A recently released draft of the National Institute of Standards and Technology’s digital identity guidelines has met with approval by vendors.
The draft guidelines revise password security recommendations and altering many of the standards and best practices security professionals use when forming policies for their companies.
The new framework recommends, among other things:
- Remove periodic password change requirements
There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach.
- Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords, Wilson adds. NIST said If a user wants a password that is just emojis they should be allowed. It’s important to note the storage requirements. Salting, hashing, MAC such that if a password file is obtained by an adversary an offline attack is very difficult to complete.
- Require screening of new passwords against lists of commonly used or compromised passwords
One of the best ways to ratchet up the strength of users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords, he said. NIST adds that dictionary words, user names, repetitive or sequential patterns all should be rejected.
"All three of these recommendations are things we have been advising for some time now and there are now password strength meters that screen for compromised credentials, not just commonly used passwords,” Wilson said. "While it wasn’t explicitly mentioned in the new NIST framework, we contend that another important security practice is periodically checking your user credentials against a list of known compromised credentials."
NIST’s Paul Grassi, one of the authors of the report, noted that many of the above guidelines are now only strong suggestions and are not mandatory yet. The public comment period closed on May 1 and now the draft goes through an internal review process. It is expected to be completed by early to mid summer.
“We look forward to a day in the near future when technology, culture, and user preference allows these requirements to be more broadly accepted. That said, we reviewed a lot of research in the space and determined that composition and expiration did little for security, while absolutely harming user experience. And bad user experience is a vulnerability in our minds,” he said. “We need technology to support this (not all password stores do), so we didn’t want to create requirements that agencies had no chance of meeting due to tech limitations.”
Users usually find a way around restrictions like composition rules by substituting special characters for alphas. Because the bad guys already know all of the tricks, this adds very little, if nothing, to the true entropy of a password, he said. “Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good.”
In terms of new requirements for passwords, he said NIST is excited to introduce password storage requirements, which makes an offline attack much harder. He said fundamentally the new revision does a better job recognizing the password has a valid role to play, if done right. “Yet we provided a slew of new options that gives agencies the ability to leverage the tools that users may already have, like a smartphone, or an authentication app, or a security key. This allows agencies to save money by not having to issue a physical device, but increase their security posture by accepting the strong authenticators users already have.”
Phil Dunkelberger, CEO of Nok Nok Labs, said the username and password paradigm is well past its expiration date. Increasing password complexity requirements and requiring frequent resets adds only marginal security while dramatically decreasing usability.
Phil Dunkelberger, CEO of Nok Nok Labs
“Most security professionals will acknowledge that while such policies look good on paper, they put a cognitive load on end users who respond by repeating passwords across sites and other measures to cope that dramatically weaken overall security. We are glad to see national organizations like NIST recommend an update and change to a paradigm that no longer works,” he said.
Ran Shulkind, co-founder and chief product officer at SecuredTouch, said the new password guidelines make a lot of sense. “The volume of passwords people had to manage and the ‘special characters’ ended up making things less secure than they should have been. However, passwords are actually becoming much less important than they used to be. Threats are continuing to increase, and users are getting tired of entering usernames, passwords, and additional identifying codes – no matter the structure.”
Multifactor authentication (MFA) is becoming mandated in some industries and is voluntarily being adopted in others. It adds another layer of security to include something you know (password), something you have (token or SMS), or something you are (fingerprint or behavior), Shulkind said.
“Ultimately, it’s all about balancing security and the user experience. While MFA does enhance security, it can discourage the user from using the app or performing the transaction. That’s why organizations are looking for more user-friendly components, like behavioral biometrics to reduce friction, allowing for smoother device interactions and higher risk transactions,” he said.
Mike Kail, co-founder and CIO at Cybric, said behavioral biometrics, which analyzes and authenticates based on users’ physical interactions with their devices (finger pressure, typing speed, finger size) will eventually phase out the need for passwords completely.
"I feel that the updates in the new framework are a step in the right, tactical direction, especially the password rotation change requirements,” he said.
He would like to see more strategic approaches such as requiring a Cloud IdP/SSO provider and monitor anomalous activity. He also mentioned providing users with a password management tool.
