NIST – Passwords, Old And Busted; Memorized Secrets, New Hotness
The National Institute of Standards and Technology (NIST) released a new draft of its Digital Identity Guidelines. The Authentication and Lifecycle Management document, special publication 800-63-3, is one of the documents in that suite, evolving the standards to keep pace with a growing digital landscape. This publication stands out because NIST is taking on changing passwords for good. NIST no longer refers to the knowledge-based authenticator as a password; it has ushered in a new term that better represents what it recommends passwords should become: memorized secrets.
The publication will have a wide effect across businesses, software and users if adoption becomes widespread, which it should. The biggest change is to reduce or remove the old practice of forcing password changes on a fixed schedule.
Most companies have a password policy something like this:
- A single string or word
- More than 6 characters
- A mix of letters, numbers or special characters
- Forced to be changed every 60 or 90 days
As a security expert I have always voiced opposition to forced password changes. When you look at the practice you can see it actually makes passwords weaker, not stronger. The majority of users in a company do not have extensive IT backgrounds. It is human nature, almost subconscious, to choose phrases that are easiest to remember at the minimum allowed length. When you introduce forced changes, that retention is disrupted and the minimal approach is amplified. This increases poor password construction, password reuse (even with history tracking) and poor password management, as people become more inclined to write passwords down; it also causes productivity issues as forgotten passwords increase, which in turn raises help desk costs.
Instead, reduce the forced changes and make it easier for users to choose passphrases. Humans can remember structured phrases far better than S!ngM3in.
NIST is finally looking to change this through memorized secrets.
Here are some highlights.
When users create and change memorized secrets:
- Clearly communicate information on how to create and change memorized secrets.
- Clearly communicate memorized secret requirements.
- Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
- Provide clear, meaningful and actionable feedback when chosen passwords are rejected (e.g., when it appears on a “black list” of unacceptable passwords or has been used previously). Advise users that they need to select a different secret because their previous choice was commonly used.
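To make the contrast concrete, here is an added example (not from the post or from NIST) that puts the legacy policy listed above beside a NIST-style memorized secret check: no composition rules, a blocklist compared case-insensitively after Unicode normalization, a hashed history for reuse, and actionable feedback on rejection. The blocklist, the 8-character minimum and the salt are constructed assumptions for the demo.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample blocklist. A real one is a large set of breached,
# dictionary and context-specific values (the "black list" in the NIST text).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}
MIN_LENGTH = 8  # assumed minimum; the post gives none for the new policy


def normalize(secret):
    """NFKC-normalize so visually identical Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def history_hash(secret, salt):
    """Salted slow hash for the reuse history; the secret itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, 100_000)


def old_policy(candidate):
    """The legacy policy from the post: one word, >6 chars, mixed character types."""
    if " " in candidate:
        return False, "Password must be a single word with no spaces."
    if len(candidate) <= 6:
        return False, "Password must be longer than 6 characters."
    classes = [any(c.isalpha() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    if sum(classes) < 2:
        return False, "Password must mix letters, numbers or special characters."
    return True, "Accepted."


def memorized_secret_policy(candidate, salt, previous_hashes, blocklist=BLOCKLIST):
    """NIST-style check: a length floor, blocklist and history, no composition rules."""
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, f"Use at least {MIN_LENGTH} characters; any characters, including spaces, are fine."
    # Case-insensitive blocklist match, so "P@ssw0rd" is caught by "p@ssw0rd".
    if secret.casefold() in blocklist:
        return False, "That choice is commonly used; please select a different secret."
    digest = history_hash(secret, salt)
    if any(hmac.compare_digest(digest, h) for h in previous_hashes):
        return False, "You have used this secret before; please select a new one."
    return True, "Accepted."
```

Under the legacy rules "P@ssw0rd" passes and "correct horse battery staple" fails; under the memorized secret rules the outcome is reversed.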
One important thing to note about this publication: just because NIST is recommending the removal of forced password changes does not mean you can or should simply turn that control off. Compensating factors need to be implemented to offset it. A memorized secret is a far stronger approach than a single word, but security comes from balancing the whole process, not from relaxing one step without improving the others.
If and when this publication becomes final it will have a sweeping impact, from operating system features and company IT operations to security assessments and audits. Change is tough, but this one will make things more secure if implemented properly and uniformly.
End of line.