NIST Makes Sense On Password Protection

Do you hate being forced to change your passwords on a regular basis, even though there’s no need to do so? I do. If nothing else, it forces me to use passwords that are easier to remember–and thus easier to crack. And having to remember the last name of your second grade teacher when you graduated from second grade forty years ago seemed like a good idea at the time, but…

Fortunately, NIST, the keepers of official government Meat Homogenate, dollar testers, and official ampere measurers, is drafting new password protection guidelines (boldface mine):

Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

In other words, we need to stop asking users to do things that aren’t actually improving security….

Size matters. At least it does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters. (That’s not a maximum minimum – you can increase the minimum password length for more sensitive accounts.)

Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”

Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

Makes sense. But this is the part I loved:

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

No password hints. None. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen.

People set password hints like rhymes with assword when you allow hints….

Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”

No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

Not only are these more practical, but they represent a very small step backwards from our Security Ninny State.

Hopefully, NIST finalizes these draft proposals soon.
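The length, character-set and blocklist rules quoted above, written out as an added Python example (mine, not code from NIST or the quoted article). The blocklist contents are constructed, and the NFKC normalization step and the letters-only blocklist comparison are my choices; the function deliberately contains no composition rule.

```python
import unicodedata

MIN_LEN = 8    # NIST minimum length
MAX_LEN = 64   # accept at least 64 characters

# Constructed sample blocklist. A real deployment loads a large list of breached
# and common passwords (the "dictionary of known-bad choices").
KNOWN_BAD = {"changeme", "thisisapassword", "yankees", "password", "letmein"}


def check_password(candidate: str) -> tuple[bool, str]:
    """Apply the quoted rules and return (accepted, reason) so the UI can
    tell the user exactly why a choice was rejected (burden on the verifier).
    Deliberately absent: any composition rule (uppercase/digit/symbol quotas)."""
    # Normalize first so visually identical Unicode input compares equal.
    pw = unicodedata.normalize("NFKC", candidate)
    # Count code points, not bytes: emoji and non-Latin scripts are not penalized.
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short: {n} characters, minimum is {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} characters, maximum is {MAX_LEN}"
    # Reject only control characters (tab, newline, NUL). Spaces, all printable
    # ASCII and all other Unicode, emoji included, are accepted.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "control characters are not allowed"
    # Blocklist check: exact (case-folded) and with digits/symbols stripped, so
    # "password1234" or "ChangeMe!" do not slip past a list containing "password".
    folded = pw.casefold()
    letters_only = "".join(ch for ch in folded if ch.isalpha())
    if folded in KNOWN_BAD or letters_only in KNOWN_BAD:
        return False, "this password is on the known-bad list"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "\U0001F512" * 8,
                   "ChangeMe!", "password1234", "yankees", "a" * 65):
        print(repr(sample[:20]), "->", check_password(sample))
```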

This entry was posted in Internet.

10 Responses to NIST Makes Sense On Password Protection

  1. Art says:

    I’ve used computers for decades, but know precious little about computer security, but for some time I have wondered if limiting the number of guesses per unit of time for password verification might not be a decisive step. Start with a five second delay per guess, a delay that most humans would hardly notice, and double it on each failure. After ten tries the hacker is waiting over 42 minutes for each failure and it is getting to be a burden.

    Seems to me this would largely eliminate most brute-force attacks from any but the most determined hacker.

    I’ve asked some systems administrators, and at least one well regarded security expert, this and got no answer. Is there something I’m missing? Why wouldn’t this work? It would seem to be simple to set up.

    • Net Denizen says:

      I am a system administrator and I will tell you an increasingly delayed password prompt harms the user far more often than the attacker. The best bet for any system is to have a good complexity requirement. Increasing the time between guesses will only affect your users, and presumably they need to be able to do their work promptly.

      Although that probably *would* be a great excuse to give your boss for why you’re not working: “Sorry boss, I had too many failed password attempts. I have to wait three hours before I can try again!”

    • kaleberg says:

      Most systems do have some kind of retry delay. This helps, but not in all cases. Most passwords are stored as a hashed key, not in plaintext. Hackers can get those hashed keys by compromising a database or intercepting WiFi traffic. Given the hashed key, a hacker can run as many tests as needed to get the password. There are even services online where you give them a hashed key and they’ll tell you the password. Proper hashed key databases use an arbitrary number called the “salt” that makes the hashed key alone less useful, but this cannot be used in every case where security is needed. Also, if the database is compromised, odds are the salt is compromised as well.
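Art’s doubling delay written out as an added example (not code from anyone in the thread): a per-account back-off on the verifier, capped so a legitimate user is never stranded for hours (Net Denizen’s objection), and bypassed entirely by the offline attacks kaleberg describes, which never touch the login endpoint. The 15-minute cap and the injectable clock are assumptions of mine.

```python
import time
from dataclasses import dataclass

BASE_DELAY = 5.0  # seconds after the first failure, as Art proposes


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottler:
    """Exponential back-off per account on the verifier side. Only online
    guessing through the login endpoint is slowed; someone holding a stolen
    copy of the hash database never calls this code."""

    def __init__(self, max_delay: float = 15 * 60.0, clock=time.monotonic):
        # max_delay is an assumed cap: Art's uncapped doubling reaches over
        # 42 minutes per attempt after ten failures and would strand a real user.
        self._max_delay = max_delay
        self._clock = clock
        self._accounts: dict[str, _State] = {}

    def delay_for(self, failures: int) -> float:
        """5 s after the first failure, doubling on each further failure, capped."""
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), self._max_delay)

    def seconds_until_allowed(self, account: str) -> float:
        """0.0 when an attempt may be made now, otherwise the remaining wait."""
        st = self._accounts.get(account)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self._clock())

    def record_failure(self, account: str) -> float:
        """Register a failed attempt and return the wait it imposes."""
        st = self._accounts.setdefault(account, _State())
        st.failures += 1
        wait = self.delay_for(st.failures)
        st.locked_until = self._clock() + wait
        return wait

    def record_success(self, account: str) -> None:
        """A correct password clears the counter so the delay resets."""
        self._accounts.pop(account, None)
```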

  2. Jay C. Smith says:

    You beat me to it, with a better suggestion. I have wondered for years why there isn’t three and out on attempts and then a meaningful barrier to re-setting. Of course the baddies can get a password with unlimited tries, but three tries (or five if you want to cater to forgetful doofs like me) and they couldn’t even get password1234.

  3. Joe Shelby says:

    3-strikes-and-out is common in a lot of financial web sites.

    The KBA stuff is what I’m most impressed by. Seriously, how many people have all of that info publicly available with a quick facebook search? Home town, birth place, maiden name, mother’s maiden name (now that everybody’s mom is on FB too), pets, kids, how/where you met your spouse? It’s all there.

    • Steve says:

      The login delay defense is widely used, but it only helps against online password guessing. However, what you see in the news aren’t online attacks. If you hear about a breach of millions of passwords, that’s an offline attack.

      Offline attacks are when hackers get a copy of the stored password hashes (through SQL injection, poor access control, etc.). With the data on their own machines, they can attack it with tools like Hashcat at rates of billions of guesses per second.

      • Jay C. Smith says:

        Once again, I know next to nothing, but if that is how they get the passwords how can any password be complex enough? Or do I just need one completed than most so the baddies get everyone else’s first?

        • Jay C. Smith says:

          oops. “Complexer” (as in more complex) not “completed.”

        • Net Denizen says:

          Yes, pretty much you want your password to be more unguessable than someone else’s if you are concerned with your account being broken. This is where the old 8 character limit, expiration dates and unnecessary complexity make it easier for hackers to crack passwords. As usual, xkcd has the definitive short-hand version: https://xkcd.com/936/

  4. albanaeon says:

    The password system has been a bit of a FUBAR with them being designed to be hard for humans to remember but relatively easy for computers to hack.
