The National Institute of Standards and Technology (NIST) recently released the official NIST Special Publication 800-63-3 guidelines for 2019. While there haven’t been extreme changes from the original NIST 800-63 password guidelines published in 2017, the differences are striking as they reflect a distinct shift in thinking. If you are seeking to improve password security and compliance at your company, understanding the what and the why of the changes in NIST recommendations can help.
Your Employees Are Your Weakest Link
No matter how strong your security systems are, if human error can be introduced into the equation, your best efforts at security can be compromised. Cybersecurity awareness should involve every employee at your company, no matter what their level of clearance is, and should be part of your company’s onboarding and training process.
Password Security is the Main Culprit
Password security is one of the areas that employees have most input into, and also where they introduce the most dangerous links in your security. Humans are creatures of habit, and it might surprise you how many employees are using identical or similar passwords to access both their social networks and work files. Social engineering testing can help highlight vulnerabilities in your systems caused by weaknesses in password selection thanks to human nature.
Less Complex Passwords
The biggest change in the NIST 800-63-3 password guidelines was the removal of the requirement for passwords to be extremely complex – in other words, the days when you will be forced to choose a password that includes multiple requirements may be coming to an end.
Instead of stringent inclusion requirements (such as one upper-case letter, one lower-case letter, one numeral, and one special character, and frequent expiration), NIST recommends passwords that are easy to remember, can allow longer keyphrases to be used, and have no preset expiration date.
Why Complex Passwords Fail
Complex passwords based on the parameters outlined above really aren’t overly complex. Humans find it difficult to remember randomized strings of characters and writing passwords down or using device-memorized passwords defeats the purpose.
At least some of your employees are probably using some combination of their name, street, year of birth, current year, and other common easily remembered facts in combination with numeral “1” and the special character “!”.
In fact, unless your system automatically rejects such a password, the average employee’s go-to may be “Password1!” When they are forced to change their password due to enforced expiration, it may change to “Password2!”
Fixing Passwords NIST Style
With NIST’s removal of the complexity and expiration requirements, employees are being encouraged to use memorable phrases instead, trading length and obscurity for layers of password rules. In general, encourage your employees to use password phrases that are long, unique, and easy to remember. They will not have to change their passwords frequently.
The earlier idea was to have a passphrase such as “NIST passphrases make long passwords easy!” and create a password such as “Nppmlp3!”. With the latest guidelines, the idea is to use the full passphrase as your password.
The New NIST Guidelines
The latest NIST guidelines for passwords, which are called memorized secrets, can be summarized as:
- Character minimums: 8 when set by a human, 6 when assigned by a system or service
- Character maximums: 64 characters should be allowed
- Character types: all ASCII characters (spaces included) should be supported
- Password truncation: shortening should never be implemented during processing
- Password checking: passwords should be checked against known password dictionaries
- Password attempts: at least 10 attempts should be allowed before lockout
- Password complexity and expiration: not recommended
- Password hints and knowledge based authentication (e.g. favorite food): not recommended
- Password apps (such as receiving an SMS): not recommended (one time passwords from an authorized app such as Google Authenticator may be used)
While only federal agencies are required to comply with NIST 800-63-3, it is wise to seriously consider NIST’s recommendations and cross-reference them with your current compliance requirements to identify any NIST CSF gaps. This can help reduce your security risk and improve employee compliance with NIST password standards.