NIST released new guidelines for user password requirements that are significantly different than those you may be used to following. For anyone keeping up with identity management guidelines over the past several years, this is not a surprise. For the non-security geeks among us, these changes may seem like a revelation to the mantra of password management we’ve heard for the past 20 years.
According to NIST, passwords and numeric pins need to be “of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value.” The challenge for network administrators has been the implementation and enforcement of policies and security controls that are not too restrictive or difficult for the end user to follow. In a recent NPR interview, Senior Standards and Technology Adviser at NIST Paul Grassi said: "The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users."
The new guidelines outlined in NIST 800-63b will be easier on our admins and users while also being simpler to implement and maintain.
NIST Password Recommendations
Password Complexity Isn’t Necessary
You can stop requiring complex passwords that require both alpha and numeric digits along with special characters. Studies have shown these requirements often result in worse passwords than intended.
Forget About Periodic Password Changes
Periodic password changes combined with strict complexity requirements can be a nightmare for users. Admins can stop worrying about passwords written on sticky notes under keyboards that users refused to remember. Users will be happy to know they no longer have to spend time creating a new, unique and complex password every 30 days.
Use Password Screening
New passwords or password change requests should first be compared to a list of commonly used and compromised passwords. NIST 800-63b lists the following examples:
- Passwords obtained from previous breach corpuses.
- Dictionary Words
- Repetitive or sequential characters (e.g. ‘aaaaaa,' ‘1234abcd’)
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
The KISS Method - Keep It Simple Stupid
NIST suggest keeping passwords simple. Require a long (up to 64 characters but not less than 8) and memorable password like a phase you can easily repeat. “
I do not enjoy sweet pickles I prefer spicy dill pickles” would be an excellent password. A short complex password is actually easier for a cybercriminal to cryptographically crack than one that contains a longer list of characters.
These password recommendations are much easier for users to follow and it cuts down administration time setting up and implementing complex password requirements. Don’t get too excited though admins, you will still get requests for passwords resets when people forget their password phrases or maybe change their taste in pickles.