NIST to security admins: You’ve made passwords too hard

NIST to security admins: You've made passwords too hard


Despite the fact that cybercriminals stole more than 3 billion user credentials in 2016, users don’t seem to be getting savvier about their password usage. The good news is that how we think about password security is changing as other authentication methods become more popular.

Password security remains a Hydra-esque challenge for enterprises. Require users to change their passwords frequently, and they wind up selecting easy-to-remember passwords. Force users to use numbers and special characters to select a strong password and they come back with  passwords like Pa$$w0rd.

[ 18 surprising tips for security pros. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]

Fortunately, the number online services supporting hardware security keys is growing, including the likes of GitHub, Google, and Facebook. Google even uses hardware security keys internally to secure its employee workforce.

The final version of NIST’s Digital Identity Guidelines (SP 800-63-3) also challenges the effectiveness of what has been traditionally considered authentication best practices, such as requiring complex passwords. When most credentials-based attacks no longer bother with brute-force methods, relying on password complexity doesn’t really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics, it doesn’t matter how complex the string is. Attackers can harvest credentials directly from the domain controller while moving laterally through the network, look up passwords from previously breached databases, or intercept passwords transmitted in plaintext.

While the public comment period for the password guidelines closed on May 1, NIST has not yet released the final version. It wound up extending the comment period for the parent document—on Digital Identity—for an additional 30 days while closing comments for the companion documents Enrollment & Identity Proofing (SP 800-63A), Authentication & Lifecycle Management (SP 800-63B), and Federation & Assertions (SP 800-63C) to get more details on how to make digital identity management “simpler for agency officials, mission owners, and implementers alike.” The NIST guidelines provide technical requirements for federal government agencies, but they act as a helpful blueprint for the private sector to follow as well.

Out with the old

Here’s what’s out in the new guidelines:

NIST recommends administrators leave out overly complex security requirements that make it harder for users to do their jobs and don’t really improve security, since frustrated users are more likely to look for shortcuts. For example, users struggle to memorize large numbers of passwords—the average user accesses more than 40 accounts—so they may either write down passwords, which defeats the purpose of having a “secret” password; reuse passwords, which makes it easier to break into accounts; or use variations of existing passwords, which makes it easier for attackers to guess the patterns.

“The username and password paradigm is well past its expiration date,” said Phil Dunkelberger, CEO of Nok Nok Labs. “Increasing password complexity requirements and requiring frequent resets adds only marginal security while dramatically decreasing usability. Most security professionals will acknowledge that while such policies look good on paper, they put a cognitive load on end users, who respond by repeating passwords across sites and other measures to cope that dramatically weaken overall security.”

While it’s true there are other ways to get passwords, brute-force attacks still exist, so don’t give up on complex passwords yet. Enterprises should encourage employees to use a password manager and not try to remember passwords. Even with recent issues found in popular password managers, these applications remain the best tool for creating and storing unique and strong passwords.

In with the new

Now, here’s what’s in the new guidelines:

Password managers only solve the password challenge; they don’t address the overall authentication problem when attackers already have the password. NIST also recommends adding another line of defense by turning on multifactor authentication. Attackers typically don’t have multiple proofs of identity, such as the user’s mobile device or some kind of physical token, they wouldn’t be able to break in even with a password.

However, NIST warned against relying on sending one-time passwords via SMS messages as a form of two-factor or multifactor authentication. SMS can easily be intercepted, so NIST suggests using software-based one-time-password generators, such as apps installed on mobile devices.

Biometrics are also gaining popularity, especially as more user devices come equipped with fingerprint readers. For example, the Samsung Galaxy S8 has both a fingerprint scanner and an upgraded retinal scanner that is currently used for unlocking the device. The scanner could likely be used as a second factor authentication method for online services that decide to adopt retinal scanning. There are rumors that LG G6 will have facial recognition software that could be used to unlock devices.

Microsoft announced plans to replace passwords with a smartphone-based authentication method. Instead of the standard two-step verification, where users first enter a password and then enter a PIN sent to their mobile device, the new “phone sign-in” method will require users to use the device to sign in with a PIN or user the fingerprint scanner to authenticate.