For years, security experts have recommended complexity as a measure of strength. Your password should be a double-digit number of characters long. Your password should contain symbols, numbers, and letters. Your password should utilize upper and lowercase letters. Shuffle in some randomness, change it periodically, and finally your password passes the minimal requirements of what is considered “secure.”
But now your password is difficult to type and even harder to remember. Which would be fine if you had only one account to protect, but like most internet users, you have upwards of 20, maybe even 50.
By the time you’ve applied this same process to every account, you end up with an impossible chore and a suboptimal scenario that will likely lead to one or more of these three results:
- You have to reset your passwords often because you can’t remember them.
- After resetting your passwords enough, you give up on complexity and start repeating passwords across multiple accounts.
- You still have trouble remembering, so you write them down or store them in browsers, both of which violate the fundamentals of security.
Frustration among end-users creates a barrier that undermines security efforts—a lose-lose situation for all organizations (and individuals). But thankfully, NIST released a new publication with updated guidelines for password construction. Here are the highlights:
Ditch the complexity and use passphrases instead.
Passphrases check two important boxes for individuals: easy to remember; hard to guess. But adding complexity to those passphrases not only fails to make them more secure, it also dilutes the “hard to guess” portion of the equation. The below comic from XKCD perfectly illustrates this:
Basically, InAGaddaDaVida is greater than !n@G0ddaD@Vid@.
Screen new passwords against those that are commonly used or already compromised.
From section 5.1.1.2 of the new NIST publication:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
Password screening seems so obvious that it makes one wonder why it hasn’t been commonplace at every organization for years. The process utilizes a simple function that analyzes a new password, ensures it meets the organization’s password policies, and then compares that password to a database of commonly used or known compromised passwords.
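A screening function of the kind described above might look like the following. This is an added example, not code from NIST or from this article; the blocklist entries, the substitution table, the length and run thresholds, and the sample username and service name are all assumptions made for illustration.

```python
import unicodedata

# Constructed sample list; a real deployment loads a breach corpus and dictionary.
BLOCKLIST = {"password", "letmein", "qwerty123", "sunshine", "iloveyou"}
# Common character substitutions, undone before comparison (assumed mapping).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 8   # assumed organizational policy value
MAX_RUN = 4      # assumed: reject runs of 4+ repeated/sequential characters


def normalize(text):
    """Fold case and Unicode form, then undo common substitutions."""
    return unicodedata.normalize("NFKC", text).casefold().translate(LEET)


def has_run(text, limit=MAX_RUN):
    """True if `limit` or more characters in a row repeat, ascend or descend."""
    for step in (0, 1, -1):
        run = 1
        for prev, cur in zip(text, text[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= limit:
                return True
    return False


def screen_password(candidate, username, service, blocklist=BLOCKLIST):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    folded = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if candidate.casefold() in blocklist or folded in blocklist:
        reasons.append("commonly used or compromised")
    if has_run(candidate.casefold()):
        reasons.append("repetitive or sequential characters")
    for word in (username, service):
        if word and normalize(word) in folded:
            reasons.append("contains context-specific word")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("aaaaaa", "1234abcd", "P@$$w0rd", "InAGaddaDaVida"):
        print(pw, screen_password(pw, "alice", "ExampleBank"))
```

Undoing substitutions before the list lookup is what catches derivatives such as “P@$$w0rd”, while the run check works on the unmodified characters so that digit sequences like “1234” are still seen as sequences.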
End arbitrary password replacement.
Experts have long recommended that individuals change their passwords often. But NIST suggests this process does more harm than good, because it creates frustration among users and offers very little, if any, additional security. The publication specifically says:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
In other words, organizations should only force changes if there has been a security incident that might compromise passwords. Individuals should also apply this concept to their personal accounts.
Get a password manager.
Password managers create, store, and sync passwords across multiple accounts and are accessible on multiple devices. They can also auto-fill login credentials with a single click, or users can simply copy-and-paste from the app. But since these tools were primarily developed with individuals in mind and not organizations, finding one with robust administrative features that meets organizational policies might be difficult. However, in recognition of that gap, several prominent password managers are updating their software with capabilities that satisfy the needs of organizations big and small.
From a personal standpoint, password managers provide a must-own security tool that will make your digital life easier and safer. For more information on how managers work and why you should get one, read this article.
Lastly, a note on biometrics.
Many device manufacturers now include a variety of authentication methods that utilize biometrics, such as facial recognition, fingerprint readers, and retina scanners. These tools may seem like optimal replacements for traditional passwords, but in reality, biometrics favor convenience over security. Keep in mind that anything stored in a database, like your fingerprints, can be stolen. And unlike passwords, your fingerprints can’t be changed.
NIST warns against using biometrics for anything more than multi-factor authentication. They explain their reasoning in section 5.2.3:
- The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks.
- Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
- Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
- Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns).
Generally speaking, organizations should limit the use of biometrics. Individuals should also consider the ramifications of implementing biometrics on their personal devices.
The final word.
Even with technological advancements yielding alternative methods for authentication, passwords are still in charge. Hopefully, someday soon the chore of unlocking accounts, both personal and professional, will no longer require the current level of care. But until that time, NIST’s most recent guidelines offer the best solutions.