topic Re: NIST new ruling on passwords in Industry News

NIST new ruling on passwords

Matthew — Sun, 08 Oct 2017 15:07:18 GMT

I wanted to see how members on here felt about NIST new draft of password policy suggestion.

What’s new ?

What are the major differences between current received wisdom about “secure passwords” and what NIST is now recommending?

Some of the recommendations you can probably guess; others may surprise you.

We’ll start with the things you should do.

Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

In other words, we need to stop asking users to do things that aren’t actually improving security.

Much research has gone into the efficacy of many of our so-called “best practices” and it turns out they don’t help enough to be worth the pain they cause.

Size matters. At least it does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters. (That’s not a maximum minimum – you can increase the minimum password length for more sensitive accounts.)

Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”

Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!

This is great advice, and considering that passwords must be hashed and salted when stored (which converts them to a fixed-length representation) there shouldn’t be unnecessary restrictions on length.

We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety.

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

More research needs to be done into how to choose and use your “banned list,” but Jim Fenton thinks that 100,000 entries is a good starting point.

The don’ts

Now for all the things you shouldn’t do.

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

No password hints. None. If I wanted people have a better chance at guessing my password, I’d write it on a note attached to my screen.

People set password hints like rhymes with assword when you allow hints. (Really! We have some astonishing examples from Adobe’s 2013 password breach.)

Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”

No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

There’s more…

NIST also provides some other very worthwhile advice.

All passwords must be hashed, salted and stretched, as we explain in our article How to store your users’ password safely.

You need a salt of 32 bits or more, a keyed HMAC hash using SHA-1, SHA-2 or SHA-3, and the “stretching” algorithm PBKDF2 with at least 10,000 iterations.

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

I think this is a great step. The 90 day rotation only made users change the base of their password append with a date or numerical number. Example, TH!S1sMYp2ssw0rd1, THIS1sMYp2ssw0rd2, etc. Once the base of the password was figured out or phished, gaining access is easier.

I still educate my users on passphrases and why they better as a password substitute but our policy (and compliance) rules make it hard to use a nice passphrase.

I have also educated my users on password management solutions. This allows for a long passphrase as the master password that bypasses local policy restrictions. Local solutions work well if you have an office that you will always log into at work. The database for this solution should be stored on a network share for data redundancy. Also, Cloud solutions are acceptable if you have a user who is on the move or never logs in from the same device. I would only caution that your Cloud solution encrypts the data and either you hold the decrypt key or have it part of your master password.

Thoughts?

Re: NIST new ruling on passwords

kesmit — Sun, 08 Oct 2017 15:30:58 GMT

I'm interested, too. I'm anxious to see when auditors/assessors/frameworks (PCI, SOC, HITRUST, etc.) adopt this guidance, because until then there's nothing an organization can do in the face of an audit looking to check a box.

Re: NIST new ruling on passwords

asebastian — Sun, 08 Oct 2017 15:53:51 GMT

I'll be curious how many people take this advice, especially the new thoughts around not having passwords expire routinely. We've already been hit by some of our saavy tech users asking when we were going to change our standards.

Anyone else been asked about this by their user base?

Re: NIST new ruling on passwords

JJP — Sun, 08 Oct 2017 16:04:48 GMT

While 8 is fine for non priviliged accounts for anything more interesting longer should be used.

Moving away from the frequent changes is good imo, make stronger, better selections and force changes when you have reason to not just every 30 days etc.

SHA1 though...

Re: NIST new ruling on passwords

Keith — Sun, 08 Oct 2017 16:10:01 GMT

I'm still a fan of physical item 2FA over username/password. In my experiance, people hold on to a physical item more successfully than a mental word picture. I look forward to this NIST update implemetation throughout the government, even if it takes ten years and a few more breaches to move them into action.

Re: NIST new ruling on passwords

n5rmj — Sun, 08 Oct 2017 16:28:45 GMT

I got rid of password aging seven years ago. I have been telling auditors I don't make passwords expire because doing so decreases security. It's good to see NIST coming out with advice that passwords should not be changed every 90 days and that longer is better. For Active Directory, I have a 16 character minimum. Training staff to use long passphrases in English without special characters that they can easily remember reduces service desk calls for password assistance.

Re: NIST new ruling on passwords

malte-wirz — Sun, 08 Oct 2017 18:04:34 GMT

I remember a conversation i had 2 years ago when I suggested the new password/passphrase paradigm. The first answer was: "We would have to admit we were wrong in the past" and it took some time to convince.

I'm glad those kind of discussions will be much easier soon 🙂

Re: NIST new ruling on passwords

Kelly — Sun, 08 Oct 2017 19:55:23 GMT

Most strongly, I agree with the disposal off password aging, and I'd like to see increased socializing/teaching of passphrasing concepts. Many people still don't understand what exactly we mean by passphrase. Also, two factor auth could/should be used more often especially where money/credit cards are involved.

Re: NIST new ruling on passwords

JamesMac — Sun, 08 Oct 2017 20:10:26 GMT

Hmmmm...lots to chew on.

8 character passwords - however complex they are, if you hash them with MD5 or SHA1 they are vulnerable to modest amounts of Amazon GPU.

I like the idea of non-changing passwords, but I'm having problems persuading the sysadmin at my company (who says he sees weak passwords) that this is actually a good way of stopping those weak passwords recurring.

There's also the small question of whether NIST's guidance is compatible (say) with ISO27001. I think it is - but any firmer evidence is welcome.

