If I were to ask you what the best policy for passwords was, I imagine you would unanimously list the following:
- change every 90 days
- use letters (upper and lower case), numbers, special characters
- you can't reuse the last 10 passwords
- and they should be at least 8 characters long
Recently, the National Institute for Standards and Technology (NIST) has taken a step back and re-evaluated password best practices.
In June 2017, NIST published a revised set of Digital Identity guidelines. These guidelines offer what they consider best practice for passwords today. Links to relevant documents are below.
Complex isn’t necessarily strong
Requiring a mix of numeric characters, upper and lowercase letters and special characters makes a password complex, but it doesn't make it stronger. NIST says this practice should be replaced by more dynamic support for password selection.
NIST recommends that organizations support users in selecting better passwords by checking chosen passwords against known leaked breach data and known weak passwords.
It's difficult to argue that this check is impossible to implement, given the abundance of breached data available on the Internet. The availability of tools such as Hashcat and similar password testing tools makes a quality check for password selection fairly easy.
The longer the better, and permit cut & paste
We’ve all come across examples where your password could be no longer than 8 or 10 characters in length. This can be seen in some of the larger organizations globally, no doubt because of restrictions with legacy systems.
NIST is clear in its recommendations for password length. It suggests that passwords of at least 64 characters should be allowed. Furthermore, the use of password managers should be encouraged and supported by ensuring users can paste into password data entry fields. Bizarrely, some sites currently prevent users from pasting their passwords into form fields, thereby breaking the automated use of password managers.
Password hints are passé
A popular trend to recover forgotten passwords is allowing users to reset passwords if they successfully answer a hint question like the make of their first car or their favorite teacher.
The quality of hint questions often leaves a lot to be desired. Poor levels of entropy, combined with all the personal data now shared on social media, weaken the use of password hints. NIST advises us to stop using hint questions as a means to help users recover account access. Instead, leverage 2FA, or text a one-time code to reset passwords.
Regular changes no more
Finally, NIST has deprecated the widely adopted practice of regularly changing your password in case an attacker has obtained it without your knowledge.
The argument against this practice lies in the human tendency to pick a sequence or pattern that eases the workload of remembering passwords. What a user tends to do is add a number or other incremental character to the end of their current password and increment it each time they are forced to change it. This makes for a weak password, and NIST no longer recommends the practice.
In review: What can you do to improve your organization’s password approach?
Perform password testing
If you can't perform in-line password checks as users create or change their passwords, then be sure to perform password strength checks very regularly. Run tools such as Hashcat to identify weak passwords, and have the affected users change them.
Stop forcing the regular changing of passwords
Passwords should be changed when a user suspects their password is no longer a secret. In the normal course of events, passwords should no longer be changed on a schedule.
Update your systems to support new best practices
Ensure your systems support 64-character passwords and allow pasting into form fields for passwords (and usernames). Drop forced composition rules in favor of longer passwords.
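To show what the in-line check from the "Complex isn't necessarily strong" section and the length rules from this review look like in a verifier, here is an added example (not code from NIST or from this post). It drops composition rules, requires 8 characters, accepts well past 64, rejects context-specific words, repetitive or sequential strings, and anything in a breach corpus; the breach list, usernames and service name are constructed for the example.

```python
"""Memorized-secret acceptance checks in the spirit of NIST SP 800-63B.

Constructed example: the breach corpus, usernames and service name are made up.
"""
import hashlib

# Constructed stand-in for a leaked-password corpus. Breach lists are usually
# distributed as hashes, so the lookup is by SHA-1 of the candidate; this is
# only for matching against the corpus, never for storing the password.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "summer2017", "P@ssw0rd")
}

MIN_LEN = 8     # NIST: user-chosen secrets must be at least 8 characters
MAX_LEN = 128   # NIST: verifiers must accept at least 64; higher is fine


def is_repetitive_or_sequential(pw: str) -> bool:
    """Reject 'aaaaaaaa' and 'abcdefgh' / '12345678'-style secrets."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str, username: str, service: str = "example") -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    No composition rule is applied: a long passphrase with spaces passes, while
    a short 'complex' string that appears in the breach corpus does not.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    lowered = pw.lower()
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context-specific word {ctx!r}")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breach corpus")
    return problems
```

A real deployment would replace the constructed set with a full corpus or a breach-check service, and a password that fails should prompt the user to choose another rather than simply being refused.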
NIST links
SP 800-63 Digital Identity Guidelines
https://doi.org/10.6028/NIST.SP.800-63-3
SP 800-63A Enrollment and Identity Proofing
https://doi.org/10.6028/NIST.SP.800-63a
SP 800-63B Authentication and Lifecycle Management
https://doi.org/10.6028/NIST.SP.800-63b
SP 800-63C Federation and Assertions