For years IT professionals have been using a common baseline for determining how to implement password and authentication standards in their networks. This document, NIST 800-63 [1], suggested using passwords with enforced complexity rules (such as: at least one letter, one number, one symbol, etc.), frequent changes, minimum length, and so on.

In June, NIST released a major revision of this document. [2] Re-thinking all previous guidance based on currently available research, the new guidelines establish a significant departure from previous versions.
Here’s the short version: kill complexity, password expiration, and hints/questions. Use an 8-character minimum (although, see below) and enable lockouts, blacklists, and rate limiting.
Things to stop doing
NIST found that users form passwords to meet complexity rules in predictable ways, negating much of their value.
… Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.
… Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.
Therefore, NIST now recommends that no complexity rules at all be used for passwords. [3]
In addition, frequent password changes are no longer recommended. [4] Password change should only be required when there is evidence that the password has been compromised. Users should have the ability to change passwords as they need (or want) to.
Also out are password hints or knowledge questions:
Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.
Things to start doing
NIST wants users to choose better, easier-to-remember passwords, with some help from the underlying system. The guidelines call for passwords of 8 – 64 characters. A password strength meter is a good way of encouraging better passwords. Rejecting weak passwords based on dictionary words, known common passwords, and repetitive characters can also guide users toward better choices. Enabling lock-out and rate limiting after numerous failed authentication attempts makes online brute-force guessing much more difficult.
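What a verifier that follows this guidance actually checks is easier to see in code. The following is an added example, not code from the original post or from NIST: a PowerShell acceptance check modelled on SP 800-63B 5.1.1.2 that enforces length, a blocklist of common and dictionary passwords, and a repetitive/sequential-character screen, and deliberately applies no composition rules. The function names and the blocklist contents are my own; the blocklist is a small constructed sample standing in for a breach-derived corpus.

```powershell
# Added example, not code from the original post: a verifier-side acceptance
# check modelled on SP 800-63B section 5.1.1.2. Runs in Windows PowerShell 5.1
# or PowerShell 7; no modules required.

# Constructed sample list. A real deployment loads a breach-derived corpus of
# common passwords and dictionary words (hundreds of thousands of entries).
$script:Blocklist = @(
    'password', 'password1', 'password1!', 'qwerty', 'letmein',
    '123456', 'welcome', 'iloveyou', 'admin', 'football'
)

function Test-SequentialRun {
    # True when $Text contains $RunLength consecutive characters whose code
    # points ascend by exactly one ("abcdef", "123456").
    param([string] $Text, [int] $RunLength = 6)
    if ($Text.Length -lt $RunLength) { return $false }
    for ($i = 0; $i -le $Text.Length - $RunLength; $i++) {
        $ascending = $true
        for ($j = 1; $j -lt $RunLength; $j++) {
            if (([int]$Text[$i + $j]) - ([int]$Text[$i + $j - 1]) -ne 1) {
                $ascending = $false
                break
            }
        }
        if ($ascending) { return $true }
    }
    return $false
}

function Test-MemorizedSecret {
    # Returns Accepted = $true/$false plus the reasons for rejection. Note what
    # is deliberately absent: no uppercase/digit/symbol composition rules and
    # no expiry logic, matching the revised guidance.
    param(
        [Parameter(Mandatory)] [string] $Secret,
        [int] $MinLength = 8,   # 800-63B: verifiers SHALL require at least 8
        [int] $MaxLength = 64   # 800-63B: verifiers SHOULD permit at least 64
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Length counts characters, so spaces and Unicode are fine in a passphrase.
    if ($Secret.Length -lt $MinLength) { $reasons.Add("shorter than $MinLength characters") }
    if ($Secret.Length -gt $MaxLength) { $reasons.Add("longer than $MaxLength characters") }

    # Case-insensitive blocklist match catches "Password1!" as well as "password1!".
    $lower = $Secret.ToLowerInvariant()
    if ($script:Blocklist -contains $lower) { $reasons.Add('on the common-password blocklist') }

    # Repetitive ("aaaaaaaa") and sequential ("abcdefgh", "12345678") strings.
    if ($lower -match '^(.)\1+$') { $reasons.Add('a single repeated character') }
    if (Test-SequentialRun -Text $lower -RunLength 6) { $reasons.Add('contains a sequential run of 6+ characters') }

    [pscustomobject]@{
        Secret   = $Secret
        Accepted = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Demonstration on constructed inputs: the first three are rejected, the
# four-word passphrase (no digits, no symbols, contains spaces) is accepted.
'Password1!', 'aaaaaaaa', 'abcdefghij', 'correct horse battery staple' |
    ForEach-Object { Test-MemorizedSecret -Secret $_ } |
    Format-Table -AutoSize
```

The blocklist comparison is done after lower-casing, because the whole point of the NIST research quoted above is that “Password1!” is the same guess as “password”. Lock-out and rate limiting are not part of this function on purpose: they belong on the authentication path, not the enrolment path, and in Active Directory they are domain policy settings rather than code.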
And above all, using two-factor/multi-factor authentication is the most desirable and secure way forward (but that’s the subject of another post).
The Real World
However, there is a difference between what is recommended and what your system is actually capable of. As of now, Windows Active Directory does not have a facility to blacklist bad passwords. It does not have a way to rate limit logon attempts. It does not have a password strength meter.
All of these capabilities are available via third-party software, but they’re usually fairly expensive. What to do? Work with what you have.
My recommendations for most small businesses using Active Directory are to enable user lock-out after 10 failed attempts (or fewer) and to automatically unlock the account after 30 minutes. Disable password complexity and expiration entirely. Set the minimum password length to at least 10, which should encourage users to choose multi-word passwords (if nothing else, “password” will be too short to comply).
These steps somewhat split the difference between getting closer to NIST’s latest guidance, making life a bit easier for your users, and saving your IT budget.
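For reference, here is how those recommended settings translate into the default domain password policy. This is an added example, not a script from the original post or from IngenuIT; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the target is the domain returned by Get-ADDomain. The values (10 attempts, 30 minutes, no complexity, no expiry, minimum length 10) are the ones recommended above; the observation window is set equal to the lock-out duration because AD requires it not to exceed the duration.

```powershell
# Added example, not code from the original post: applies the settings
# recommended above to the default domain password policy. Requires the RSAT
# ActiveDirectory module and Domain Admin rights; try it in a lab domain first
# and review the result with Get-ADDefaultDomainPasswordPolicy.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

$policy = @{
    Identity                 = $domainDN
    LockoutThreshold         = 10                        # lock out after 10 failed attempts
    LockoutDuration          = New-TimeSpan -Minutes 30  # auto-unlock after 30 minutes
    LockoutObservationWindow = New-TimeSpan -Minutes 30  # failure-counter reset; must not exceed LockoutDuration
    ComplexityEnabled        = $false                    # no composition rules
    MaxPasswordAge           = New-TimeSpan -Days 0      # zero age is how AD expresses "never expires"
    MinPasswordLength        = 10                        # "password" (8 characters) no longer qualifies
}

Set-ADDefaultDomainPasswordPolicy @policy

# Confirm what the domain now enforces before telling users anything changed.
Get-ADDefaultDomainPasswordPolicy -Identity $domainDN |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  ComplexityEnabled, MaxPasswordAge, MinPasswordLength
```

The same settings can be made in the Default Domain Policy GPO under Account Policies; the cmdlet simply writes the same domain attributes. Note what this does not give you: no blocklist and no strength meter, which is exactly the gap the post describes above. Disabling expiration only makes sense together with the lock-out settings, so apply them as one change.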
IngenuIT can help. We can perform an audit of your current systems, let you know where you’re okay and where you need to consider a change. Call today! (314) 495-9504 or e-mail support@ingenuitstl.com
[1] The National Institute of Standards and Technology released the original version of SP 800-63 in 2003.
[2] https://pages.nist.gov/800-63-3/sp800-63-3.html
[3] SP 800-63B 5.1.1.2: Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
[4] SP 800-63B 5.1.1.2: Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.