Passwords… it’s no secret; most of us are really bad at creating and maintaining passwords. In fact, 81% of hacking-related breaches leveraged either stolen or weak passwords. But unfortunately, passwords won’t go away any time soon. Almost every resource, application, web site, and the like requires some form of username and password. Because of this, it’s no surprise that almost all of us struggle to follow the password standards recommended by many security experts.
At the same time, attackers and their tools are becoming more and more sophisticated, enabling them to more easily steal, decrypt and/or brute force passwords, which allows them to fraudulently utilize accounts, steal data, and wreak havoc.
While this might sound hopeless, it’s not all that bad. What is bad is the confusing and conflicting information published on the Internet regarding passwords, much of which is taken out of the context of a specific environment or scenario. This leaves most of us wondering, “What really is the best way to create, maintain and manage our passwords?”
Traditional standards for passwords have historically had the following requirements across most industries and platforms:
- Must be no less than 8 alpha/numeric characters
- Must contain at least one special character (!@#$%^&*)
- Must contain at least one number
- Must contain at least one upper case letter
- Must contain at least one lower case letter
In addition to these initial requirements, it’s typical for passwords to be changed every ninety (90) days, and new passwords cannot repeat any of the last several passwords; meaning, you must create a completely unique password every time it’s changed.
This has created challenges for many, given the ever more technology-dependent world that we live in, where almost everything we use requires a password. This leads to the creation of passwords that are easily guessable, not only by other humans, but by computers; specifically, the computers used by an attacker.
This trend of easily guessable passwords has finally caught up to us and is one of the primary reasons for the National Institute of Standards and Technology (NIST) to try and rethink the way we create and utilize passwords.
In June of 2017, NIST released Special Publication 800-63 Revision 3, Digital Identity Guidelines, which turned the industry on its head; at least for some. While these, and most other NIST guidelines, are not specifically intended for use outside of federal agencies, many groups look to NIST guidelines and standards as a measure for “best practices;” even though they have been developed with a specific environment in mind – in this case, IT systems used by the federal government.
If you search the Internet for these new guidelines, or someone mentions them in passing, you’ll most likely hear that password standards have eased up tremendously. Specifically, you may hear:
- No more password expirations
- No more composition/complexity rules
- No password hints
- No more security questions
The list goes on. There are numerous articles in recent months that claim several different variations about what NIST has published in its new standard. At best, those that are true to some degree have been taken out of the context of the NIST 800-63 publication.
First and foremost, any password creation “standards” referenced in this publication are part of a much larger “Digital Identity Model” developed by NIST. This model requires that each application or resource undergo a comprehensive risk assessment (defined within the NIST Risk Management Framework) to determine the associated risks. These risks aid in determining a multitude of factors required for identity proofing and authentication requirements. Based on these factors, applications and resources are then assigned an Authenticator Assurance Level (AAL), which determines the breadth and depth of requirements for identity proofing and authentication.
Herein lie the requirements which have been subsequently pulled out of context. While some password (referred to as “memorized secrets” by NIST) guidelines have been eased up, the context in which password-only accounts are used has dramatically changed. These requirements are intended for any application or resource with a very low security risk. Think of something like your Netflix account. Would we be aggravated if someone hacked into it? Yes. But does it really gain them anything besides free television? No. These types of accounts are referred to as using AAL1 requirements.
Everything else uses either AAL2 or AAL3 requirements, depending on the criticality of identity proofing and authentication and the sensitivity of the information contained within the application or resource. Put simply, the more sensitive or confidential the system, the more rigorous the associated security must be. The surprise of AAL2/AAL3 is that they both require multi-factor authentication. AAL2 requires at least two factors, while AAL3 requires three factors.
So, what does this all mean? It means that almost every application in use within institutions today falls outside the AAL1 requirements; meaning that these “newer” and easier password standards do not apply. What it does mean is that almost every application that contains any amount of proprietary, confidential or personal information should use multi-factor authentication (MFA). This is the primary justification behind the “easier” password standards. If your initial password becomes compromised, it’s much more difficult to compromise any account with a second out-of-band factor, such as a token or one-time password.
Now that you have a more contextual understanding of the NIST password guidelines, you may be wondering, what should you be doing?
First and foremost, unless you plan on implementing MFA for the applications or resources in question immediately, we do not recommend making any dramatic changes… yet.
Traditional password standards still apply. However, it is acceptable and has been recommended by 10-D Security to expand on those standards; some of which are now part of the new NIST guidelines. If no MFA is being used, password policies within your organization should still require:
- Passwords to be changed every ninety (90) days;
- Contain numbers, uppercase, and lowercase characters;
- Contain at least one (1) special character such as !@#$%^&*(), and;
- Contain a minimum of ten (10) characters;
- 10-D recommends the use of pass phrases, complete with spaces and punctuation. Most modern applications, such as Active Directory, allow the use of passphrases. When they are not allowed, utilize traditional methods;
- Example (minus quotes): “I’d like to own 14 exotic cars!”
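The policy in the list above, written out as an added example checker for password-only accounts (this is not code from 10-D Security or from NIST). The PBKDF2 storage format, its iteration count and a history depth of five for "the last several passwords" are assumptions; the article's example passphrase passes every rule.

```python
"""Password policy for password-only (non-MFA) accounts, as the article recommends.

Added example, not code from 10-D Security or NIST. Rules encoded: at least 10
characters, upper and lower case, a digit, a special character, rotation every
90 days, no reuse of recent passwords; passphrases with spaces are accepted.
PBKDF2 storage, its iteration count and a history depth of 5 are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 10
SPECIALS = set(string.punctuation)   # the article's "!@#$%^&*()" are a subset
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5                    # assumption for "the last several" passwords


def composition_problems(pw: str) -> list[str]:
    """Return the composition rules the candidate fails (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def reuses_recent(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if pw equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def is_expired(last_changed: date, today: date) -> bool:
    """Rotation check: a password older than MAX_AGE must be changed."""
    return today - last_changed > MAX_AGE
```

A password-change handler would reject on any non-empty result from composition_problems or a True from reuses_recent, and a login path would force a change when is_expired is True.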
With this in mind, and as the NIST standard reflects, the gradual migration to MFA for virtually all authentication mechanisms for applications or resources which contain sensitive information is the next step within the industry. If your organization hasn’t been thinking about this already, now is the time to begin planning and budgeting for this shift.
Authored By: Ryan Strayer