Almost every online interaction, whether it be a financial transaction, company login, or a simple email conversation, requires the use of a password. With data breaches becoming more common and prolific, passwords have evolved into complex strings of characters that are difficult to remember. Ironically, this conundrum has resulted in stores selling password books for recording all the numerous credentials individuals use on a daily basis; however, this defeats the very purpose of passwords. Consequently, the National Institute of Science and Technology (NIST) began researching past data breaches and experimenting with various password structures to identify better authentication practices. Besides providing NIST definitions for cloud computing, the NIST has also now provided guidelines to create safer passwords. Do you know how to create a safe and effective password for your profiles? Learn about NIST password guidelines and NIST compliance by reading on.
New NIST Password Guidelines
A 2017 Data Breach Investigations Report found that 81% of hacking breaches exploited stolen or weak passwords. With each new breach, the question of what constitutes a strong password resurfaces. Generally, a strong password refers to a password that resists easy access by trial and guesswork. However, such definitions are vague and don’t necessarily help users. In the early 2000s, the common recommendation was to make passwords as random as possible, adding uppercase, lowercase, numbers and symbols to the logins. Then, experts began encouraging frequent password changes. As the passwords were increasingly difficult to remember, most people simply changed one number, often in a sequence.
However, newer research now indicates that such processes may not be as safe as initially thought, prompting NIST to re-evaluate its standards. The first revelation involved the frequency of password changes. Some entities require users to change their credentials every 90 days. In order to remember the new passwords, people tend to change only one or two characters. If only one number is changed in a sequence, it is easy for threat actors to obtain other similar account numbers or re-access a system after a compromised password is updated. Furthermore, password complexity is not as full proof as initially thought. Rather, research suggests computers may find it easier to guess passwords that are random versus complex phrases. NIST now acknowledges that requiring a certain mix of characters is not absolutely necessary, although incorporating symbols or numbers into passphrases is still recommended. Additionally, using a strategy called Multi-Factor Identification (MFA) strengthens authentication security, although convenience is slightly reduced. With these new revelations in mind, NIST drafted new password guidelines including a three-step structure for improving password security.
NIST Password Basics
Part of NISTs goal is to educate enterprises and employees in addition to providing recommendations. Consequently, before going into the details of NISTs password guidelines, it is worth reviewing a few key definitions password, identification, and authentication. NIST defines these three terms as follows:
A password is a secret (typically a character string) that a claimant uses to authenticate its identity.
Identification is a claimant presenting an identifier that indicates a user identity for the system.
Authentication refers to the process of establishing confidence in the validity of a claimants presented identifier, usually as a prerequisite for granting access to resources in an information system.
NISTs guidelines encompass the many forms of passwords and recommends a variety are used. For example, a Personal Identification Number (PIN), a string of numbers generally 4-6 characters long, may be used for physical system access. Likewise, passwords or passphrases may be used for devices or account access. Different systems will require different authentication methods, varying from single-factor, Two Factor (2FA), or Multi-Factor Identification (MFA).
More recently, the concept of identity proofing has also surfaced. This refers to verifying a persons online identity is linked with the same, legitimate real world identity. Claimants must be examined through verification to ensure they are the subscribers they claim to be. Despite the lexicon, the overarching point is that the cyberworld is full of fake identities, and it is vital to make sure authentication processes only allow legitimate access.
Source: NIST Digital Identity Guidelines
Multi-Factor Identification refers to utilizing two or more forms of identification before allowing access to a system. Most people have experienced this in some form as it is becoming more and more common. For example, some WiFi networks require users to log in (with a user name and password) and then input a code they receive via a text message. Thus, users must complete two steps before entering the system. Like identity proofing, the goal is to verify the person or proxy signing in is legitimate.
More specifically, MFA has three forms or options from which various combinations can be derived. These include something you know, something you have, or something you are. In addition, somewhere you are, something you can do, something you exhibit, and someone you know may also be used. However, the first three remain the most commonly implemented.
Something you know refers to an individual’s knowledge, like a password and username or a question and answer format. Something you have refers to a physical access device or token. Initially, this concept encompassed only tangible items, like key-cards, but now it includes virtual applications as well, like Google Authenticator. Lastly, something you are refers to biometrics, such as retina scans and fingerprints. Ultimately, the combination of these forms utilized remains at the implementers discretion.
NIST Password Guidance
The dichotomy of passwords complexity versus recallability is difficult to solve. Long passwords designed to bolster security can actually decrease it if the passwords are so long individuals start to use sticky notes to remember them. Various authentication processes have benefits and drawbacks. In an attempt to find a balance between all such methods, NIST formulated three password guidelines. Like its Cyber Security Framework (CSF), these guidelines are broad, general recommendations. Utilizing them will keep your company up to date on the most current research regarding authentication security. The guidelines focus on clear definitions, implementation, and education with the objective of balancing length versus recall.
