NIST Goes Soft on Passwords

The new NIST Digital Identity Guidelines (SP 800-63-3, with the password rules in SP 800-63B) are currently in draft, and there are quite a few changes. While I wouldn’t say NIST has actually gone soft on passwords, I will tell you that, if you’re tired of pulling your hair out every time you change your password, you are not alone. And NIST was clearly listening to commenters.

NIST (National Institute of Standards and Technology) came out of its box this time, with some pretty enlightened perspectives on how the real world operates. The proposed changes are very human based, grounded in how we as people actually think about security. Or, should I say, how much we think security is an inconvenience, and therefore tend to skip the steps we should take. With that in mind, they set out to revamp the guides to be more user friendly.

Keep in mind, of course, that the draft has to go through an extensive review process before adoption, so anything we say here could change before final release.

The primary idea behind making the guidelines more user friendly is this: when guidelines are too difficult to follow, people simply ignore them and opt for “whatever.” The entire process then becomes even less secure, because no attention was paid to security at all. If the experience of implementing security was horrible, the security was effectively useless. And this was the case more often than not.

Additionally, it’s important to note that simplifying the guidelines also eliminates complexities that were deemed unnecessary for security purposes.

So, what are the guides shaping up to look like?

More user friendly.
Realistic expectations placed on the users.
Shift most of the heavy lifting onto the verifier.
Simplify the process. Eliminate unnecessary hurdles for the users.

What changed?

Longer passwords:  Minimum of 8 characters, and verifiers should allow at least 64 characters (no truncation of what the user typed).
I know what you’re thinking, that’s not more user friendly.  But actually it is, once you add up the other changes. Remember, the idea here is to simplify AND maintain security. A long password beats a short complex one. And they’re trying to remove complexity in the hope that people will use a longer, more memorable passphrase.

Disallowing common passwords: (Dictionary)  Checking a new password against a list of commonly used, expected, or previously breached values (dictionary words, repetitive or sequential strings like “aaaaaa” or “1234abcd”, and context-specific values such as the username or the service name) is probably one of the easiest ways to prevent a user from making a simple mistake. Provided the user doesn’t cheat and simply append a “1” to a blocked word.

Allowing all printing ASCII characters:  Creating a passphrase is much easier if you can use all the characters you want.  In this change, verifiers must accept every printing ASCII character plus the space, and should accept Unicode as well (emojis included), with each code point counting as one character and the verifier normalizing the string (NFKC or NFKD) before hashing it, so the same passphrase typed on two different keyboards still matches. The guide also makes the verifier responsible for hashing the secret before it is stored; that protects the stored value, but it is not what stops SQL injection. An unusual character set is only a problem if the raw text is pasted into a query; bind it as a parameter and it never becomes part of the SQL.

No more Hints!: No more password hints or knowledge-based authentication (KBA). This is a good thing. Most of the time people made the hint so revealing that the password itself was hardly doing any work.  Frequently the verifier would ask a set of standard questions (KBAs) like, “What is your pet’s name?” These answers are often easily harvested from social media and are frequently reused across multiple sites.

No more complex creations:  Composition rules (must contain 2 numbers, 3 special characters, 5 capital letters, and so on) are no longer going to be the norm. They weren’t really worth the added headache and the “forgotten password” tickets, and they mostly produced predictable patterns like a capital first letter and a trailing “1!”. Instead, NIST is pushing for checking new passwords against a blocklist of common and compromised values.
NOTE: A blocklist is not without its flaws if users start appending simple suffixes to blocked words; a sensible check strips trailing digits and punctuation before the lookup.

Make the verifier do more of the heavy lifting: In the hope of making things easier on the users, it’s become necessary to put more of the security burden on the verifier. By this they mean the verifier becomes responsible for protecting stored passwords: each password is hashed with a random per-user salt of at least 32 bits using an approved one-way key derivation function (the draft names PBKDF2 as an example) with a cost factor high enough to slow down offline guessing, the salt and hash are stored per subscriber, and the algorithms follow NIST SP 800-131A rev 1.
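As an added example (not NIST’s code and not code from this post’s author), here is a small Python verifier that applies the rules from the last few items together: the 8-character floor and a ceiling well above 64, acceptance of spaces and Unicode with NFKC normalization, a blocklist lookup that also strips an appended digit or punctuation mark, and salted PBKDF2 storage with a constant-time compare. The blocklist contents, the 128-character cap, the 128-bit salt and the iteration count are assumptions chosen for illustration, not values taken from the draft.

```python
# Added example: a verifier-side policy check and credential store in the
# spirit of the draft SP 800-63B rules. Not NIST's code. The blocklist,
# the length cap, the salt size and the PBKDF2 work factor are assumptions.
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LEN = 8             # draft minimum, counted in code points, not bytes
MAX_LEN = 128           # assumed cap; the draft says allow at least 64, never truncate
SALT_BYTES = 16         # 128-bit salt; the draft floor is 32 bits
ITERATIONS = 600_000    # assumed PBKDF2-HMAC-SHA256 cost; tune to your hardware

# Constructed stand-in for a real list of common / breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

# Trailing digits or punctuation that users tack onto a blocked word.
_SUFFIX = re.compile(r"[0-9!@#$%^&*.?_\-]+$")


def normalize(secret: str) -> str:
    """Apply NFKC so that equivalent encodings (composed vs. decomposed
    accents, full-width vs. ASCII letters) hash to the same value."""
    return unicodedata.normalize("NFKC", secret)


def check_secret(secret: str, username: str = "") -> list[str]:
    """Return the reasons a memorized secret is rejected; empty means OK.
    Deliberately no composition rules: spaces, emoji and any printing
    character are allowed; only length and the blocklist are enforced."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if any(unicodedata.category(ch) == "Cc" for ch in s):
        problems.append("contains control characters")
    lowered = s.lower()
    base = _SUFFIX.sub("", lowered)          # "Password1" -> "password"
    if lowered in BLOCKLIST or base in BLOCKLIST:
        problems.append("commonly used or previously breached")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def store_secret(secret: str) -> dict:
    """Derive what the verifier keeps: a random per-user salt, the PBKDF2
    output, and the cost parameter so it can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_secret(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed inputs: a blocked word with a digit appended, a passphrase
    # with spaces, and "password1" typed in full-width characters.
    for pw in ["Password1", "correct horse battery staple",
               "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44\uff11"]:
        print(repr(pw), "->", check_secret(pw) or "accepted")
    rec = store_secret("caf\u00e9 au lait, 2 sugars")
    # The same passphrase with a decomposed e-acute still verifies after NFKC.
    print(verify_secret(rec, "cafe\u0301 au lait, 2 sugars"))
```

Note that the policy check and the storage routine share one normalization step; if the registration path normalizes and the login path does not, a user with an accented character in their passphrase is locked out on the first login. The stored record carries its own iteration count so the cost can be raised on the next successful login without a mass reset.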

Displaying the password:  The guide suggests that verifiers offer an option to show the password as it is typed, rather than always masking it. This is a huge help to anyone, period.  Even the guy looking over your shoulder, which is why it should be an option you can switch off, not the default.

No more password expiration:  Verifiers should no longer require periodic password changes; a change is forced only when there is evidence the password has been compromised.  The thought behind this is that, when people are forced to change their passwords frequently, they pick weaker ones or cycle through a small rotation. Neither is optimal.

No more SMS authentication:  SMS is inherently insecure as a second factor, because a text message can be intercepted or redirected, for example to a VoIP number or a swapped SIM, on top of the mobile platform’s own security issues. Yet SMS becomes more widely used every day. While there are other out-of-band devices, most do not suffer the continuous breaches and holes that arise from a mobile phone. So the draft deprecates SMS as 2FA (two-factor authentication), with a warning that it may be removed entirely in a future edition.

As you can see, the new guidelines are very user centric. It seems that NIST finally understands that people are people, and when it comes to security, they’d rather not bother. By making it easier on the user and putting more of the burden on the verifier, people might actually take an extra second to follow one rule, rather than ignore 20.

Good luck out there.
