Updates to NIST’s Digital Identity Guidelines
Most company password policies employ a few security measures that, for a long time, have been largely regarded as unchallenged, logical best practices. These measures are typically: password rotations every 90 days, complexity requirements (upper, lower, number, and special characters), etc. For Domain Administrators and End-Users alike, these restrictions have long been the bane of our password management experience.
But let’s admit it, you probably have terrible passwords; we all do. According to a 2017 survey by Keeper Security, most people have a single password that they use across all systems. We all know that this password must rotate periodically on many platforms, but that isn’t typically a big issue. Why? Because many employees also know exactly how to get around this. We replace a letter with a similar special character (e.g., S vs. $ or I vs. !), increment the number at the end by 1, or use a different special character before the number at the end. Rinse and repeat. None of this behavior is beneficial for security. Be honest, have I just described your password for your social media, online banking, work computer, home computer, and iTunes account? If so, you are not alone.
Conventional wisdom has long said that increased password complexity and periodic password resets can only be a good thing. More complex and more frequent rotations lead to strong passwords, right? In reality, complex password requirements and frequent rotation of passwords are doing more harm than good. The newly updated NIST guidelines on digital identity controls have caused a lot of chatter within the security community.
They are focused on making users’ lives easier, not harder, and may have a real impact on how your organization manages its password policy.
Making users reset their passwords every few months (i.e., the proverbial 90-day rotation) is a classic security measure. The thinking here is that any unauthorized person who obtained a user’s password will soon be locked out when the password is forced to change. According to research, NIST guidelines and, let’s be honest, our own password habits, this does not actually work. Users tend to change their passwords in predictable and convenient patterns. So, if a hacker already knows one of a user’s previous passwords, it is not going to be difficult for them to crack the new one in most cases.
The new NIST guidelines reveal an important shift in the password policy paradigm: easier, more convenient security will, in turn, make more people take better security precautions. NIST has put forward the following recommendations of what to exclude from your password management policy:
1. There should not be any composition rules: No more "your password must include an upper, lower, special and numeric character".
2. No more periodic password expirations without reason: The only time passwords should be changed is when they have been compromised (either through a breach of the password database or through individual phishing) or forgotten by the user.
3. No more password hints: Users tend to leave hints like "name of your dog" or "rhymes with blassword", which are easily guessed using social media or common sense.
Now, there has been an interesting reaction from companies who hear about these changes. Delap has fielded a few inquiries along the lines of, “I just saw NIST’s new guidelines and I was wondering if it would be okay to remove rotations and complexity requirements at my organization?” The problem is that this question is overlooking a few key elements of the NIST guidelines. They do not stop at just recommending that these password security controls are turned off. Importantly, NIST has also put forth a strengthened list of controls that companies should be implementing in addition to removing rotations and complexity requirements:
1. Forbid commonly used passwords: The updated NIST guidelines require that every new password is checked against a “blacklist” of commonly used passwords, dictionary words, repetitive or sequential strings, passwords taken from prior security breaches, and variations of the company name / marketing material.
2. Password length is critical: Passwords must be a minimum of 8 characters. Further, systems should accept passwords of at least 64 characters. No more "sorry, your password must be less than 16 characters".
3. Limit the number of password attempts: Implement a lockout threshold for invalid password attempts. This is an effective way to prevent brute-force attacks on passwords.
4. Allow "paste" in password fields: Use of password managers and very long, complex passwords is becoming more widespread. Allowing these often long, computer-generated passwords to be pasted in from a manager is advantageous.
5. Ensure that passwords are stored securely: NIST guidelines require that passwords are salted with at least 32 bits of data and hashed with a one-way key derivation function.
6. Implement multi-factor authentication: Requiring employees to authenticate with something they know (like a password) and something they have (like a token) or something they are (like a fingerprint) drastically decreases the probability of a successful attack.
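The following Python is an added illustration of items 1, 2, 3 and 5 above, not code from NIST or from Delap: a new-password check enforcing the 8-to-64 length window, a blocklist lookup, detection of repetitive or sequential strings and of the company name, salted storage with a one-way key derivation function, and a per-account failed-attempt counter. The blocklist entries, the company term "delap" and the lockout threshold of 10 are constructed assumptions; a real deployment loads a breach-derived list.

```python
import hashlib
import re
import secrets
# Constructed sample blocklist; a deployment loads a full breach-derived list instead.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
COMPANY_TERMS = ("delap",)  # assumed organisation name / marketing terms to reject

def is_repetitive_or_sequential(pw: str) -> bool:
    low = pw.lower()
    if re.search(r"(.)\1{3,}", low):  # same character four or more times in a row
        return True
    for i in range(len(low) - 3):  # four consecutive code points stepping by +1 or -1
        diffs = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + 3)}
        if diffs in ({1}, {-1}):
            return True
    return False

def check_password(pw: str):
    """Return a rejection reason string, or None when the password is acceptable."""
    if len(pw) < 8:
        return "too short (minimum 8 characters)"
    if len(pw) > 64:
        return "too long (maximum 64 characters)"
    low = pw.lower()
    if low in BLOCKLIST:
        return "commonly used or breached password"
    if any(term in low for term in COMPANY_TERMS):
        return "contains the company name"
    if is_repetitive_or_sequential(pw):
        return "repetitive or sequential characters"
    return None

def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Random 16-byte salt (well above the 32-bit floor) plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 600_000)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(pw, salt)
    return secrets.compare_digest(candidate, digest)  # constant-time comparison

class LockoutTracker:
    """Count failed attempts per account and lock once the threshold is reached."""
    def __init__(self, threshold: int = 10):  # threshold value is an assumption
        self.threshold, self.failures = threshold, {}
    def record_failure(self, user: str) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)
    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold
```

Note that `len(pw)` counts Unicode code points, so a passphrase with spaces or non-ASCII characters is accepted as long as it fits the length window.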
Yes, NIST guidelines are now recommending the removal of periodic password rotations and complexity requirements. However, those recommendations are not presented as the single, end-all measure that should be implemented. It is actually far from it! Adopting these new password guidelines needs to occur alongside other stringent and secure password controls as noted above. Additionally, initial and ongoing employee education on how to protect and create secure passwords is necessary.
So, before we all rejoice at not having to change our password every time we get that pesky email from the IT Department, we need to ensure that our entire user identity and access management environment is secure. If you, your IT Department or anyone else has questions regarding these newly updated guidelines, please reach out to the Delap Cyber Team!