NIST Guidelines for Enhanced Password Security


Passwords are an enterprise's first line of defense against security breaches. A secure network environment requires its users to choose strong passwords, and password policies exist to help system administrators ensure that users set up complex ones. However, a recent global security report states that more than 77 percent of hacked passwords comply with Active Directory’s default password policy.

In the process of making passwords hard for attackers to crack, these policies have made them hard for users to remember. The password complexity problem has grown to the point that the National Institute of Standards and Technology (NIST), a federal agency, regularly releases guidelines on organizational password management requirements.

What is NIST and what do they do? 

The National Institute of Standards and Technology (NIST) is a non-regulatory agency funded by the United States Department of Commerce. It has been in operation since 1901 and aims to provide advanced measurement standards for industry. Over the years NIST has grown into an authoritative voice on standards and best practices for securing digital identities. Since NIST is a federal agency, its guidelines apply to all government organizations of the United States; it is mandatory for agencies like the FBI, USDA, and NSA to adhere to them.

Companies outside the federal realm are not required to follow NIST, but they can choose to adopt the practices it recommends. These standards are used as a baseline on top of which a company's own security policy is built. Since the guidelines are meticulously put together by researchers, companies have little trouble following them.

Recently, NIST released a publication containing new and updated password guidelines for 2019. NIST Special Publication 800-63-3 outlines the best practices for framing password policies in today’s ever-changing environment.

What you need to know about the new guidelines 

Traditional password security practices have always revolved around making sure that every password meets certain complexity requirements. The new guidelines instead focus on getting users to configure passwords that are intuitive and easier to remember. Many of the recommendations run directly against the conventional password requirements we have grown accustomed to. Here is a summary of the revised password requirements as suggested by NIST.

Password length and complexity 

NIST suggests that user-chosen passwords should be at least 8 characters long. The new guidelines add that system-generated passwords should contain at least 6 characters. The guidelines also state that passwords can be entirely numeric. The maximum length that systems must accept has been raised to at least 64 characters, which allows users to set passphrases instead of passwords. Passphrases are generally difficult to crack but easy to remember and recall.

No other password complexity requirements (mandatory numbers, special characters, upper-case and lower-case characters) are to be enforced. Though this might seem a little unorthodox, it makes configuring a password easier, which enables users to set genuinely strong passwords that they can recall with ease.

Support for ASCII and Unicode characters 

The new guidelines prescribe that passwords can contain all printable ASCII and Unicode characters. The space is a printable ASCII character too, so users can include spaces in their passphrases.
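The length and character rules from the two sections above, as an added worked example in Python; this is not NIST's code nor any vendor's policy engine. The thresholds are the figures the article quotes (8 characters user-chosen, 6 system-generated, accept at least 64), length is counted in Unicode code points, spaces are allowed, and no composition rule is applied. A constructed legacy-style checker is included only for contrast, to show why a passphrase such as "correct horse battery staple" fails the old rules and passes the new ones.

```python
import string

# Thresholds as quoted in the article (assumed to be the only length rules).
MIN_USER_CHOSEN = 8
MIN_SYSTEM_GENERATED = 6
MAX_ACCEPTED = 64


def password_length(secret: str) -> int:
    """Count Unicode code points, so an accented letter or an emoji counts
    as one character rather than as its several UTF-8 bytes."""
    return len(secret)


def check_password(secret: str, system_generated: bool = False) -> list:
    """Return the list of policy violations; an empty list means accepted.

    Only length and printability are checked. Deliberately absent: any
    requirement for digits, symbols or mixed case (dropped by the
    guidelines) and any ban on spaces (explicitly allowed).
    """
    problems = []
    minimum = MIN_SYSTEM_GENERATED if system_generated else MIN_USER_CHOSEN
    length = password_length(secret)
    if length < minimum:
        problems.append(f"too short: {length} < {minimum} characters")
    if length > MAX_ACCEPTED:
        problems.append(f"too long: {length} > {MAX_ACCEPTED} characters")
    # str.isprintable() accepts every printable ASCII and Unicode character,
    # including the ASCII space, and rejects control characters such as
    # tab, newline and NUL.
    if not secret.isprintable():
        problems.append("contains non-printable (control) characters")
    return problems


def legacy_check_password(secret: str) -> list:
    """A composition-rule policy of the kind the article says is being
    replaced (constructed for contrast; not any specific product's rules)."""
    problems = []
    if len(secret) < 8:
        problems.append("too short")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(c.isupper() for c in secret):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lower-case letter")
    if not any(c in string.punctuation for c in secret):
        problems.append("needs a special character")
    if " " in secret:
        problems.append("spaces not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("correct horse battery staple", False),  # passphrase with spaces
        ("73819204", False),                      # entirely numeric
        ("pässwörd🔐", False),                     # Unicode, 9 code points
        ("x7q2pd", True),                         # 6-char system-generated
        ("x7q2pd", False),                        # same string, user-chosen
        ("pass\tword", False),                    # contains a control character
        ("a" * 65, False),                        # beyond the 64-character limit
    ]
    for secret, generated in samples:
        print(repr(secret)[:40], "generated" if generated else "user-chosen",
              "| new rules:", check_password(secret, generated) or "ok",
              "| legacy rules:", legacy_check_password(secret) or "ok")
```

Running the script prints each sample against both checkers; the passphrase and the all-numeric string are accepted by the new rules, while the legacy checker rejects the passphrase on four counts.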

Periodic password resets 

It is common practice for administrators to make users reset their passwords every now and then. When users are forced to change their passwords regularly, they reuse their old passwords with minor variations, changing them in predictable patterns, and passwords that change in predictable patterns are easier to crack. Regular password resets therefore do more harm than good for security. The new guidelines propose that users shouldn’t be forced to change their passwords unless necessary.

Hint questions

Hint questions are a common way to recover an account when a user forgets their password: users can reset their password by answering a self-chosen question.

Most of the available questions are rudimentary, and with little effort anyone can find the answers. With most users’ personal data available on social networking sites, hackers can easily find answers to questions like “What is the name of your first pet?” or “Which city were you born in?” Social engineering attacks have come a long way, and hence NIST no longer recommends the use of such security questions.

Remove SMS-based OTP authentication in 2FA 

The new NIST guidelines do not advocate authentication through OTPs sent via SMS, because SMS channels can be compromised by mobile malware that lets attackers intercept messages sent to a phone. Besides this, SMS authentication requires always having the mobile device in one's possession. NIST recommends the use of third-party apps like Google Authenticator to generate codes instead of relying on SMS channels.

Permit cut and paste 

Most computers in an enterprise network do not allow users to paste passwords into password fields. This prevents users from letting password managers generate strong passwords for them. The new NIST guidelines advise network administrators to permit the paste function so that users can rely on password managers to fill in secure passwords whenever necessary.

Takeaways 

Although the new guidelines recommended by NIST might seem counterintuitive given our general wisdom on password security, they are an effort to make passwords more user-friendly. Passwords aren’t going away anytime soon, and the new NIST guidelines aim only to make authentication both more comfortable and more secure. Over time, the NIST guidelines have become influential in the private sector, and adopting the recommended practices will only put companies ahead in terms of security.