James

Re: NIST new ruling on passwords

DHerrmann — Sun, 08 Oct 2017 20:59:10 GMT

When I used to do security awareness sessions, I used to suggest (to make people think) that a password like "aaaaaaaaaaaaaaaaaaaaa" was more secure than "83$kKz". I'm not a mathematician, but I think it can be proved that a passphrase, even one with all alpha lower-case characters, is more secure than a short, so-called "complex" password.

Re: NIST new ruling on passwords

Metalrat — Sun, 08 Oct 2017 21:39:24 GMT

For those comfortable with the use of a password safe you can still go overboard on the mixing of characters and use as long as possibile a password as you can. (I still intend to)

The new reccomendations are improvements without any real drawbacks imo.. It helps those who just can't or won't use safes to come up with personalised and secure passwords a lot easier than the previous reccomendations did.

Re: NIST new ruling on passwords

Jen — Sun, 08 Oct 2017 21:46:26 GMT

With all these changes happening I see one thing staying the same...

Passwords written on sticky notes, attached to the bottom of a keyboard.

Although the NIST is making recommendations concerning password complexity and negating password expiration (etc.), they will never be able to change the most influencial factor to password security; human behavior.

I.T. security always has been and always will be under threat, a threat that can only be mitigated never resolved by people in our profession. I look forward to the challenge.

Re: NIST new ruling on passwords

RaymondFrangie — Sun, 08 Oct 2017 22:59:19 GMT

No matter how much we talk about changing passwords, or min/max lengths, or using passphrases instead of passwords, etc., without enabling multifactor authentication, passwords will always be weak.

We need to enforce MFA more than password security in my opinion...

Re: NIST new ruling on passwords

obenkuyucu — Mon, 09 Oct 2017 07:34:16 GMT

I am actually in favor of password (or passphrase) expiring. We have seen tons of breaches over the years and I do not think that would change in a near future. There are really bunch of teenagers who tries these leaked passwords. Many of them have the motive to decrypt or guess it from the password hint questions. If you do not change your password periodically, your leaked password in a 2013 breach can possibly still usable. Password expiry is something that is helpful for system admins to force users to have a better security awareness (not security, but awareness). If users feel that they are part of your security framework, it would be very beneficiary for both ends (as long as you are not storing confidential data unencrypted.)

PCI and other industry-accepted global standards always mention NIST as a baseline, so even if NIST is a national standard, it has a global perspective also. So, you can think that password expiry was something that is old-fashioned, or diminishes security overall, but you must also think of everyone else who does not have a security knowledge as you. This does not mean that you should stop thinking of any progress.

I strongly agree that if the period of changing passwords is too close, the passwords become SecurePass1, SecurePass2, and so on. It is definitely guessable. But there are some people mentioning "teaching". Maybe at your lessons, you could say this is wrong, and tell them clever passphrases are much better - long enough to be secure and easy to remember: LeavesFALLin09 (as in September), ThisGonnaBeACold10 (as October), RememberTheFifthof11! (November)...

It would be very nice to be user-friendly and have the verifier to be strong as possible, but as the previous replies mentioned, you must have a second factor (multi-factor or multi-step) to protect your identity. All passwords (or passphrases) can be bruteforced, it is just a matter of time.

Re: NIST new ruling on passwords

Richard_B — Mon, 09 Oct 2017 08:57:28 GMT

The new guidelines from NIST are a great step forward. Is there any guidance with regard to good passphrases and two factor authentication?

Re: NIST new ruling on passwords

PaulS — Mon, 09 Oct 2017 10:44:38 GMT

It's all a bit ironic that I've just been forced to change my ISC2 password to include all four character sets. If we're going to use our ISC2 credentials to show that we are at the cutting edge of Information Security, our industry body should be a little more forward-thinking.

Re: NIST new ruling on passwords

noel — Mon, 09 Oct 2017 14:14:41 GMT

If the method can ever be standardized, Gibson's SQRL looks promising as a means to solve the issue of longer passwords written under keyboards.

https://www.grc.com/sqrl/sqrl.htm

Re: NIST new ruling on passwords

knowcomputers — Mon, 09 Oct 2017 15:33:44 GMT

It's about time this was addressed. The one of this, two of that, no repeat and no characters next to each other leads to more time spent with the identity managers changing passwords and caused user outages at the worst times.

I read an article a couple of years ago so I can't confirm it, but I believe the guy that invented the basis for the current craziness says he wishes he had never written that article.

Random words placed in a way so you can make a passphrase in your head with them has much more entropy and true randomness than any of the previous password requirements.

Re: NIST new ruling on passwords

itmurph07 — Mon, 09 Oct 2017 15:43:41 GMT

From and OS or application perspective, these passwords would be a challenge and I expect a lot of time to account for these variations. Keeping to 16 Char has set many DB tables and I would expect these to have to be rebuilt. It is not just a OS fixing the hash sizes, it is a matter of fixing the applications/ middleware and then the OS to enforce. I think the concept is a great idea. The No password hint is even better.. just reset your pw.

Re: NIST new ruling on passwords

ElectricSmile — Mon, 09 Oct 2017 17:22:31 GMT

"When" this happens... I'll be doing the happy dance. I recently had to create a password that couldn't include any dictionary word combinations. This started with two characters, so even the inclusion of "oN" as part of the password resulted in an unacceptable password. Using a passphrase I can remember without the arbitrary need for special characters and numbers will definitely be a move in the right direction.