NIST and password compliance

The new guidelines from the National Institute of Standards and Technology (NIST) are changing how companies and organizations view password security. In short, the guidelines say: do allow longer passwords and let users choose original secret questions; don't allow users to choose a password that appears on a compromised list, and don't force password expiration without cause. These changes aim to increase password security while improving the end-user experience.

In the comprehensive Digital Identity Guidelines, from NIST, password security is addressed within the chapter titled Memorized Secret Verifiers. A memorized secret verifier is any system that needs to check the validity of a password or PIN. In most organizations, that means Active Directory and supporting business systems.

Length

When it comes to password length, NIST requires that passwords be at least 8 characters long and recommends allowing passwords of up to 64 characters. Longer passwords offer better protection against the various password-guessing attacks.

Specops recommendation: 

Allowing users to choose passphrases helps create longer passwords that are still easy for end users to create and use.

Dictionary lists

NIST requires federal organizations to check passwords against a list of commonly used or compromised passwords. Potential lists include passwords obtained from a previous breach, dictionary words, repetitive characters and context-specific words such as usernames. Blocking dictionary lists can help keep out the most vulnerable passwords – whether these are on a leaked password list or a list of weak passwords.

Specops recommendation: 

The easiest way to check a user's password against a dictionary list is to do it during the password reset/creation process. Since users set new passwords continually, dictionary lists need to be reviewed regularly and updated to include recently leaked plaintext and password-hash lists.

Composition requirements

NIST discourages composition requirements, such as requiring a mixture of character types, when setting passwords. While they are not prohibited, the NIST recommendation is to avoid password complexity rules and instead check users' passwords against known dictionary lists.

Specops recommendation:

Finally, the tide is turning away from short, complex passwords toward longer passphrases, which offer better protection from attacks and a better user experience. However, some other standards bodies, such as PCI, still require complexity rules.

Password Expiration

NIST discourages regular password expiration (memorized secrets changing arbitrarily) but requires forcing a password change if there is evidence that the authenticator has been compromised. This is because regular password expirations and changes create poor password habits where users tend to fall into the same patterns for creating a new password.

Specops recommendation: 

Blocking dictionary lists is great when a user is setting a password for the first time, but what happens if that same password turns up on a leaked list one month later? We recommend continuing to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs and a list is added.
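NIST's requirement to force a change when there is evidence of compromise, combined with the recommendation above to re-check passwords whenever a major new leak list is loaded, can be implemented as a batch job over the verifier's own stored hashes: each newly leaked password is hashed with every user's salt and compared, and only the matching accounts are flagged for a forced change. This is an added example written for this article, not Specops or NIST code; the salted PBKDF2 storage format, the iteration count, the user records and the leak list are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2 work factor used by this hypothetical verifier


def hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical verifier storage: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "must_change": False}


# Constructed user database; the passwords exist only to build the demo.
USERS = [
    make_user("alice", "correct horse battery staple"),
    make_user("bob", "Summer2017!"),
    make_user("carol", "letmein"),
]

# Constructed "newly published" leak list being added to the dictionary.
NEW_LEAK = ["123456", "Summer2017!", "letmein", "qwerty"]


def find_compromised(users, leaked_passwords) -> list:
    """Return the usernames whose current password appears on the leak list.

    Every leaked password is hashed under each user's own salt, so the cost is
    len(users) * len(leaked_passwords) PBKDF2 computations. That is acceptable
    as a one-off batch job when a new list is loaded, which is exactly why the
    cheap check belongs at password-creation time and this is the fallback.
    """
    hits = []
    for user in users:
        for candidate in leaked_passwords:
            computed = hash_password(candidate, user["salt"])
            if hmac.compare_digest(computed, user["hash"]):
                hits.append(user["username"])
                break
    return hits


def expire_compromised(users, leaked_passwords) -> list:
    """Flag the affected accounts for a forced change at next logon (evidence of compromise)."""
    hits = set(find_compromised(users, leaked_passwords))
    for user in users:
        if user["username"] in hits:
            user["must_change"] = True
    return sorted(hits)


if __name__ == "__main__":
    print("forcing a change for:", expire_compromised(USERS, NEW_LEAK))
```

Only `bob` and `carol` are forced to change here; `alice`, whose passphrase is not on the new list, is left alone, which avoids the arbitrary, schedule-driven expiration that NIST discourages while still honouring the requirement to act on evidence of compromise.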

Secret questions

NIST prohibits the use of predefined secret questions (security or challenge questions) when verifying a user for password creation and reset. Your mother’s maiden name, your first pet and the name of your high school are all susceptible to social engineering.

Specops recommendation: 

Secret questions can easily be social-engineered, and many users forget the answers to less common questions. We believe in more secure ways to identify users, such as authenticating them with the popular authentication apps from Google and Microsoft, or with fingerprint scanning on a mobile phone.

NIST updated its Digital Identity Guidelines in June 2017 to follow the latest best practices in identity proofing and authentication of users interacting with government IT systems, but many non-federal organizations also choose to follow the guidelines.

For more information, download our NIST and compliance whitepaper.

NIST terminology

Claimant – the party being authenticated

Verifier – the party verifying the claimant

Memorized secret – a password or PIN; something you know

Knowledge-based verification – secret or security questions

© 2017 Specops Software. All rights reserved.