NIST Password Guidelines

Long-standing password practices previously recommended by regulators and standards organizations may increase business risk. The National Institute of Standards and Technology (NIST) has recently issued updated guidance recommending simplified password practices to increase password security. Organizations should assess and improve their password practices in light of updated best practices guidance.

In June 2017 NIST released new digital identity guidelines[1] that deviated from past password practices but followed recent research[2] into the effectiveness of passwords and password policy.

The new NIST guidelines make several recommendations including the following:

Remove arbitrary and frequent password reset requirements.

Studies of password expiration policies at Carleton University[3] and the University of North Carolina[4] concluded that the security advantage of frequent password resets is “relatively minor at best, and questionable in light of relative costs”. There is a growing school of thought that an overly aggressive password expiration policy can actually weaken the efficacy and strength of passwords as a result of password fatigue.

Remove password complexity requirements and adopt ‘passphrases’.

NIST encourages users to adopt easily remembered long passphrases in lieu of traditional short, complex passwords and advises that agencies “SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types…)”. A study of users at Carnegie Mellon University[5] reinforces this finding with a conclusion that 46 percent of users are more likely to have guessable passwords when password complexity rules exist. Many users try to comply with such complexity rules by varying elements in the same password during a password reset (e.g. password1, password2, password3) which results in less secure passwords overall.

Require screening of passwords against a list of blacklisted passwords.

NIST guidelines also recommend that agencies check new passwords against lists of known bad passwords, such as low-quality passwords and those involved in prior breaches.
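The screening step above (and the preceding passphrase recommendation) is easy to get wrong in practice, so here is an added Python example, not code from the page or from NIST, of a verifier-side check that follows SP 800-63B's memorized-secret rules: enforce a minimum length, accept long passphrases with spaces, impose no character-class composition rules, and reject values that appear on a known-bad list, in a breach corpus, in context-specific words (username, company name), or consist of repeated or sequential characters. The known-bad list and the breach corpus are tiny constructed samples embedded inline so the code runs offline; the breach lookup is written the way a k-anonymity range query works (hash prefix selects a bucket, suffix matched locally) but queries no real service.

```python
import hashlib
import re
import unicodedata

# Constructed sample lists. A real deployment loads large corpora (dictionary
# words, leaked-password dumps); these few entries only illustrate the checks.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Constructed stand-in for a breach corpus, stored as SHA-1 hashes bucketed by
# their first five hex characters. This mirrors the k-anonymity range lookup
# used by breach-corpus services: the client reveals only the 5-char prefix
# and matches the remaining 35 characters locally. Hypothetical data.
_BREACHED_PLAINTEXT = {"Tr0ub4dor&3", "P@ssw0rd", "Summer2017!"}


def _sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


BREACH_BUCKETS = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = _sha1_hex(_pw)
    BREACH_BUCKETS.setdefault(_h[:5], set()).add(_h[5:])


def in_breach_corpus(secret):
    """Prefix-bucket lookup, as a client of a range API would perform it."""
    h = _sha1_hex(secret)
    return h[5:] in BREACH_BUCKETS.get(h[:5], set())


MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least this many characters


def _has_repeated_run(s, run=4):
    # e.g. "aaaa": the same character repeated `run` or more times
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def _has_sequential_run(s, run=4):
    # e.g. "abcd" or "9876": `run` characters stepping by exactly +1 or -1
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def evaluate_password(secret, context_words=()):
    """Return the list of reasons the secret is rejected (empty = accepted).

    Applies the SP 800-63B screening steps: length, known-bad list, breach
    corpus, context-specific words, repetitive and sequential characters.
    Deliberately imposes no character-class composition rules and keeps
    spaces, so multi-word passphrases are allowed.
    """
    reasons = []
    # NFKC normalization so length and hash are stable across input methods
    normalized = unicodedata.normalize("NFKC", secret)
    if len(normalized) < MIN_LENGTH:
        reasons.append("too short")
    if len(normalized) > MAX_LENGTH:
        reasons.append("too long")
    lowered = normalized.lower()
    # Catch "password", "password1", "password2" style variants in one check
    # by stripping a trailing run of digits/punctuation before the lookup.
    base = re.sub(r"[\d!@#$%^&*.]+$", "", lowered) or lowered
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("on known-bad list")
    if in_breach_corpus(normalized):
        reasons.append("found in breach corpus")
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            reasons.append("contains context word")
            break
    if _has_repeated_run(lowered):
        reasons.append("repetitive characters")
    if _has_sequential_run(lowered):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "password3"]:
        verdict = evaluate_password(candidate, context_words=("jsmith", "acme"))
        print(repr(candidate), "->", verdict or "accepted")
```

Note what the example does not do: it never rejects a long passphrase for lacking digits or symbols, which is exactly the composition rule the guidance tells agencies to drop, and the "strip trailing digits" step is what turns a password1/password2/password3 rotation into a single blocklist hit rather than three "new" passwords.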

Educate employees on the dangers of password reuse.

The reuse of corporate passwords when signing up for other personal services creates a major security risk. An employee’s use of the same password for both business and personal accounts can allow an attacker to use a compromised personal account to gain access to the business account and perhaps the entire network. The Office of the Privacy Commissioner of Canada issued a news release[6] regarding the risks of password reuse in 2017.

Implement Risk-Based Multi-Factor Authentication (MFA).

It is recommended that organizations perform a risk analysis to determine where to implement MFA, protecting higher-risk credentials such as those used by administrators, and requiring it for authentication to remote systems and to systems that contain confidential information.

References:

[1] NIST SP 800-63B Digital Identity Guidelines — http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

[2] Passwords and Authentication Research, Carnegie Mellon University Cylab — http://cups.cs.cmu.edu/passwords.html

[3] Quantifying the Security Advantage of Password Expiration Policies — http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

[4] The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis — https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf

[5] Measuring Password Guessability for an Entire University — https://www.cylab.cmu.edu/_files/pdfs/tech_reports/CMUCyLab13013.pdf

[6] ‘Don’t reuse passwords’, Privacy Commissioner warns — https://www.priv.gc.ca/en/opc-news/news-and-announcements/2017/nr-c_170718/