NIST, the National Institute of Standards and Technology, issues password guidelines that represent best practices for password security. NIST is an agency of the US Department of Commerce. It is a public service and, therefore, not biased by any specific commercial interest.
The NIST password guidelines have become a reliable source for those looking for best practices. However, those standards are in flux at the moment because the Institute is re-assessing all of its recommendations. Another problem with the NIST standards is that they are difficult to understand and the kernel of important action points is buried in officious terminology and government procedural formatting.
To cut through the confusion, we have produced a definitive guide to implementing secure passwords and we have written these guidelines in clear, plain English.
Here is the summary of points that you should be implementing now in your password policy:
- Block password reuse.
- Screen for common passwords.
- Drop the requirement for special characters.
- Allow all characters, including spaces.
- Allow copy and pasting of passwords.
- Drop enforced password rotation.
- Lengthen password fields.
- Let the user see the password, limit attempts, and don’t use hints.
- Use 2FA – SMS is OK.
These are the top guidelines of the current NIST password recommendations. The reasoning behind each of these key points and how you should implement them is explained in the following sections.
1. Block password reuse
This recommendation has two meanings.
- Users shouldn’t choose the same password used for other logins.
- Users shouldn’t flip-flop between two passwords.
In truth, everyone has difficulty remembering a lot of passwords for all of the places a login is required in the modern world. To combat the danger of being locked out, they will use one password in all situations.
The problem with the constant use of the same password in all systems is that often login credentials are tied to the user’s email address. Even though many people have more than one email account, the average number of email accounts per person is still relatively low – it is currently about 1.75 accounts on average per person.
Even those people who have many email accounts tend to use one email account overwhelmingly more frequently than others. This situation makes it easy for hackers to track users across systems. This is particularly the case where the email address is used as the account username. So, if a hacker discovers the password of a user on one system, it is very easy to feed that into automated access attempt software for other systems.
Use password screening services that check for password commonality across systems to prevent the users of your authentication process from using the same passwords that they use in other systems.
In truth, this is difficult to implement because you aren’t going to be able to see the passwords that your users employ everywhere in the world. However, as part of your user education effort, make the originality of the password that they use for your system a key recommendation.
Password reuse within your system is a lot easier to block. Password reset systems often check that the user’s current password and the new password that they request are not the same. This strategy is easy for software systems to enforce because they just require the user to enter their old password in one field and the new password in another field on the same screen. Straightforward pattern matching identifies a repeated password.
Due to the extensive use of user credentials for everything these days, every account holder on your system has become an expert in the creation of passwords, and they all know how to trick the system. They will cycle between two passwords that are very similar – often with just the addition of an extra character at the end.
Rather than using a password checking system that only compares the requested new password with the user’s current password, use systems that blacklist every previous password employed for that account.
The ban on any repetition gives you a better chance that users will be forced to think up a completely new password that they haven’t used anywhere else.
The password uniqueness process should not only check that the requested password is different from all previously used passwords but that it is substantially different. There shouldn’t be any reuse of parts of passwords. That prevents users from varying passwords by just one or two characters.
Users will continue to employ compromised passwords for other systems even when they have been informed that the particular password has been compromised. NIST recommends that system administrators subscribe to a list of compromised passwords and perform regular sweeps to catch recently compromised passwords.
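The two in-system reuse checks described above, as an added example (not code from the page or any vendor): earlier passwords are kept only as salted PBKDF2 hashes, so exact reuse of any of them is detectable, while the “substantially different” test can only be run against the current password, which the user has just typed in plaintext on the change form. The round count, the edit-distance threshold and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed example, not the page's or any vendor's code.
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def seen_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate re-hashes to any (salt, digest) pair in the account's history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes and substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def validate_change(current: str, new: str, history: List[Tuple[bytes, bytes]],
                    min_distance: int = 4) -> Optional[str]:
    """Return a rejection reason, or None when the new password is acceptable."""
    if seen_before(new, history):
        return "password was used before on this account"
    cur_l, new_l = current.lower(), new.lower()
    # Reject small edits (Summer2023! -> Summer2024!) and any reuse of the whole
    # current password as part of the new one (Summer2023! -> Summer2023!x).
    if cur_l in new_l or new_l in cur_l or levenshtein(cur_l, new_l) < min_distance:
        return "new password is too similar to the current one"
    return None
```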
2. Screen for common passwords
Another coping strategy that many users deploy in order to remember lots of different passwords is to use straightforward, memorable passwords. These might be:
- Culturally common words or phrases
- Words related to the user’s hobbies
- Words or codes related to the system that the account is held on
- Words related to the username
An easy way to prevent this strategy is to check passwords against a dictionary. If you run a multinational system, the dictionary you use will need to relate to the language of the user.
Clearly, the password shouldn’t be a repetition of the username and also shouldn’t contain the username or be part of the username.
Passwords that are adapted to the system or the user’s identity are particularly easy to crack and passwords that include the word “password” should be at the top of your blacklist – MyPassword, APassw0rd, DavePassword, IBMPassword, Passw0rd!, etc.
The easiest way to shut down the use of common words in passwords through an automated process is to adapt the NIST recommendation of using a compromised password feed. Rather than applying a list of passwords that have been cracked elsewhere for a particular user, scan for all or part of all passwords that have been cracked anywhere. Apply that blacklist to each user regardless of whether the compromised password was deployed by that user. That will automatically block the use of all common words.
3. Drop the requirement for special characters
This NIST recommendation is a surprise to many and causes consternation because the enforcement of special character inclusion is part of the standard procedures of most current off-the-shelf password strength testers.
The reason for this new rule is that just making the user put one special character somewhere in the password doesn’t provide any security at all. Hackers have studied human behavior and they know all of the standard tricks that ordinary people use in order to comply with the special character requirements while still producing a crackable password.
The exclamation mark (!), for example, produces particularly weak passwords while fooling most password strength testers. It is not difficult at all for password cracking software to try a password, then try the same password with an exclamation mark on the end, and then try the password with the exclamation mark substituted for each l and then each i. That takes seconds.
The same recommendation also goes for the forced inclusion of numbers – hackers are ahead of that one, too. Zero substituted for o and one substituted for l makes cracking passwords easy. Combining the requirement for the inclusion of both a number and a special character is also useless – passw0rd! is extremely easy to guess, while being approved by a password strength checker.
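An added example (not from the page or any vendor) that puts sections 2 and 3 together: the candidate is normalized so the tricks just described (0 for o, 1 for l, ! for i, a digit or “!” bolted on the end) are undone before it is matched against the username, the system’s own name and a blocklist. The blocklist, the minimum length and the sample inputs are constructed assumptions; in production the blocklist would be the compromised-password feed plus a dictionary in the user’s language.

```python
import re
from typing import Optional, Sequence

# Constructed example, not the page's or any vendor's code.
MIN_LENGTH = 8
# Constructed blocklist standing in for a compromised-password feed and a dictionary.
BLOCKLIST = ("password", "letmein", "qwerty", "welcome", "summer", "dragon", "123456")
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i", "|": "l"})


def normalize(text: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, then undo leet substitutions."""
    low = text.lower()
    base = re.sub(r"[^a-z]+$", "", low) or low   # "Passw0rd123!" -> "passw0rd"
    return base.translate(LEET)                   # "passw0rd" -> "password"


def screen(password: str, username: str, system_terms: Sequence[str] = ()) -> Optional[str]:
    """Return a rejection reason, or None when the candidate passes screening.

    Deliberately has no special-character or digit requirement (section 3).
    """
    if len(password) < MIN_LENGTH:
        return "too short"
    norm = normalize(password)
    user = normalize(username)
    if user and norm and (user in norm or norm in user):
        return "contains or is part of the username"
    for term in system_terms:
        t = normalize(term)
        if t and t in norm:
            return f"contains the system name {term!r}"
    # Match on any part of the candidate, raw or normalized, as section 2 prescribes
    # for the compromised-password feed.
    forms = (password.lower(), norm)
    for word in BLOCKLIST:
        if any(word in f for f in forms):
            return f"contains common word {word!r}"
    return None
```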
4. Allow all characters, including spaces
The ban on spaces in passwords is illogical. Memorable phrases are much harder to crack than memorable words or even memorable words with special characters and numbers in them.
The main problem with memorable phrases is that they are also harder to check for password strength. However, using the recommended strategy of scanning for a match to compromised passwords should filter out well-known quotes as the wider system administrator community adopts the strategy of allowing spaces.
NIST’s policy revision stems from the recognition that current restrictions on password composition haven’t resulted in password variety. Instead, they have created a convention of commonly used tricks because, even operating independently, everyone’s brain works the same way. So, universal rules applied to everyone eventually result in universal solutions. Greater restrictions result in a smaller pool of possible solutions. Thus, tightening restrictions creates an easier job for hacker password-cracking tools.
5. Allow copy and pasting of passwords
Previous NIST recommendations advised against allowing values to be pasted into password fields. However, as the new NIST strategy is to encourage diversity by discouraging users from resorting to common password tricks, this is an important restriction to remove.
One unfortunate consequence of allowing pasting is that users will keep a file that lists system credentials. However, discouraging them from doing that also discourages them from using impossible-to-remember passwords.
Although plain text files with lists of credentials can be a security risk, in a way, they are a form of two-factor authentication because at least the user has to have physical access to the device that stores the file. Most professional hacker groups operate worldwide and work with automated password cracking systems. They don’t bother to steal the laptops of every Yahoo Mail user.
Very high-security systems, such as national defense agencies, should continue to take steps to prevent users from keeping their own password files. However, that rule can be enforced by other methods, such as the threat of sacking or criminal charges. For most systems, a user-owned password file isn’t a serious security breach.
6. Drop enforced password rotation
Frequent demands for password resets encourage users to reuse passwords, vary the same password slightly by adding or moving numbers and special characters and use passwords that they also use on other systems. In short, frequently forced password rotation is the cause of the bad practices and tricks that need to be blocked – as explained in points 1, 2, 3, and 4, above.
7. Lengthen password fields
The standard eight-character password allowance is based on the expectation that users should create an actual word. However, as explained above, passphrases are much better for security and so lengthening the credentials field to at least 72 characters together with the permission to use spaces will encourage users to create phrases rather than words.
8. Let the user see the password, limit attempts, and don’t use hints
The biggest threat to system security is from international hackers, rather than nearby individuals. A shoulder surfer could look over and see the password that a user enters into a mobile device in a public place. However, if anyone is so close that it is possible to read the small display on the screen, that person would also be close enough to see which letters the user presses on the on-screen keyboard, so obscuring the password isn’t much of an advantage.
Although automated password cracking is a bigger threat than individual attacks, some users are targeted, so password hints speed up password guessing for a miscreant who is “doxing” a particular individual.
The three-strikes rule works very well as protection against password guessing techniques that cycle through special character and number substitutions.
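The three-strikes rule as an added example (not code from the page or any vendor): after three consecutive failed logins an account is locked for a cooldown period, and a successful login clears the counter. The lockout length is an assumption, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from typing import Callable, Dict

# Constructed example, not the page's or any vendor's code.
MAX_FAILURES = 3            # the page's three-strikes rule
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lockout


class AttemptLimiter:
    """Per-account counter of consecutive bad passwords with a timed lockout."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear state so the user gets a fresh set of attempts.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a bad password; returns True if this failure triggered the lockout."""
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(limiter: AttemptLimiter, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Gate a credential check behind the limiter; returns 'locked', 'ok' or 'bad'."""
    if limiter.is_locked(account):
        return "locked"          # do not even evaluate the password while locked
    if verify(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad"
```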
9. Use 2FA – SMS is OK
Two-factor authentication is a major recommendation of the latest NIST standards. One problem with this field of authentication is the scare stories that identified security weaknesses in the use of mobile devices as a physical element that could be used for authentication.
Although SMS-based authentication systems are fallible, the industry has found a way to strengthen the physical identification of mobile devices used for 2FA. That is, the SMS or push message requires not only the telephone number but also the identity of the device. This requirement gets around the problems of spoofing and cloning that undermined the value of mobile devices for 2FA.
Implementing NIST recommendations
The easiest way to ensure that you have integrated all of the best practices for password security is to implement the NIST recommendations. The latest NIST recommendations are called SP 800-63b. This list of recommendations was first published in 2017 and has since been updated several times. So, you need to look for Identity and Access Management Systems that follow NIST SP 800-63b Revision 3, also written as SP800-63B-3 – unfortunately, dashes, spaces, and capitalization can be altered from publication to publication.
Using password management systems
Fortunately, there are some password management systems available that are aware of the latest NIST recommendations and have integrated them.
- ManageEngine ADSelfService Plus (FREE TRIAL) This password management system for Active Directory has been made fully compliant with SP800-63B Revision 3 through the revamp of its 2FA services. Access the 30-day free trial.
- N-able Passportal This password service discusses NIST SP800-63B Revision 3 in a blog post and declares that its services integrate these requirements. You can register and arrange for a demo.
- Specops Password Policy This password management system includes all of the recommendations of SP800-63B Revision 3. It integrates into Active Directory so you don’t need to completely trash and rebuild your current access rights management system in order to upgrade to the new standards.
- Password RBL Password RBL is a password blacklisting service that integrates with Active Directory. This implements a major recommendation in the NIST SP800-63B publication over blocking compromised password reuse.
- SaaSPass This is a cloud-based 2FA system that integrates with a long list of applications. It is fully compliant with NIST SP800-63B recommendations.
- Okta Offers a menu of IAM solutions from its cloud platform, all of which are compliant with NIST SP800-63B Revision 3.
Beef up or bolt-on
You probably already have a well-established password management system that you’re happy with. As your IAM provider is closely involved in password security issues, it is very likely that it has already implemented SP800-63B. However, it doesn’t hurt to check.
It might be that NIST-compliant password security features are only offered with your current provider if you upgrade. If not, it could be worth considering adding on a specialist password management system or improving NIST-compliance by implementing 2FA or password blacklisting supplied by a provider other than your main IAM system vendor.
Above all, as a corporate system administrator, it is important to keep up to date with current password security issues. There is always new technology out there and that works for hackers as well as for businesses. Cybersecurity is the pursuit of a constantly moving goal.
Madness. Life is difficult enough for everyone with sometimes hundreds and hundreds of passwords to retain, without the whole process having to be made more complex by people on a mission to block even similar passwords that are ‘cycled’. Unless a password has been compromised then ‘cycling’ a password by changing two characters in any position should be entirely acceptable practice, and especially when the password is over 12 characters. I can understand it if there has been an issue, but otherwise this is just overkill.