NIST 2017 Guidelines Renew Outdated Password Rules

The National Institute of Standards and Technology (NIST), operating within the US Department of Commerce, develops federal information processing standards that federal agencies must adhere to. Although the NIST rules are not mandatory for nongovernmental organizations, they often become the basis for best practice recommendations throughout the security industry and are integrated into other standards.

NIST Special Publication 800-63A was published in 2003. This password primer recommended using a combination of numbers, obscure characters, and capital letters, and changing passwords regularly. In a recent interview with The Wall Street Journal, the primer’s author, Bill Burr, stated: “Now I regret a lot of what I did.” Why does he regret it? The advice ended up being largely wrong and had a negative impact on end-user usability, including password fatigue. Cybercriminals have stolen and posted hundreds of millions of passwords online since 2003. The rise of data breaches has provided NIST and other researchers with the data they need to see how our passwords hold up against the tools hackers use to break them.

A 2010 study conducted at Florida State University found that when required to create or update a password, most users simply capitalize a letter in their password and add a “1” or “!”, which makes the password no more difficult to crack. When numbers were required in a password, 70% of users simply added the numbers before or after their password. These types of patterns are well known to hackers, and they adjust their tools accordingly. (Interesting fact: cartoonist Randall Munroe calculated that it would take 550 years to crack the password “correct horse battery staple”, written together as one word, versus a password like “Tr0ub4dor&3”, which can be cracked in 3 days.)

The average number of services registered to a single email account is more than 40, but the average number of different passwords for these accounts is 5. More than a third of people forget their passwords on a weekly basis, requiring them to be reset. Add the minimum lengths, character requirements, and mandatory password resets every 90 days, and it becomes clear why we often reuse passwords, improvise one by making minor changes to the current one, or resort to writing passwords on a sticky note.

Memorized Secrets and Other NIST Digital Identity Guidelines

Special Publication 800-63B shows the change in strategy regarding passwords and usage policies, and specifically advises abandoning complex and outdated password rules in favor of ease of use. The document also introduces a new name for the term password, “memorized secrets”, defined as: “A memorized secret authenticator (commonly known as a password or, if it is numeric, PIN) is a secret value that must be chosen and memorized by the user. Memorized secrets must be complex and secretive enough that it is impractical for an attacker to guess or discover the correct secret value.”

Updated best practices for creating, changing, or updating memorized secrets include:

Allow at least 64 characters in length to support the use of passphrases, as well as copy and paste. Encourage users to make memorized secrets as long as they want, using whatever characters they like (including spaces), thus aiding memorization.

Do not require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is a request from the user or evidence of compromise.

Do not impose other compositional rules (for example, mixing different types of characters) on memorized secrets.

Password limitations:

Rather than completely removing password restrictions, NIST guidelines recommend switching to 3 password limitations that really pay off:

Ban Commonly Used Passwords – The standards require that each new password be verified against a “blacklist” that can include repeating words, sequential strings, variations in the website name, and passwords taken from previous security breaches. ( has expanded its offering to include a password section set up for users to check if a password has been exposed in a data breach)

Do not use knowledge-based authentication or password hints: It is now prohibited to allow a user to answer a personal question such as “What high school did you attend?” to reset passwords, as the answers to these questions and hints can be found easily through social media or social engineering.

Limit the number of password attempts: There is a big difference between the number of guesses required by the user most prone to typos and the number of guesses required by an attacker.
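The first and third limitations, together with the "no composition rules" advice above, can be sketched as an acceptance check plus a failure counter. This is an added example, not code from NIST or from the original article; the site name, the tiny breach set, the 8-character floor and the failure threshold are assumptions chosen for illustration.

```python
import re
import unicodedata

MIN_LEN = 8                    # SP 800-63B floor for user-chosen secrets (not on this page)
SERVICE_NAME = "examplebank"   # hypothetical site name
# Constructed sample; a real list is loaded from a breach corpus, stored normalized.
BREACHED = {"password", "qwerty", "letmein", "iloveyou"}
LEET = str.maketrans("0134578@$", "oleastbas")

def is_sequential(s):
    """True for 'aaaaaaaa', '12345678', 'hgfedcba': one constant step of 0 or +/-1."""
    return {ord(b) - ord(a) for a, b in zip(s, s[1:])} in ({0}, {1}, {-1})

def check_secret(secret):
    """Return None if acceptable, otherwise the reason for rejection."""
    if len(secret) < MIN_LEN:
        return "too short"
    low = unicodedata.normalize("NFKC", secret).lower()
    if is_sequential(low):
        return "repetitive or sequential"
    # Undo the habits the article describes: appended digits or '!', leet swaps.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low).translate(LEET)
    if SERVICE_NAME in core:
        return "derived from site name"
    if core in BREACHED:
        return "found in breach corpus"
    return None  # no composition rules, no upper length limit, spaces allowed

class Throttle:
    """Counts consecutive failures per account; threshold is an assumed value."""
    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.failures = {}

    def allow(self, account):
        return self.failures.get(account, 0) < self.max_failures

    def record(self, account, success):
        self.failures[account] = 0 if success else self.failures.get(account, 0) + 1
```

Note that "Password1!" passes a classic uppercase-digit-symbol policy yet is rejected here, while a long all-lowercase passphrase with spaces is accepted.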

Other elements addressed by NIST include new password encryption standards and multi-factor authentication for any service that involves sensitive information. The full publication can be viewed on the NIST website.

We are pleased to see the standard updated to make it easier for users to create more secure passwords, and we know that at least some of you will be happy not to hear from your IT department every 90 days telling you that it is time to change your password.
