NIST Password Guidelines: What You Need to Know

For the past three years, the National Institute of Standards and Technology (NIST) has been substantially revising its password guidelines. Many of these revisions stem from NIST’s recognition that human factors can often lead to security vulnerabilities when users are forced to include special characters or required to periodically create a new password previously thought to improve authentication security.

Implement Password Screening

A common human error related to password security is reusing passwords across multiple online services and accounts – something 59% of people admitted to doing in a LogMeIn survey. If a password has been leaked in a previous breach, all a hacker needs to do is buy these credentials via the dark web and use them to access any additional accounts protected by the compromised password.

Password reuse has a long-tail effect; researchers from Virginia Tech University found that over 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords which were leaked over three years ago. To combat this threat, NIST now recommends that organizations screen passwords against blacklists containing commonly used and compromised credentials. With multiple breaches occurring every day, NIST also recommends that companies screen passwords on an ongoing basis to ensure that a previously safe password does not become compromised down the road.

Additional NIST SP 800-63b recommendations include:

Users no longer have to use special characters: According to NIST, “Research has shown…that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.” As such, they suggest companies eliminate this requirement as it may actually have an adverse effect on security.

Users should be able to use all characters: It’s fairly common for services to reject passwords with spaces and various special characters, but NIST now recommends organizations phase out this approach and allow users to create passwords using whatever combination of characters they can easily remember.

Copy and pasting passwords is acceptable: Under the previous guidelines, NIST was against enabling paste features when typing passwords, however, the new guidelines reverse this recommendation.

Password policies should not require employees to change passwords on a regular basis: Mandatory periodic password resets used to be hailed as a security best practice, but that is no longer the case. As NIST puts it, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”

Increased character allowance: The new guidelines encourage password fields to allow for up to at least 64 additional characters on top of the required eight. Key to this recommendation is the idea of passphrases – sequences of preferably unrelated words that can strengthen password security and also are more difficult for hackers to guess by brute force.

While much media hype surrounds password-less login, it’s safe to say that passwords will remain the primary means of authentication for the foreseeable future. In this environment, it’s important that companies adopt the latest NIST recommendations to mitigate password risks.

Hackers are constantly on the lookout for ways to infiltrate sensitive corporate systems and accounts, and organizations’ best line of defense hinges on the ability to ensure security at the password layer.

Brought to You by

What’s Hot on Infosecurity Magazine?