Barry Shteiman, director of threat research at Exabeam, said this is a very positive change in the NIST standard. “Credential stuffing (using compromised credential DBs and replay them against authentication mechanisms) has become very common, especially with breach information being sold or sometimes published online.”
Richard Henderson, global security strategist at Absolute believes this change also makes dictionary and rainbow attacks less useful to test credentials. “Sadly, we’ve lived through many years of more and more confusing and contradictory advice when it comes to creating and using passwords, and that has led to a hodge-podge of implementations and confusion among regular internet users.”
“When you add to this the simple notion that there are still a lot of sites out there with terrible password policies or even worse, still storing passwords in plaintext, are we really surprised that people’s habits lead to widespread password reuse or weak passwords?,” Henderson pondered.
He said the most important piece of advice is continual scan and intake of known vulnerable and stolen password lists to compare against. “Beyond the idea of potentially minimizing the risk of password reuse and creating weaker passwords, it can alert companies to the potential of a breach of one of their users. If a password like 247KangarooKiwi! shows up on a compromised list somewhere, and that’s a password one of your users uses, it’s an awful large red flag to take a look at their corporate or work endpoint devices and look for evidence of compromise.”
NIST’s recommendation to allow the full ASCII and Unicode keyspaces is also good, as it increases the keyspace for attackers using brute forcing attempts to break, he said.
Troy Gill, manager of security research at AppRiver, remembers hearing frequently that passwords were dead. “New authentication technologies have come a long way in the past decade. However, the massive surge in online service with the majority of those services implementing passwords is leading to a bit of a password critical mass,” he said.
He noted that these recommendations also are largely in sync with guidelines laid out last year by the UK’s NCSC.
“In a perfect world, it would be a great idea to require passwords to be changed every few months. But as humans we have inherent limitations with our ‘wetware’ that can prevent most of us from doing what we know is most secure. Instead, we substitute something the meets the minimum requirements and can be managed with the most ease,” he said. “Let’s face it, there are a staggering number of unique passwords that people are required to remember today, with most requiring frequent changes that also have to be memorized.
He said this constant churn inevitably leads to users implementing common, predictable passwords, recording them in unsecured locations, reusing passwords on multiple online accounts, and using only slight variations of prior passwords. He agreed that 30/60/90 day password changes are counterproductive.
He would like to see a more “event driven” approach to when password resets are required as opposed to routine schedule. For example, if an organization is at all suspicious of a breach then requiring password changes across the board would be appropriate. Other events warranting a password change would include a particular user logging in from a unrecognized device or an unexpected location. “Investment in the ability to detect these types of events more easily can build a stronger security posture,” he said.
Gill said it’s true that the attempt to require more algorithmic complexity most often has very predictable results. Like the example that NIST uses in its guidelines of the password “password” morphing into “password1” and later “password1!”.
“While the last iteration may be technically more complex it is essentially just as weak as the original as it is both commonly used and computationally predictable. I would also like to see the term ‘password’ replaced with ‘passphrase’ as lengthy passphrases can be both easier to remember and more difficult to crack in a brute force attack,” he said.
He said using lists of both common passwords and compromised passwords can be quite simple to implement and can make a marked improvement. Organizations should also focus some efforts on monitoring web locations, where breached passwords are likely to appear, for lists containing any of their users/customers.
Eric Avigdor, director of product management at Gemalto, noted that passwords have always been a weak security tool, and conventional wisdom has been that consumers should create complex passwords that they update frequently.
“The reality is that passwords are weak no matter how often they are changed or how difficult they are, and people usually have only a variant of one or two passwords. Man in the middle or man in the browser hacks can take your password even if it is extremely lengthy and complicated – IT administrators can see your passwords, your bank can see your passwords,” he said.
He said the guidelines recognize that the way to solve the password problem is to accept that passwords are weak and add on other complementary factors of authentication, whether mobile or hardware OTP tokens as well as PKI based USB tokens or smart cards.
Avigdor mentioned more reliance on the usage of PKI tokens with a smart card. This involves entering a PIN which is never revealed to anyone, except the owner of the smart card.