Changes to the US National Institute of Standards and Technology (NIST) password guidelines were welcomed as long overdue. Security professionals criticized the old guidelines, which recommended a mix of numbers, letters and special characters that are changed periodically.
When I read the new document, I was surprised that it doesn’t account for very common attacks. In short, NIST guidance leaves people who rely solely upon passwords for authentication, which seems to be a majority of accounts, more vulnerable.
Most of the NIST document focuses not on passwords, but on other authentication mechanisms such as token authentication. Passwords as a sole authenticator are only allowed for low-level accounts. This is generally a risk-based decision, although the reality is that most accounts rely on password-only authentication.
Regarding passwords, what is not changed is that easily guessed passwords such as dictionary words are not allowed. They do state that there should be rate limiting for log-on attempts to lock out people who attempt brute force password guesses. However, this is also one of the most annoying password security features, and much more frequently locks out legitimate users than stops attacks.
The major change that everyone is applauding is that special characters should not be required as long as the password is not an easily guessed word. The new guidance also recommends not requiring periodic password changes.
This looks great, as you don’t have to change passwords frequently. While I don’t necessarily bemoan the lack of special characters, I do take exception with the lack of password changes in the absence of additional authentication mechanisms.
So how much of this new guidance will be appropriate for your company’s password policy? To answer that, let’s first look at how accounts are usually compromised. Most authentication attacks appear to result from phishing attacks or reuse of stolen password files. The hacks of credentials from Yahoo! and similar sites result in postings of account credentials on the dark web. Criminals then take these credentials and attempt to use them on banking websites or companies if the credentials are tied to corporate accounts. Whether it is through phishing or stolen accounts, the strength or composition of the compromised password is irrelevant.
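The credential-reuse pattern described above has a recognizable shape in authentication logs: each stolen username/password pair is tried roughly once, so one source address produces failures spread across many different accounts, with an occasional success where the password was reused. The following is an added example written for this article, not code from the article or from NIST; the log format, the field names and the sample log lines are all constructed for illustration, and the threshold of four distinct accounts per source is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.5 walks through five accounts (stuffing);
# 198.51.100.7 is one user retrying a mistyped password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2019-05-01T10:00:02Z auth user=bob src=203.0.113.5 result=FAIL
2019-05-01T10:00:02Z auth user=carol src=203.0.113.5 result=OK
2019-05-01T10:00:03Z auth user=dave src=203.0.113.5 result=FAIL
2019-05-01T10:00:04Z auth user=erin src=203.0.113.5 result=FAIL
2019-05-01T10:00:05Z auth user=alice src=198.51.100.7 result=FAIL
2019-05-01T10:00:09Z auth user=alice src=198.51.100.7 result=OK
2019-05-01T10:01:00Z auth user=frank src=192.0.2.9 result=OK
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_stuffing_sources(lines, min_accounts=4):
    """Return {src: [accounts]} for sources that attempted at least
    min_accounts distinct accounts. Per-account rate limiting does not see
    this pattern, because each account is only tried once or twice."""
    accounts = defaultdict(set)
    for ev in parse(lines):
        accounts[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in accounts.items()
            if len(users) >= min_accounts}


def compromised_accounts(lines, stuffing_sources):
    """Accounts that authenticated successfully from a flagged source: the
    reused password is valid here and should be reset immediately."""
    return sorted({ev["user"] for ev in parse(lines)
                   if ev["result"] == "OK" and ev["src"] in stuffing_sources})


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, sources))
```

The point of the two-step design is that the per-source view finds the campaign, and the successes within that campaign, not the failures, are the accounts whose passwords were reused and need resetting; the article's argument that periodic rotation is a fallback for exactly these undetected reuses still applies wherever this kind of logging is absent.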
The new guidelines potentially make it simpler for password cracking tools to run against compromised password files. Bill Burr, the author of the original NIST guidelines, stated that an eight-character password with special characters would be cracked faster than a 20-character password without special characters, but there is nothing in the new guidance requiring more than eight characters anyway.
A practical password policy
Here’s what I suggest for a reasonable approach to a practical, workable password policy:
- Implement multi-factor authentication for all accounts
- Create awareness campaigns for password security that discourage reusing passwords and writing down passwords, and instruct employees to protect multi-factor authentication devices and passwords.
- Allow users to use any password of their choosing.
If you do not implement multi-factor authentication:
- Continue to enforce periodic password changes
- Implement NIST guidance preventing guessable passwords
- Implement password login rate limiting
- Implement awareness campaigns that highlight how to create strong, but memorable passwords, prohibit password reuse, protect the passwords, and prevent phishing
- If you do not require passwords with special characters, passwords need to be longer to provide the same level of security
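The three technical items in the list above (screening out guessable passwords, rate limiting logins, and lengthening passwords when composition rules are dropped) fit in one small policy module, which also puts a number on Bill Burr's eight-versus-twenty character comparison from earlier in the article. This is an added example written for this article, not code from the article or from NIST. The blocklist is a constructed sample (a real deployment would load a dictionary plus a breach corpus), the leet-substitution table and the rate-limit thresholds are assumed tuning values, and the search-space figures assume a uniformly random choice from the alphabet, which human-chosen passwords never are, so they are an upper bound on resistance to offline cracking, not a measurement of it.

```python
import math
import re
from collections import defaultdict, deque

# Constructed sample blocklist; a real one holds dictionary words and
# passwords exposed in previous breaches.
BLOCKLIST = {"password", "letmein", "qwerty", "123456", "welcome", "summer", "winter"}

# NIST SP 800-63B minimum length for a user-chosen memorized secret.
MIN_LENGTH = 8

# Common substitutions undone before the blocklist lookup, so that
# "P@ssw0rd" is screened as "password" (assumed table, not from NIST).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "!": "i", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase, drop a trailing run of digits/symbols ("Summer2019"),
    then undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def screen_password(password: str):
    """NIST-style screening: a length floor and a blocklist check, with no
    composition rule. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(set(password)) == 1 or password.isdigit():
        return False, "repeated character or all digits"
    if normalize(password) in BLOCKLIST or password.lower() in BLOCKLIST:
        return False, "matches blocklisted word"
    return True, "ok"


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest length over a (smaller) alphabet whose search space is at
    least target_bits: how much longer a no-special-character password
    must be to match a complex one."""
    return math.ceil(target_bits / math.log2(alphabet_size))


class LoginRateLimiter:
    """Sliding-window limiter: at most max_attempts failed logins per account
    within window_seconds. Old failures age out, so a legitimate user is
    slowed down rather than locked out until an administrator intervenes."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def allow(self, account: str, now: float) -> bool:
        """True if a login attempt for account may proceed at time now."""
        q = self.failures[account]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, account: str, now: float) -> None:
        self.failures[account].append(now)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2019", "Welcome!", "correct horse battery staple"]:
        print("%-30s %s" % (pw, screen_password(pw)))
    bits8 = search_space_bits(8, 95)   # 8 chars from 95 printable ASCII
    print("8 chars, 95 symbols: %.1f bits" % bits8)
    print("lowercase-only equivalent: %d chars" % equivalent_length(bits8, 26))
    print("20 lowercase chars: %.1f bits" % search_space_bits(20, 26))
```

Running it shows the arithmetic behind the article's last bullet: eight characters drawn from the full printable set give about 52.6 bits, which a lowercase-only password matches at twelve characters, and a twenty-character lowercase password (about 94 bits) is far beyond either. The limiter is keyed per account, which is the control NIST asks for; it does nothing against a credential-stuffing run that touches each account only once, so it complements rather than replaces breach-list screening and log review.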
While I find forced password changes annoying, waiting until you know there is a password compromise to change passwords is ignorant. For example, you will not be aware when people use their organizational credentials for Pokemon Go accounts, as many do.
If that site is compromised and an employee has reused company passwords on it, your organization is now vulnerable. Even if the employee doesn’t use your organization’s email address, your organization is still vulnerable in a targeted attack if the password was reused across accounts. If you do not force periodic password changes, your organization is vulnerable as long as the employee has a valid account at the organization.
The case for multifactor authentication
The solution to exponentially reduce the risk from these attacks is to implement multifactor authentication. The NIST document advocates other authentication schemes besides passwords, a message missed by the media and readers giddy about not having to change or create complex passwords.
The reality is that most companies will not implement more costly or technically complicated authentication tools for a variety of reasons. Even security professionals seem to believe that the presence of those tools gives them a green light to weaken security. If people would actually follow the NIST guidance in its entirety, there would be better security. That includes reading and acting on the proverbial fine print that mitigates weaker passwords.