Last September we wrote a blog about the changes we might see to the National Institute of Standards and Technology (NIST) password guidelines. These new guidelines were finalized on June 22, 2017. You can find all four sections of the SP 800-63 Digital Identity Guidelines on the NIST website, but I’m going to break down the more major changes here.
The Do’s of SP 800-63
User Friendly Passwords
The overall “do” from these new guidelines is to make passwords more user friendly. There is a lot of misinformation in the world about what actually improves security. As technology improves, hackers’ ability to crack passwords improves too. Many of the “old school” password practices aren’t really making your password any harder to crack, and many experts are saying that we may finally be able to ditch those rules.
Minimums and Maximums
“Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.”
The 8-character minimum is a requirement, but it is possible for verifiers (those asking you to create the password) to set that minimum higher, say 12 characters as an example.
Now, if the verifier abides by the suggestion to allow 64 characters, it’s likely that you won’t get as many “this password is too long” messages, which is great as many in the tech community are continuing to push for passphrases over passwords.
“All printing ASCII characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode characters SHOULD be accepted as well.”
As I mentioned above, passphrases are increasingly encouraged, and with spaces now being specifically allowed this will make choosing a suitable phrase easier, not to mention eliminate mistakes from trying to type in a phrase without using the space bar.
As for emojis, these are covered under the sentence about “Unicode”, and while I’m always a fan of a well placed emoji, many are torn on this topic and are questioning if emoji passwords are actually a good thing.
“Banned” Password Dictionary
“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
This list should include previously breached passwords, commonly-used dictionary words, repetitive or sequential characters, and context-specific words (e.g., the IT Freedom system should check to make sure I’m not setting my password as “IT Freedom”).
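The “do” rules above (an 8-character minimum, room for 64 characters, spaces and Unicode accepted, and a check against a blocklist of breached, dictionary, repetitive, sequential and context-specific values) fit together into a single validation routine. The following is an added example written for this post, not code from NIST or from any product; the blocklist is a constructed handful of entries standing in for the large breach-derived list a real verifier would load, and the run length of 4 for “repetitive or sequential” is an assumption, since the guideline does not fix a number. Note that it deliberately imposes no composition rule: a passphrase made of lowercase words passes, while a breached value full of special characters does not.

```python
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: verifiers SHALL require at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers SHOULD permit at least 64 characters
RUN_LENGTH = 4    # assumption: 4+ repeated or sequential characters is "repetitive/sequential"

# Constructed sample blocklist (breached passwords and dictionary words). A real
# verifier loads a large list built from breach corpora; this is only for illustration.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "p@ssw0rd1!",
    "sunshine", "football", "princess", "dragon",
}


def normalize(secret):
    """Apply Unicode NFKC so visually identical inputs compare (and count) the same.
    SP 800-63B recommends NFKC/NFKD normalization and counts one code point as one character."""
    return unicodedata.normalize("NFKC", secret)


def has_repetition(secret, run_length=RUN_LENGTH):
    """True if any character repeats run_length or more times in a row, e.g. 'aaaa'."""
    run = 1
    for prev, cur in zip(secret, secret[1:]):
        run = run + 1 if cur == prev else 1
        if run >= run_length:
            return True
    return False


def has_sequence(secret, run_length=RUN_LENGTH):
    """True if run_length consecutive characters step by +1 or -1 in code point,
    e.g. 'abcd' or '4321'."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(secret, secret[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= run_length:
                return True
    return False


def check_secret(secret, context_words=()):
    """Return the list of reasons a prospective secret is rejected.
    An empty list means the secret is acceptable. No composition rules are applied."""
    secret = normalize(secret)
    lowered = secret.casefold()
    problems = []

    if len(secret) < MIN_LENGTH:
        problems.append("too_short")
    if len(secret) > MAX_LENGTH:
        problems.append("too_long")
    if lowered in BLOCKLIST:
        problems.append("common_or_breached")
    if has_repetition(secret):
        problems.append("repetitive")
    if has_sequence(secret):
        problems.append("sequential")
    # Context-specific words (service name, username, ...) are rejected even as a substring.
    for word in context_words:
        if word.casefold() in lowered:
            problems.append("context_specific")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "my dog barks at the mailman twice", "IT Freedom 2017"):
        print(repr(candidate), "->", check_secret(candidate, context_words=["IT Freedom"]) or "accepted")
```

Returning a list of reasons rather than a bare boolean lets the sign-up form tell the user why a choice was refused, which the guideline also calls for, without leaking anything about other users’ secrets.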
Two-Factor Authentication
“For the purposes of these guidelines, using two-factors is adequate to meet the highest security requirements.”
Common authentication involves using several or all of the following:
- Something you know (presumably your password)
- Something you have (an authentication token)
- Something you are (fingerprint, facial scan)
Since NIST is saying that using 2 out of 3 of those factors is adequate, check out our blog to learn more about two-factor authentication.
The Do Not’s of SP 800-63
“Verifiers SHOULD NOT impose other composition rules for memorized secrets.”
These composition rules tend to require a mixture of character types, inclusion of “special characters”, letters and numbers, and the prohibition of repeated characters. It’s been discussed for a while, but it’s now common knowledge that password complexity rules are more annoying than actually effective. Opting for a longer passphrase instead of turning an “I” into a “1” or an “E” into a “3” will serve you better in the long run, both in terms of actually remembering your password and in terms of security.
Password Hints and Security Questions
“Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.”
Many of the answers to common security questions can be found from a glance at your social media profile, your bio on your company’s website, or even from looking at data from prior security breaches. And since your father’s middle name probably hasn’t changed since you used that answer last, it might be time to kill security questions.
The same goes for password hints. Common hints like “Dog”, “Rhymes with X” or even “The password is X” aren’t really doing a lot of good to keep your account secure.
Arbitrary Expiration Dates
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Wired wrote a post called “Want safer passwords? Don’t change them so often” and NIST seems to agree. If we want users to create long and strong passwords, why do we keep asking them to change them? We aren’t saying NEVER change passwords, but maybe consider changing the policy from every 60-90 days to once or twice a year.
Safely Storing Passwords
What we didn’t talk about in our preview piece was the NIST guidance for securely storing passwords, but the new guidelines offer good information on how you should go about this.
“Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function.”
There is a lot more to it, including salt bit length and verification methods. You can find the full outline in the document SP 800-63B on page 15, and Techopedia offers good definitions for hashing and salting.
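To make “salted and hashed using a suitable one-way key derivation function” concrete, here is an added example (written for this post, not code from NIST or any product) that stores a memorized secret with PBKDF2-HMAC-SHA256 and a random per-user salt, then verifies a login attempt with a constant-time comparison. The iteration count and salt size are assumptions chosen for the example and sit well above the floors SP 800-63B sets (a salt of at least 32 bits and at least 10,000 PBKDF2 iterations); the stored record format is also an assumption, chosen so the parameters travel with the hash and can be raised later without breaking existing records.

```python
import hashlib
import hmac
import os
import unicodedata

HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000  # assumption: a current, deliberately slow work factor
SALT_BYTES = 16              # assumption: 128-bit salt, far above the 32-bit minimum


def _normalize(secret):
    """NFKC-normalize so the same password typed with a different Unicode composition
    (e.g. a precomposed vs. combining accent) derives the same key."""
    return unicodedata.normalize("NFKC", secret).encode("utf-8")


def hash_secret(secret, salt=None):
    """Return a self-describing record "pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>".
    A fresh random salt is drawn per call unless one is supplied (supplying one is for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(HASH_NAME, _normalize(secret), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_secret(secret, record):
    """Re-derive the key with the parameters stored in the record and compare in
    constant time, so a wrong guess takes as long as a right one."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        hash_name, _normalize(secret), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample: what a sign-up followed by two login attempts looks like.
    stored = hash_secret("my dog barks at the mailman twice")
    print("stored record:", stored)
    print("correct password verifies:", verify_secret("my dog barks at the mailman twice", stored))
    print("wrong password verifies:  ", verify_secret("my dog barks at the mailman once", stored))
```

Because the salt is random and stored alongside the hash, two users with the same password get different records, and an attacker who steals the table cannot reuse one precomputed lookup across all of them. Keeping the iteration count in the record means the work factor can be increased over time: when a user logs in with an old record, verify it, then re-hash with the current parameters.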
As cyber criminals and their ability to crack passwords evolve, so should the way we go about keeping passwords safe. This surely won’t be the last iteration of these guidelines, and it shouldn’t be. It can be daunting to understand and follow all of these rules, and that’s why we recommend using a password manager and working with security professionals to make sure you have a well thought out password policy. And while these rules were created for the government, they are a great standard to follow in any organization.