Passwords. Passwords. Passwords.
How much time have you spent trying to come up with a memorable password that also fits the 6 different password requirements? Probably more time than you should have. From length requirements to composition rules and 8 password recovery questions, deciding on a password often takes up way too much of your time.
It’s for this reason that the United States National Institute for Standards and Technology (NIST) is working on new password guidelines for the US government’s public sector. While these NIST guidelines are being written specifically for government use, they are often adopted by private companies as well. Meaning that you could soon see these password changes and requirements coming into play in your life at work and even on websites you use for non-work related tasks.
So what does this mean for your password requirements in the future? Essentially, progress. A movement toward more user-friendly passwords and away from the hassle of creating a password that you can’t ever remember.
Out with the Old
No more trying to remember if you used the letter “I” or the number “1” in your password. The NIST has decided that composition rules don’t do as much good as we previously thought and can be a giant hassle for users. For example, coming up with a password that contains 8-10 letters, uppercase and lowercase, numbers, and at least one special character often ends up looking like this: “B3s+Pa5sw0rd3v3R”. Believe it or not, even with all of those character substitutions, that’s a pretty easy password for a machine to guess.
Under the new requirements, you are free to correctly spell the words that comprise your password. In practice, passwords that abide by the composition rules have proven easier to crack, while a password like “armchair handstand removed bash reseal unbalance” can take far longer to crack. Don’t believe me? Check out this comic on password strength, and then go read this article on the art of creating crazy passwords.
Previously there was no requirement on hints or security prompts. In the new guidelines, password hints that can be shown to unauthenticated users are NOT allowed. You also won’t be allowed to prompt for specific personal information to allow password resets. If you’ll remember, it was exactly this that led to Sarah Palin's email being hacked. The hacker simply filled in her birthday, ZIP code, and where she met her husband, all of which he obtained from a simple Google search. Gone are the days of using your high school mascot to help identify you—thanks to Google, anyone can pretend to be you with that information.
As of now there is no limit on the number of times a user can be prompted to change their password. Frequently requiring password changes has actually been seen as a good security policy even though it’s one of the most user-unfriendly password tactics around. In the future, NIST is planning to take away password expiration rules. Rationally it makes sense: what is the point of creating a long, complex passphrase if you’re going to have to change it and memorize another in a month? It generally only leads to users incrementing a number at the end of the same password or scribbling it down on a Post-It under their keyboard. Not good!
While multi-factor authentication is necessary and seriously helps to prevent intrusions, there are some forms of MFA that are proving to be less effective than others. Knowledge-based challenges like “What’s the name of your first pet?” tend to be weak, used on multiple sites, and don’t genuinely qualify as “multi-factor” in our opinion anyway.
Another form of MFA that is proving to be less effective is SMS authentication. Smartphones are susceptible to many threats, like malware, SMS forwarding, and fraudulent number reassignment, which diminish the safety of SMS authentication. This article on the limits of SMS for 2-factor authentication dives into more detail on why SMS authentication is being phased out and what can replace it. In short, expect to see smartphone apps and push notifications used for MFA in the future more than SMS messages.
In with the New: NIST 800-63-3
In the past, a minimally acceptable password was either 6 characters/4-digit PIN (LOA1) OR 8 characters/6-digit PIN (LOA2). This will be changing for all passwords. A minimum of 8 characters/6-digit PINs will be required across the board. There is also a new maximum of 64 characters, a change from the previous lack of any maximum. The idea with imposing a maximum is to allow for a memorable passphrase while keeping it within the realm of reason. A well-chosen password that’s 64 characters long is safe enough for pretty much any use, and a longer one that isn’t well-chosen isn’t any good anyway.
Common Password Dictionary
NIST is also creating a dictionary of commonly used or compromised passwords to compare new passwords against. If your password is in this list, or close to an entry in it, you may be asked to select a new password preemptively. The dictionary is slated to have around 100,000 entries. The NIST is hoping that users will actually change their password and not just add a “3” or “?” at the end. If users don’t come up with a genuinely new password, the dictionary essentially becomes a list of easily compromised passwords.
Universally Allowed Characters
The new guidelines will accept space characters (making it easier to accurately type in a long phrase) and all printable ASCII characters, and will allow passwords in another language. The guidelines will also accept Unicode characters…including emoji! I don’t know about you, but a password with the heart eye cat emoji sounds pretty great to me.
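To make the three rules above concrete (the 8 to 64 character range, the common-password dictionary check, and the acceptance of spaces, Unicode and emoji), here is an added example checker written for this article; it is not NIST's code or any product's. It assumes a tiny constructed stand-in for the ~100,000-entry dictionary, a heuristic "strip the trailing 3 or ?" and leet-speak reversal of its own to approximate "or close", and treats control characters as the only thing not covered by "printable ASCII plus Unicode".

```python
import re
import unicodedata
from typing import Tuple

MIN_LEN = 8    # article: a minimum of 8 characters across the board
MAX_LEN = 64   # article: a new maximum of 64 characters

# Constructed stand-in for the ~100,000-entry common/compromised password
# list the article describes; a real deployment would load the full list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "bestpasswordever",
}

# Heuristic leet-speak reversal so "B3s+Pa5sw0rd3v3R" collides with
# "bestpasswordever". This table is the example's own assumption, not NIST's.
_LEET = str.maketrans("4301!$+@5", "aeoiistas")


def _stem(password: str) -> str:
    """Reduce a candidate toward the form a dictionary entry would take:
    drop a trailing run of digits/punctuation (the "add a 3 or ?" trick),
    lower-case, then undo common character substitutions."""
    trimmed = re.sub(r"[\d\W_]+$", "", password)
    return trimmed.lower().translate(_LEET)


def is_too_common(password: str) -> bool:
    """True if the password, or a trivially decorated variant, is in the list."""
    return (password.lower() in COMMON_PASSWORDS
            or _stem(password) in COMMON_PASSWORDS)


def check_password(password: str) -> Tuple[bool, str]:
    """Apply the article's NIST-style rules. Returns (accepted, reason)."""
    # Length is counted in Unicode code points, not bytes, so an emoji is
    # one character; spaces and non-ASCII letters are ordinary characters.
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Assumption: "printable ASCII plus Unicode" excludes control characters.
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        return False, "contains control characters"
    if is_too_common(password):
        return False, "matches the common-password dictionary (or a close variant)"
    # No composition rule: nothing here demands digits, case mixing or symbols.
    return True, "ok"
```

Note that the article's own "B3s+Pa5sw0rd3v3R" is rejected because it stems to a dictionary word, while the plainly spelled six-word passphrase is accepted.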
NIST opened the changes to public comments for a while, but the comment period has since closed. While the new version of the Digital Authentication Guidelines, Special Publication 800-63-3, won’t be released until May, you can continue to follow it as it comes together in an easy-to-read format on NIST’s website. And for a more thorough explanation of all those changes, check out Jim Fenton's presentation "Toward Better Password Requirements".