1) Do not rely solely on passwords Rather than requiring employees to log in with a simple username and password, NIST suggests using MFA. Although it may take an extra few minutes to complete, the added layer of security will further reduce the vulnerability of a system and better protect data.
2) Use passphrases versus passwords By using a phrase that is well-known or holds special meaning, a user is easily able to remember the password, while a computer will need more time to guess it. The passphrase concept involves picking a phrase unique to an individual’s experiences and modifying it by interspersing numbers, symbols, or case changes.
3) Protect most valued accounts Although NIST highly recommends all accounts utilize MFA, it notes that different accounts will require different levels of security. Before overhauling any authentication practices, entities should first identify the priority of different systems. High value accounts should each be designated a unique passphrase, rather than a general system access code. For example, physical control systems (e.g., fire suppression system) would likely require a PIN as it is easier to input the code quickly and with greater accuracy. With such systems, human safety necessitates speed. In contrast, a computer storing user financial data or Personal Identifying Information (PII) would likely require a strong passphrase.
NIST Password Complexity Guidelines
As mentioned above, NIST now takes a simpler approach to passwords/phrases, focusing more on length and content versus complexity (e.g., numerous numbers and symbols). Length remains the primary factor for creating a password. The longer the password, the greater the defense against brute force or dictionary attacks. Rather than quoting an exact number of characters individuals should use, NIST only recommends a bottom line at least 6 digits for PINs and 8 characters for user-chosen passwords. Furthermore, NIST encourages matching the length to the level of threat. The greater the threat, the more complex the password. This integrates well with the passphrase concept, as phrases allow for complexity and flexibility. For example, lets say a user chose the phrase I do not like green eggs and ham. Translated into a passphrase, the phrase may take the form I!=likegreeneggs&ham. The password is long and includes capitals and symbols, but the placement of the symbols are intuitive and fit well into the phrase, making it easier to recall. Additionally, the symbols can be removed or adjusted based on the threat level. Another complexity concern is password duplicity. NIST recommends all passwords be compared to a list of previously compromised passwords, a dictionary database (governed by the chosen length), and to a most used password list. The bottom line is that traditional, long, complex passwords are more likely to be written down; it is better to rely on passphrases in conjunction with password vetting, hashing, and rate limiting.
When passwords were initially implemented, they were simply stored as plain text words. Users input their logins and the computer checked for the exact match. Now, with the threat actors hacking into systems frequently, it is no longer safe to store passwords in their plain text formats. Consequently, many systems utilize hashing algorithms. In the most basic sense, password hashing could be described as a one-way street that is, passwords are entered but the process cannot be reversed to obtain the input. Even if the hash value is obtained, the original password is still secure.
When hashed, each character in a password or passphrase is linked with a string of values (binary numbers). Then, the system puts the binary numbers through a hashing algorithm. Finally, the security system stores the hash value versus the plain text format. When a password is input, the system hashes the password and then compares it to the previously stored hash value. In this way, if a password storage receptacle is breached, the plaintext formats are not compromised. However, if hackers use a hashing algorithm on common passwords and save the hash values, they can still compromise a system. For this reason, NISTs recommendation to avoid common passwords and put all proposed passwords through a used password database check remains an important step in password security implementation. Likewise, choosing a longer password means a longer hash value, making it extremely time consuming to launch a bruteforce attack.
NIST Password Management
Managing authentication practices requires a multi-step process. Although the order of assessment may vary, every entity must complete certain stages, including configuring passwords, determining expiration limits, formulating policies, and understanding threats. Configuration involves considering how to best thwart password guessing or cracking. For example, refraining from creating passwords with personal information, like a birth date, would reduce the likelihood of a successful guess attack.
In the age of social media, personal information is readily available, allowing threat actors to glean sufficient information and to not only guess passwords but also to answer security questions. Likewise, using cryptographic algorithms and hashing will hinder password cracking. Setting expiration limits (i.e., how often passwords must be reset) is a tricky problem. If passwords are changed too frequently, employees are more likely to choose simpler passwords or only slightly change passwords to make recalling them easier.
To find the best expiration limit, NIST recommends considering the available secure password storage methods, frequency of authentication, threats, and the effectiveness/ineffectiveness of current password expiration requirements. Formulated policies should encompass all of the above points and compile them into an understandable format.
It is vital for personnel to comprehend the best practices for authentication and to realize that deviations, even for convenience, can have severe repercussions. While it may be tempting to incorporate personal information into passwords or take shortcuts on the complexity of login protocols, it is always better to err on the side of caution than to only react after a system has been compromised.
In the event of a breach, it is also important to have a password reset system in place. From implementation to support, password management is a process that never ends and should constantly be re-evaluated for weaknesses.
How to Get Started
NISTs new password recommendations offer insight into security research over the last few years. They summarize the key points and help executives as well as employees better understand the current authentication threats and best practices. To learn more about MFA, identity management, or cybersecurity solutions, contact RSI Security for a free consultation.