NIST Password Security

What is the NIST password guideline? Is there a guideline from NIST for passwords? Do we have a standard on how to set passwords?

The National Institute of Standards and Technology (NIST) issued a new revision of its digital authentication guidelines, NIST SP 800-63B-3, which sets out the password security requirements.

That being said, what exactly does NIST 800-63 talk about in general? What is the significance of NIST 800-63, and how does it differ from previously issued guidelines on password security?

Well, the answer is pretty clear. NIST 800-63 updates the password requirements to meet the needs of today’s environment.

What You Should Know About NIST Password Guidelines

A quick list of the NIST Password Guidelines for easy reference: 

  1. No more periodic password resets
  2. A defined minimum password length of 8 characters (user-generated)
  3. A maximum password length of at least 64 characters must be accepted
  4. Allow special characters, including spaces and emojis
  5. A defined minimum password length of 6 characters (system-generated)
  6. Avoid password hints/clues
  7. Limit complexity requirements for passwords
  8. Encourage 2FA/MFA and avoid SMS for 2FA
  9. Reject exposed or weak passwords, namely:
    1. Passwords from previously exposed breaches
    2. Dictionary words
    3. Passwords consisting of repetitive or sequential characters
    4. Context-specific words, such as the name of the service, the username, and derivatives thereof
  10. Limit failed login attempts to a definite number (10)
  11. Do not truncate passwords, and always store them as a one-way hash
  12. Guide the user by showing password strength through indicators
  13. Store passwords securely using a salt and a one-way hash to resist password guessing attacks
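As an added example (not code from the original post), items 2 to 5 and 9 of the checklist above as one acceptance function in Python. The blocklist, username and service name are constructed stand-ins; a real deployment would query a breach corpus and a dictionary list instead of the small set shown.

```python
import unicodedata

# Constructed sample blocklist standing in for a breach corpus and dictionary check.
BLOCKLIST = {"password", "password!23", "qwerty123", "letmein", "iloveyou"}


def _repetitive(s: str, run: int = 4) -> bool:
    """True if any character repeats `run` times in a row (aaaa, 1111)."""
    return any(s[i:i + run] == s[i] * run for i in range(len(s) - run + 1))


def _sequential(s: str, run: int = 4) -> bool:
    """True if `run` consecutive code points step by +1 or -1 (abcd, 4321)."""
    cps = [ord(c) for c in s.lower()]
    for i in range(len(cps) - run + 1):
        steps = {cps[j + 1] - cps[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, username: str, service: str,
                   system_generated: bool = False):
    """Return (accepted, reason). Length is counted in code points, so a space
    or an emoji is one character; nothing is truncated, and no composition
    rule (upper/lower/digit/symbol) is enforced (checklist item 7)."""
    pw = unicodedata.normalize("NFKC", pw)    # Unicode is allowed; normalise first
    n = len(pw)
    if n < (6 if system_generated else 8):   # items 2 and 5
        return False, "too short"
    if n > 256:   # must accept at least 64; a generous cap protects the hashing step
        return False, "too long"
    low = pw.lower()
    if low in BLOCKLIST:                      # items 9.1 and 9.2
        return False, "previously exposed or dictionary password"
    if _repetitive(pw) or _sequential(pw):   # item 9.3
        return False, "repetitive or sequential characters"
    for ctx in (username, service):          # item 9.4
        if ctx and ctx.lower() in low:
            return False, "contains the username or service name"
    return True, "ok"
```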

Passwords: Boon or Bane?


Just imagine for a moment that we are cut off from our online accounts for a week. Banking, supermarket, social networking, gaming and email accounts are not at our disposal. That is certainly a situation to avoid at any cost.

We, as a society, are more or less completely connected to the Internet. Online services form part of our socio-economic and personal modes of communication.

How we identify ourselves to these online services is predominantly through passwords as of 2020. Since the password is our primary mode of identifying and using online accounts, it is even more important that we focus on the security requirements of those passwords.

Password Problems

Whether we like it or not, a typical consumer like you and me uses at least 20 accounts. Twenty different accounts with twenty different passwords has been the problem, and we wanted an easy way out.

Our minds wanted a simple solution, and yes, myself included, we started re-using passwords across our accounts. That by itself is a major threat to the safety of our online accounts, leading to data breaches, account takeovers, fraudulent financial transactions, leakage of sensitive data, abuse of personal data, etc.

As of today (2020), the largest data leakages come predominantly from poorly configured systems, including weak authentication.

In simple terms, poor password security.

Enough of the problems!

How to combat this password problem? Do we have a solution at hand?

Well, the answer to this is, it depends!

There are specific guidelines available for us to refer to and make good use of. NIST has taken the time and effort to provide clear guidance on how to minimize these password problems through the release of NIST 800-63.

What is the NIST Password Standard?

NIST 800-63 was issued as “Digital Identity Guidelines: Authentication and Lifecycle Management” in June 2017. This was a new revision of its digital authentication guidelines, incorporating the current requirements of the interconnected world.

Though it is a lengthy 79-page document, our interest is predominantly in Section 5, “Authenticator and Verifier Requirements”, which lays out many specific guidelines on how to handle authentication requirements.

In a nutshell, it is a collation of some best practices for password management including storage, usage, and issuance.

What's new in NIST 800-63?

  1. It is far more user-centric.
  2. Attempts to remove obsolete password practices such as periodic password changes
  3. Gives good recommendations on the usage of 2FA/MFA
  4. Recommends rejecting previously exposed or poor passwords
  5. Emphasizes the importance of password length (minimum and maximum)
  6. A valid reason is needed for password resets
  7. Clear definitions of the best ways to store passwords with salts

NIST Password Policy

Let us look in detail at all 13 items listed above in the new NIST password policy:

No more periodic password resets

[IMG: Forced Password Change]

When was the last time you changed your password because the service provider (e.g. your online bank) forced you to?

I am pretty sure you would have changed it every 30-90 days, depending on the individual bank’s policy. But the question is, why do we have to change the password if it is strong and has not been compromised?

Also, when we change passwords regularly at defined intervals, we tend to introduce weaker passwords. For example, let’s say your password is “[Pr3ttyMeLikesD!$n3y]”.

This is a pretty good password. Yes, I also checked it against exposed passwords in XposedOrNot, and the results were positive.

Now you are forced to change the password, and humans generally resist giving up something they like. Maybe the password was emotional and you want to preserve it. So we just add a number at the end or the beginning, like “[Pr3ttyMeLikesD!$n3y]9”, as that satisfies the provider’s requirement.

But alas!

If your original password is compromised and can be correlated in a targeted attack, then the game is over.

An attacker can easily guess, or programmatically find, that your next password is going to be “[Pr3ttyMeLikesD!$n3y]8”.

That is why we should avoid forcing any kind of periodic password change, as it further weakens the password process.

Does Password Size matter?

We all know very well that it matters a lot.

The question is, how much is too big and how much is too small?

According to the new guidelines, if a user creates the password, it should be at least 8 characters long.

The maximum length should be at least 64 characters. That means service providers are supposed to raise the maximum length from their usual 20-32 character limits.

Oh, that raises another question. What is the character-count requirement if the password is created by the service/system?

Luckily, it is reduced to 6 characters. I am of the impression that these 6 characters could be set during initial onboarding; after that, a password change would be enforced at the user’s first login.

What should be allowed as a password character?

The answer is pretty straightforward.

In simple terms, allow anything that can be created with the standard keyboard.

It doesn’t stop there.

Spaces are to be allowed as part of passwords.

What about special characters like [[email protected]#$%&*();’,./<>?”:]?

Special characters should not be restricted while creating passwords.

How about Emojis?

😍 Yaaay! Emojis are to be allowed😍

[IMG: Valid Passwords. Source: https://smiley.cool]

Avoid Password Hints/Clues

In many places, we are used to typing in secret questions and answers as part of the password recovery and identification process.

Well, that is a strict no-no.

The reason for this restriction is that these questions/answers can be easily guessed. For a determined person, the answers to these questions would not be hard to find.

We are no longer permitted to allow such hints or clues as part of the password management process.

[IMG: Nihilistic Password Security Questions]

Limit password complexity requirements

A typical complexity rule reads: “Your password should contain alphanumeric characters only. It should also contain one alphabet, one number, and one special character.”

Service providers should avoid enforcing password complexity rules of this kind. For example, “Password!23” is an acceptable password under such a rule.

However, it is one of the weakest passwords.

Use of weak passwords could lead to account takeover or compromise.

Encourage 2FA/MFA and avoid SMS for authentication

Usernames and passwords are compromised in data breaches and released. Millions and billions of such exposed records are available on the Internet.

[IMG: Data breaches. Image courtesy: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]

Such large data breaches contain one or more of our passwords. For an attacker, it is a pretty easy task to filter out our credentials and compromise other accounts of a specific individual.

Hence it is recommended to have an additional layer of authentication beyond the traditional username/password combinations.

Two-factor authentication(2FA) or Multi-Factor Authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism.

Earlier, the secondary evidence used was a unique token sent to the user’s mobile phone. Since SIM swapping and related attacks are very easy these days, it is recommended to avoid SMS-based authentication tokens.

An alternative is to use authenticators. The first step is the username/password combination; the next-step authentication token is then generated by an application (soft or hard token).

This method of 2FA or MFA is highly recommended by the security community, as it has proven to defeat almost all basic password attacks against users.

Limit failure login attempts

Let us say someone wants to log in to your account.

The first and easiest step would be to guess your username and password combination. If the username and password are easily guessable, the account could be easily compromised.

To avoid that, systems should enforce failed-login limits. For example, after the fifth failed login attempt, the system could impose a speed penalty. With every additional failure, the delay could be increased exponentially, making it harder for the attacker.

Keeping all these scenarios in mind, NIST recommends defining a specific number of failures after which all further login attempts are blocked. This helps ensure the safety of such accounts.

Do not truncate passwords

In earlier days, programmers used to truncate longer passwords to a maximum of 8-20 characters to minimize their storage requirements.

Now storage is limited to hashes only. Adding to that, storage cost has decreased considerably.

Also, the hash of a password varies with its characters, and every change, including truncation, has a major impact on the strength of the password.

Considering these, NIST has proposed that systems should not truncate passwords and should store only their one-way hash. This helps increase the strength of the password.
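An added example (not code from the original post) contrasting the legacy truncating hash with salted one-way storage of the full password, as checklist items 11 and 13 require. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; assumed, raise as hardware allows


def legacy_truncating_hash(password: str) -> str:
    """The old practice the post warns about: cut at 8 characters, no salt.
    Shown only to demonstrate the defect; two long passwords that share a
    prefix collide, so the extra length buys nothing."""
    return hashlib.sha256(password[:8].encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hash the FULL password with a fresh random salt per password.
    Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```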

Guide user with password strength indicator

[IMG: Password Strength Indicators]
Well, I am pretty sure you can understand this easily.

The strength of any new password should be communicated with the help of password strength indicators. As most of today’s applications are reached online, it is highly recommended to show a visual strength indicator.

This visual password strength indicator can be used to guide the user to set a stronger password.


NIST Password Length Guidelines

Password length has traditionally been kept to a small number of characters to accommodate storage requirements.

The current cost of storage is considerably lower than in the time frame when this was originally drafted. Storage was a concern because passwords were earlier stored in plain text, which has led to numerous data breaches, including but not limited to a,b,c.

Now that hashes are stored, the size restrictions are pretty relaxed, allowing strong and complex passwords to be used by folks like you and me.

Whether a password is “password” or “[email protected][email protected]$sword4ALL”, the storage required for both would practically remain the same; it is determined by the hashing algorithm used by the service provider.

Does size matter? 

You bet it does!

NIST 800-63 Requirement | Count
--- | ---
Minimum number of characters to be used in a password (user-generated) | 8
Minimum number of characters to be used in a password (system-generated) | 6

Key Elements of the NIST Password Requirements for 2020


I had earlier covered password security in a bit more detail in my post “Ultimate Guide for Password Security”. That would surely have informative inputs for folks interested in safeguarding their accounts.


Conclusion:

NIST 800-63 guides the service providers for raising the bar on password security.

In the end, it is still up to us to secure our online accounts through strict control and the use of appropriate password controls.

We need to raise our password standards to meet this requirement.

Let us make it a practice to make use of the guidelines available for a safe and secure environment.

Follow password security best practices and live a peaceful, connected and productive life.

Your action counts! Be Aware & Stay Safe.

[IMG: Password Strength. Source: https://xkcd.com/936/]

References

1. NIST Special Publication 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management

2. https://en.wikipedia.org/wiki/Password_policy#cite_note-sp800-63B-13