Updated: Jun 29, 2020
Password security is a hot topic for system administrators and tech support teams, and for many years leading cybersecurity experts told businesses to increase password complexity and force users to update passwords periodically. According to NIST Special Publication 800-63B, it’s time to take password management in a different direction.
Analysis of breached password databases revealed that the benefits of password complexity rules are not nearly as significant as their cost to usability: passwords become harder to memorize and harder to use. We are all familiar with the frustration that follows unsuccessful attempts to create a password that meets a minimum length requirement and contains at least one upper case letter, one lower case letter, one number, and one special character.
We humans have a limited ability to memorize complex passwords, and often resort to insecure practices, such as writing our passwords on a post-it note, storing them in cleartext somewhere on the machine, or choosing passwords that can be easily guessed. For this reason, the NIST framework presents a novel approach to password management, which we have summarized and broken down into 8 key points:
Use passphrases instead of passwords
Length is considered the main factor in defining password strength. Passwords that are too short tend to be more vulnerable to brute force attacks, whereas lengthy passwords require immense computing power, time, and effort for a brute force attack to succeed. Memorizing a passphrase is significantly easier than a long combination of nonsensical symbols, which eliminates the need to store passwords anywhere other than the user’s own memory. NIST advises allowing at least 64 characters in length to support the use of passphrases and encouraging users to make memorized secrets as lengthy as they want using any characters they like (including spaces), thus aiding the memorization process.
Do not enforce password complexity
As mentioned above, password complexity adds little to a password’s resilience against brute force attacks, but it does add to users’ frustration and inconvenience. Forced to use overly complex passwords, users tend to circumvent the imposed security measures by storing their password insecurely or by reusing passwords from social media and other accounts. Special character restrictions (in some cases, characters such as spaces or quotation marks are disallowed in an effort to avoid injection attacks) shouldn't be enforced either: a properly hashed password is never sent to the database intact, so the restriction serves no purpose.
Do not reset passwords periodically
NIST no longer recommends that organizations enforce periodic password changes on their users. While this seems to be a controversial recommendation, in the long run it makes sense. The practice of changing passwords regularly has proven to be ineffective, as users often make minimal changes to their previous passwords in order to minimize the effort of memorizing the change. For example, if the user’s password of choice was “SillyP@ssword1”, when asked to change the password every 90 days the user would likely change it to “SillyP@ssword2”, then “SillyP@ssword3”, and so on, which defeats the whole purpose of the practice.
Create a password blacklist
While enforcing password complexity through a mix of special characters is no longer advised, it is important not to relax complexity measures completely. Users should not use passwords that are too simple, and especially not any in the top 100 most common passwords. We are all familiar with passwords such as “12345”, “Password1!”, “TrustNo1”, and so on. This is why an organization must introduce a password blacklist containing passwords that no user is allowed to use. These include not only the most commonly used passwords, but also passwords from previous breaches, and words or combinations that are closely tied to the company itself, such as the company name or the name of the product it sells, as those can be easily guessed.
Provide meaningful and actionable feedback for password rejects
Considering that the requirement for password complexity is lifted, there are very few scenarios in which a user’s password would be rejected. Generic messages such as “your password isn’t strong enough” fail to explain to the user why their beloved “M0nkey!” password is rejected. After all, it does contain an upper- and lower-case letter, a number and a special character. Instead, a message such as this one should be used: “Your password isn’t long enough (must be at least 8 characters) and belongs to a list of the most common passwords, which will be easy to guess. Try using a passphrase instead”. Make sure that password requirements are clearly communicated to users as well, further reducing the frustration factor.
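The blacklist check and the actionable feedback described in the last two points, as an added example that is not part of the original post. The sample blacklist and the company/product terms are constructed; a real deployment would load a breach-derived list with many thousands of entries.

```python
import unicodedata

# Constructed sample blacklist: a few of the most common passwords plus
# hypothetical organisation-specific terms (company and product names).
COMMON_PASSWORDS = {"12345", "password1!", "trustno1", "monkey!", "m0nkey!",
                    "qwerty", "letmein"}
ORG_TERMS = {"acmecorp", "widgetpro"}  # hypothetical names (assumption)

MIN_LENGTH = 8     # minimum length cited in the post
MAX_LENGTH = 128   # assumption; NIST requires allowing at least 64 characters


def normalize(password: str) -> str:
    # NIST 800-63B: apply Unicode normalization (NFKC here) before comparing
    # or hashing, so the same passphrase typed on different keyboards matches.
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str) -> list:
    """Return actionable rejection reasons; an empty list means accepted.
    No composition rules (upper/lower/digit/symbol) are enforced and any
    character, including spaces, is allowed."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"Your password isn't long enough "
                       f"(must be at least {MIN_LENGTH} characters).")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"Your password is too long "
                       f"(must be at most {MAX_LENGTH} characters).")
    lowered = pw.casefold()              # blacklist comparison is case-insensitive
    if lowered in COMMON_PASSWORDS:
        reasons.append("This password belongs to a list of the most common "
                       "passwords and will be easy to guess.")
    hits = sorted(t for t in ORG_TERMS if t in lowered)
    if hits:
        reasons.append(f"This password contains a company-related term "
                       f"({', '.join(hits)}) that is easy to guess.")
    if reasons:
        reasons.append("Try using a passphrase instead: a long sentence of "
                       "ordinary words is easier to remember and harder to guess.")
    return reasons
```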
Change password after a confirmed compromise
This one is pretty self-explanatory: keeping in mind that periodic password resets are no longer advised, it is crucial to force a password change if a compromise has been confirmed.
Implement rate limiting on failed login attempts
This will help mitigate online attacks in which an adversary attempts to log in by simply guessing passwords, while still allowing legitimate users (or persistent claimants with poor typing skills) to log in after a modest number of unsuccessful attempts. The number of allowed unsuccessful login attempts should be determined by each organization based on the complexity of existing user passwords and the organization’s risk appetite. For example, if passwords are quite complex and the probability of typing errors is above average, restricting users to 3 login attempts will create unnecessary frustration, while 15 attempts per day may make it just as hard to brute-force the passwords (assuming they were verified against the previously mentioned password blacklist) without inconveniencing the users.
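A per-account throttle of the kind described above, as an added example that is not part of the original post. The 15-per-day default follows the post’s figure; the credential store and clock are constructed so the window behaviour can be exercised offline.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Throttle online guessing: at most `max_attempts` failed logins per
    account within a sliding window of `window_seconds`. A successful login
    clears the account's failure history. `clock` is injectable for testing."""

    def __init__(self, max_attempts=15, window_seconds=24 * 3600, clock=time.time):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _recent(self, account):
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] >= self.window_seconds:  # drop aged-out failures
            q.popleft()
        return q

    def attempts_remaining(self, account) -> int:
        return max(0, self.max_attempts - len(self._recent(account)))

    def is_locked(self, account) -> bool:
        return self.attempts_remaining(account) == 0

    def record_failure(self, account):
        self._recent(account).append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(limiter, account, password, verify) -> str:
    """verify(account, password) -> bool is the credential check (e.g. a salted
    hash comparison). Returns 'locked', 'failed' or 'ok'. The limiter is consulted
    before the password is checked, so a locked account cannot be probed at all."""
    if limiter.is_locked(account):
        return "locked"
    if not verify(account, password):
        limiter.record_failure(account)
        return "failed"
    limiter.record_success(account)
    return "ok"
```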
Store passwords securely
Online attacks can be mitigated by increasing password length and introducing rate limiting, but what about offline attacks? This is where password hashing comes in. An attacker’s ability to crack a given password offline depends largely on how the password is stored. It is recommended that each password be salted with a random value and hashed, preferably using a strong, slow hashing algorithm, before being written to the database.
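Salted, iterated hashing of the kind recommended above, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the 600,000-iteration work factor and the `$`-separated record format are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor (assumption); raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per password


def _material(password: str) -> bytes:
    # Normalize before hashing so the same passphrase always yields the same bytes.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _material(password), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        alg, iters, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False   # malformed record: never accept
    if alg != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", _material(password), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses a weaker work factor than currently required,
    so it can be re-hashed at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
```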
Keeping your password policies up to date is just one of many ways an organization can protect their employee accounts and assets. Stay tuned for more posts where we will discuss the benefits of implementing multi-factor authentication, how to make sure your VPN client is configured securely, and much more.
Senior Partner, Cyber Risk