NIST’s New Password Guidance Challenges Some Common Practices
Passwords have proven themselves an inadequate method of authentication many times. It’s not necessarily that the concept is flawed: passwords can be secure if the system around them is implemented properly. But a combination of users’ inability to properly choose and manage passwords and developers’ failure to implement secure systems often leads to security breaches.
A good password system accounts for users’ persistent disregard of what makes a good password and at least attempts to help them make better choices. Real-world password systems tend to ignore this aspect of password authentication, and the result can be disastrous for users and businesses.
It’s not just ordinary users that make poor choices in this regard: system administrators and public cloud users have been known to disregard password best practices, putting their users’ data at risk.
NIST has released a new guideline for user authentication that challenges some practices commonly accepted as “the right way to do things”.
The new guidelines include a lot of advice, including standard best practices like hashing, salting, and stretching of passwords, but I’d like to take a look at four areas where the guidelines challenge common practices.
Hints and Knowledge-Based Authentication
Password hints are a bad idea. There’s no real advantage to allowing the user to enter a password hint as a reminder. The same effect can be achieved by a password reset without giving a bad actor the opportunity to work out the password.
Knowledge-based authentication is also dangerous: it’s not hard for bad actors to discover a user’s mother’s maiden name or where they went to high school.
Both strategies are intended to reduce the burden on a company’s customer support, but they expose users to unnecessary risk.
Check Against Existing Password Dictionaries
This one is common sense, but almost never done. Hackers know which passwords people are most likely to choose. When hacking a user account they use dictionaries of common passwords as a starting point. Rejecting passwords identical to the most common passwords found in leaked password databases would go a long way to making users more secure.
Users will find this frustrating, but occasionally it’s necessary to put security above convenience.
Don’t Force Password Expiry
Many companies force users to choose a new password after a predetermined period. Intuitively, this is an appealing measure, but in practice it does little to improve security.
Frequent password expiry often leads to users simply adding an incrementing number to the end of their password or choosing simple passwords so they don’t have to frequently commit a new complex password to memory.
The Federal Trade Commission weighed in on this topic earlier in the year, advising that frequent password expiry was counter-productive.
If an account isn’t compromised, there’s no benefit to changing the password. If it is compromised, changing the password doesn’t go far enough, because it can’t be guaranteed that malware hasn’t been installed.
This is probably the most common practice NIST argues against. Many services advise users to choose passwords with a specified minimum of capital letters, numerical characters, and special characters like punctuation.
In theory, this makes users choose passwords that are harder to guess. In practice, they choose passwords that meet the minimum requirements. NIST wants password advice to focus on password length, rather than composition. Choosing a strong password can save a lot of hassle in the long run.
There’s been a fair bit of controversy surrounding some of the advice given by NIST. Let us know what you think in the comments .