Shane Chambers

NIST is the US National Institute of Standards and Technology, and back in 2003, a password primer was written by one of its managers that put forward recommendations, many of which became the rules we have now. Special characters, a mixture of upper and lower case letters, regular password changes – these have all been adopted into ‘best practice’ for password security since NIST made these recommendations. Now, however, these complexity guidelines and regular password changes have been repeatedly proven by experts to actually be less secure for companies, due to the work-arounds humans put in place to make remembering passwords easier. NIST thankfully have realised their mistake and have provided updated best practice standards for password security. Why the sudden change of heart, you may ask? Well, over a billion passwords a year are breached by cyber criminals, and the data obtained shows that when presented with a long list of password criteria, people tend to try something basic first and then just tweak it until it fits. For example, ‘password’ becomes ‘Password1’, which may be more mathematically secure, but can still be easily guessed.


Previously established guidelines are mostly being discarded, in favour of rules that simplify passwords for the user

No one looks forward to those mandatory password changes every few months, as it can be incredibly frustrating to constantly think of new passwords with the right mixture of capital letters, special characters and numbers. Many people try to simplify the process by using a variation of their previous password – ‘Password1’ becomes ‘Password2’, and so on. In fact, the entire basis for issuing new guidelines stems from one simple fact: people can’t remember all the passwords that they have been forced to create, ultimately causing them to create less secure passwords than if they didn’t have to adhere to the guidelines in the first place. So with all that in mind, here’s a breakdown of the new best practices and why they’re easier and more secure:

Longer Passwords are Better

“Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length” – NIST

One piece of advice we’ve seen steadily gain traction is to create passphrases instead of passwords. With each extra character added to a password, the number of permutations that a hacker would have to guess in order to brute-force their way in grows exponentially. Whilst not the only indicator of security, it’s always wise to create a password that cannot be easily cracked by machines. We checked out this site which estimates how long a password would last in such a scenario, and the results are very telling. ‘C0mpl3x!’ would be cracked in about 9 hours, whereas ‘thisisacomplexpassword’ would take an estimated 11 TRILLION years. Many systems and websites currently restrict the allowed length of a user’s password to 8-12 characters. The new NIST guidelines (as per the quote above) recommend that password parameters be modified to allow users to enter passwords at least 64 characters in length. This would allow people accessing systems to create passphrases as long as they like.

 

Special Characters Should Be Allowed but Not Required

“All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets” – NIST

This is a big change to the current rulebook. Whilst NIST recommends that providers allow all ASCII or Unicode characters, including spaces and even emojis, they recommend that no specific requirements be put on the user. This is because most people use similar patterns when forced to create passwords in this manner, such as a capital letter at the start and a number or special character at the end. Cyber criminals take advantage of this pattern by running their attacks through dictionaries, including common substitutes such as $ for S, 0 for O, and so on. Passwords created under these strict rules not only often end up still being weak passwords, but also tend to be re-used across multiple platforms, meaning that if hackers get one password, they have access to everything.

 

No More Password Hints

“Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant.” – NIST

Thankfully, not many sites allow password hints any more, but these are definitely out now. Adobe was one such provider that used hints, and a 2013 breach revealed a startling list. A few of the more startling ones were:

  • my name
  • numbers 123456
  • sixones
  • q w e r t y
  • email
  • dog + number
  • the password is password

These were all stored in plain text too, so when the hackers got their hands on this list, a large portion of passwords were easily guessed without resorting to brute-force or any other advanced hacking techniques.

 

Make Use of Password Managers

“You should also provide appropriate facilities to store recorded passwords, with protection appropriate to the sensitivity of the information being secured. Storage could be physical (for example secure cabinets) or technical (such as password management software), or a combination of both.” – NIST

Password Managers such as LastPass or Dashlane have been around for a while now, and while more people are starting to make use of them, some companies advise against them or even prevent the ‘paste’ function in password fields to deter use of them. The fact of the matter is, passwords must be strong and must not be reused, which means the vast majority of people are simply going to be unable to remember them all without a password manager. Yes, password managers aren’t perfect, but using one is definitely better than the alternative at the moment. Furthermore, when these companies prevent users from being able to paste their secure passwords into their fields, it causes many users to weaken their passwords to easily-typed (and easily-hacked) versions.

 

Don’t Force Regular Password Changes

“Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.” – NIST

As noted above, regular password changes tend to do more harm than good, as users often find it easier to create a new variation of their password than a new one entirely, especially if they have to do this for multiple credentials. Even Microsoft, which reportedly sees 10 million attacks a day, has spoken out against such policies, stating that “password change offers no containment benefits as cyber criminals almost always use credentials as soon as they compromise them”. Now, we don’t advocate any companies or organisations suddenly doing away with their password policies without any replacements, as it is crucial they still monitor user logins to detect any unusual use and notify users with details of said unusual login attempts.

 

Block Previously Breached Passwords

“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses.” – NIST

We now know that cyber criminals have gotten their hands on billions of user credentials at this point, but is it safe to use a breached password that was associated with another user, but never your own account? Most certainly not, unfortunately, as hackers have built up databases containing the most commonly used passwords and routinely try these against user logins. However, these databases are also accessible for developers, who can then prevent users from signing up with known bad/breached passwords such as ‘thisisapassword’, ‘changeme’ and so on. In fact, it is also advised that users don’t use context-specific passwords, such as including the name of the website or username in their password.
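A verifier-side check that applies the rules described in the sections above (length up to 64, no composition rules, a blocklist and a context check), added here as an illustration and not taken from NIST or from the original article. The function names, the substitution table and the small blocklist are assumptions constructed for the example, and the 8-character minimum comes from NIST SP 800-63B rather than from this page.

```python
import unicodedata

# Constructed sample blocklist using passwords named in this article;
# a real verifier would load a large breach corpus instead.
BLOCKLIST = {"123456", "password", "12345", "12345678", "football",
             "thisisapassword", "changeme", "qwerty"}

# Substitutions the article mentions ($ for S, 0 for O) plus a few assumed ones.
LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "3": "e", "1": "l", "!": "i"})

MIN_LENGTH = 8   # assumption: NIST SP 800-63B minimum, not quoted on this page
MAX_LENGTH = 64  # lowest cap the guideline permits; a higher cap is fine


def candidates(password):
    """Return the normalised forms of a password to test against the blocklist."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    no_space = folded.replace(" ", "")
    forms = {folded, no_space}
    # Undo the 'tweak it until it fits' pattern: trailing digits and symbols.
    forms.add(no_space.rstrip("0123456789!?.*#"))
    # Undo common character substitutions on every form collected so far.
    forms |= {form.translate(LEET) for form in forms}
    return forms


def check_password(password, username="", site=""):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")
    forms = candidates(password)
    if forms & BLOCKLIST:
        reasons.append("commonly used or breached")
    # Context-specific words: the username or the name of the site.
    context = [w.casefold() for w in (username, site) if len(w) >= 3]
    if any(w in form for w in context for form in forms):
        reasons.append("contains context-specific word")
    # Deliberately no composition rules: any character mix is acceptable.
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd!", "q w e r t y", "thisisacomplexpassword"):
        print(repr(pw), check_password(pw) or "accepted")
```

‘Password1’ and ‘P@ssw0rd!’ would both satisfy a traditional complexity policy, yet both reduce to a blocklisted word here, while the all-lowercase passphrase is accepted.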


Last year, the most commonly used passwords were 123456, password, 12345, 12345678 and football 

So to summarise, the rulebook has definitely changed now that we’ve seen the effect that many password guidelines have had in practice. We highly recommend the use of password managers, and even 2-factor authentication where possible, as well as using longer passphrases instead of those shorter, more ‘complex’ ones. We would also recommend checking out haveibeenpwned.com, which allows users to check their email addresses against a list of known breaches in case any of their passwords have been compromised. With the GDPR coming up and substantially larger fines upon failure to safeguard data, now is the time for businesses to make sure their IT policies and procedures are GDPR-aligned and their staff are trained in cyber awareness.