NIST to security admins: You've made passwords too hard

Passwords may not be dead, but the latest NIST guidelines promises a less frustrating and more secure authentication future

NIST to security admins: You've made passwords too hard
Credit: Thinkstock

Despite the fact that cybercriminals stole more than 3 billion user credentials in 2016, users don't seem to be getting savvier about their password usage. The good news is that how we think about password security is changing as other authentication methods become more popular.

Password security remains a Hydra-esque challenge for enterprises. Require users to change their passwords frequently, and they wind up selecting easy-to-remember passwords. Force users to use numbers and special characters to select a strong password and they come back with  passwords like Pa$$w0rd.

Fortunately, the number online services supporting hardware security keys is growing, including the likes of GitHub, Google, and Facebook. Google even uses hardware security keys internally to secure its employee workforce.

The final version of NIST's Digital Identity Guidelines (SP 800-63-3) also challenges the effectiveness of what has been traditionally considered authentication best practices, such as requiring complex passwords. When most credentials-based attacks no longer bother with brute-force methods, relying on password complexity doesn't really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics, it doesn't matter how complex the string is. Attackers can harvest credentials directly from the domain controller while moving laterally through the network, look up passwords from previously breached databases, or intercept passwords transmitted in plaintext.

While the public comment period for the password guidelines closed on May 1, NIST has not yet released the final version. It wound up extending the comment period for the parent document—on Digital Identity—for an additional 30 days while closing comments for the companion documents Enrollment & Identity Proofing (SP 800-63A), Authentication & Lifecycle Management (SP 800-63B), and Federation & Assertions (SP 800-63C) to get more details on how to make digital identity management "simpler for agency officials, mission owners, and implementers alike." The NIST guidelines provide technical requirements for federal government agencies, but they act as a helpful blueprint for the private sector to follow as well.

Out with the old

Here's what's out in the new guidelines:

  • Having special composition rules on creating strong passwords (such as requiring both uppercase and lowercase characters, at least one number, and a special character)
  • Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise
  • Password hints and knowledge-based questions, such as the name of the first pet, the mother's maiden name, or the high school mascot, as social media and social engineering have made it easy for attackers to use these pieces of information to bypass passwords

NIST recommends administrators leave out overly complex security requirements that make it harder for users to do their jobs and don't really improve security, since frustrated users are more likely to look for shortcuts. For example, users struggle to memorize large numbers of passwords—the average user accesses more than 40 accounts—so they may either write down passwords, which defeats the purpose of having a "secret" password; reuse passwords, which makes it easier to break into accounts; or use variations of existing passwords, which makes it easier for attackers to guess the patterns.

"The username and password paradigm is well past its expiration date," said Phil Dunkelberger, CEO of Nok Nok Labs. "Increasing password complexity requirements and requiring frequent resets adds only marginal security while dramatically decreasing usability. Most security professionals will acknowledge that while such policies look good on paper, they put a cognitive load on end users, who respond by repeating passwords across sites and other measures to cope that dramatically weaken overall security."

While it's true there are other ways to get passwords, brute-force attacks still exist, so don't give up on complex passwords yet. Enterprises should encourage employees to use a password manager and not try to remember passwords. Even with recent issues found in popular password managers, these applications remain the best tool for creating and storing unique and strong passwords.

In with the new

Now, here's what's in the new guidelines:

  • Users should be able to choose freely from all printable ASCII characters, as well as spaces, Unicode characters, and emojis
  • Increase the minimum length of passwords to eight
  • Check passwords against blacklists of unacceptable credentials, including previously breached databases, dictionary words (monkey), common passwords (letmein), and passwords with repeating or sequential characters (pass123)
  • Lock accounts after several incorrect attempts to login
  • Hash passwords with a salt when storing passwords to prevent cybercriminals from acquiring passwords that are stored in plaintext or with weak hash algorithms

Password managers only solve the password challenge; they don't address the overall authentication problem when attackers already have the password. NIST also recommends adding another line of defense by turning on multifactor authentication. Attackers typically don't have multiple proofs of identity, such as the user's mobile device or some kind of physical token, they wouldn't be able to break in even with a password.

However, NIST warned against relying on sending one-time passwords via SMS messages as a form of two-factor or multifactor authentication. SMS can easily be intercepted, so NIST suggests using software-based one-time-password generators, such as apps installed on mobile devices.

Biometrics are also gaining popularity, especially as more user devices come equipped with fingerprint readers. For example, the Samsung Galaxy S8 has both a fingerprint scanner and an upgraded retinal scanner that is currently used for unlocking the device. The scanner could likely be used as a second factor authentication method for online services that decide to adopt retinal scanning. There are rumors that LG G6 will have facial recognition software that could be used to unlock devices.

Microsoft announced plans to replace passwords with a smartphone-based authentication method. Instead of the standard two-step verification, where users first enter a password and then enter a PIN sent to their mobile device, the new "phone sign-in" method will require users to use the device to sign in with a PIN or user the fingerprint scanner to authenticate.