password challenge; they don't address the overall authentication problem when attackers already have the password. NIST also recommends adding another line of defense by turning on multifactor authentication. Attackers typically don't have multiple proofs of identity, such as the user's mobile device or some kind of physical token they wouldn't be able to break in even with a password. However, NIST warned against relying on sending one-time passwords via SMS messages as a form of two-factor or multifactor authentication. SMS can easily be intercepted, so NIST suggests using software-based one-time-password generators, such as apps installed on mobile devices.
The final draft is timely after 2016 when troves of stolen credentials were made public, disclosing more than one billion credentials.
Compounding the problem is the fact that the average number of services registered to one -email account for 25-34-year-olds is more than 40, according credit-checking firm Experian. And on average, users had only five different passwords for those accounts as Experian reported in 2016.
NIST's new thinking makes a lot of sense – and carries good lessons for security administrators in both the private and public sectors. Password fatigue is something we see all the time – NIST is right – there are better ways to protect access to data.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology