This article was originally written in the summer of 2020 and has since been updated to reflect the latest password ‘best practices’.
The password. Such a simple concept, yet it’s one area where we consistently see weaknesses at both the personal and the enterprise level. It doesn’t help that NIST guidance on passwords has changed radically over time. The days of password complexity and frequent forced changes are coming to an end – and for good reason. Right now, we’re in a period of password rule flux where NIST is recommending one thing and governing bodies like the PCI are still holding fast to the old rules. On top of that, they’re basically all wrong when you consider cracking a password from an attacker’s standpoint. Complex or simple, an 8 character password can be outright guessed or simply brute forced in a day under certain circumstances.
If you have a minimum 8 character ‘complex’ password as your policy, you’re going to get people creating passwords like ‘F@ll2021!’ or the dreaded ‘P@ssw0rd01’. The user then rotates their password according to policy, resulting in ‘Spr1ng2021!’ or ‘P@ssw0rd02’. Think this is hypothetical? You’d be wrong. The larger your organization, the more likely that we (or a hacker) will guess our way in on a penetration test with passwords like that. In fact, someone reading this probably just gulped because we guessed their password.
Current NIST Recommendations
- User-generated passwords should be at least 8 characters in length
- Machine-generated passwords should be at least 6 characters in length
- Users should be able to create passwords up to at least 64 characters
- All ASCII/Unicode characters should be allowed – including emojis and spaces
- Prospective passwords should be compared against password breach databases and rejected if there is a match
- Passwords should not expire
- Users should be prevented from using sequential or repeated characters (ex. “1234” or “aaaa”)
- Two-factor authentication (2FA) or multifactor authentication (MFA) should not use SMS for codes
- Knowledge-based authentication (KBA) should not be used (ex. “What street did you grow up on?”)
- Users should be allowed 10 failed password attempts before the account is locked
- Passwords should not have hints
- Complexity requirements (special characters, numbers, uppercase, etc.) should not be used
- Context-specific words, such as the name of the service, the user’s username, etc. should not be permitted
NIST still recommends a minimum 8 character password, but now recommends eliminating both the complexity requirements and the password expiration requirement. The thinking behind this follows from the examples above: the old rules didn’t really have the desired effect and may in fact have made things worse by making user behavior more predictable to attackers. The lesson learned is that users will find a way to make passwords they can easily remember.
In addition to eliminating complexity and expiration, NIST now recommends prohibiting commonly used passwords (ex. ‘P@ssw0rd1’ wouldn’t be allowed). That sounds like a great idea, but how do you do that? Right now there aren’t a whole lot of options to do this automatically. The site Have I Been Pwned has an API to search for passwords stolen in breaches, but most companies are probably not going to wire that up themselves anytime soon. Users can check it themselves, but if you tried to make that a policy it would be voluntary and unenforceable.
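The following is an added example, not code from the original article, showing how the recommendations listed above can be turned into an enforceable check at password-creation time: length limits without complexity classes, rejection of context-specific words, rejection of sequential or repeated characters, and a breach-corpus lookup. The breach lookup follows the k-anonymity contract the Have I Been Pwned Pwned Passwords range API uses (the client sends only the first 5 hex characters of the SHA-1 and compares the returned suffixes locally), but the corpus here is a small constructed set of hashes so the example runs offline; the NFKC normalization step and the rejection codes are choices made for this example.

```python
import hashlib
import unicodedata
from typing import Callable, List

# Constructed breach corpus for the example (not real breach data): SHA-1 digests of
# a few passwords of the kind the article warns about.
_BREACHED_PLAINTEXT = ["P@ssw0rd1", "P@ssw0rd01", "F@ll2021!", "Spr1ng2021!", "password", "123456"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXT}


def local_range_lookup(prefix: str) -> List[str]:
    """Offline stand-in for the Pwned Passwords range endpoint.

    The real service takes the first 5 hex characters of a SHA-1 and returns
    'SUFFIX:COUNT' lines for every known hash sharing that prefix, so the full
    hash never leaves the client. Here the same contract is served from the
    constructed corpus above.
    """
    return [f"{h[5:]}:1" for h in BREACH_CORPUS if h.startswith(prefix)]


def is_breached(password: str,
                range_lookup: Callable[[str], List[str]] = local_range_lookup) -> bool:
    """Return True if the password's SHA-1 appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate_suffix, _, _count = line.partition(":")
        if candidate_suffix == suffix:
            return True
    return False


def has_sequential_or_repeated_run(password: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all identical ('aaaa') or
    strictly consecutive code points in either direction ('1234', 'dcba')."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "", service_name: str = "",
                   min_length: int = 8, max_length: int = 64,
                   range_lookup: Callable[[str], List[str]] = local_range_lookup) -> List[str]:
    """Return a list of rejection codes; an empty list means the password is acceptable.

    Deliberately absent: any complexity-class requirement and any expiry logic.
    """
    # Normalize Unicode so visually identical input compares and hashes the same
    # (the choice of NFKC is an assumption of this example).
    password = unicodedata.normalize("NFKC", password)
    reasons: List[str] = []
    # Length is the primary strength control; all characters, spaces and emoji included, count.
    if len(password) < min_length:
        reasons.append("too_short")
    if len(password) > max_length:
        reasons.append("too_long")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains_username")
    if service_name and service_name.lower() in lowered:
        reasons.append("contains_service_name")
    if has_sequential_or_repeated_run(password):
        reasons.append("sequential_or_repeated")
    if is_breached(password, range_lookup):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "jdoe1234", "Mary Had a Mastodon EIEIO"]:
        print(candidate, "->", check_password(candidate, username="jdoe", service_name="acme") or "accepted")
```

To use the real service, replace `local_range_lookup` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body split into lines; the rest of the check is unchanged, and the prefix-only query is what keeps the user's password out of the request.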
The Bottom Line
So what’s the bottom line on passwords? What should you do? Well, to start, make your minimum password length 15-20 characters, because your 8 character passwords can be guessed or cracked quickly. Next, eliminate password reuse with the use of a password manager, which will generate unique random passwords for each login. Secure your password manager with a pass phrase, a memorable nonsensical sequence of words. Don’t use kids’ or pets’ names; pick something random you can easily remember, i.e. “Mary Had a Mastodon EIEIO”. Pass phrases are almost impossible to crack with current technology, and as long as they’re not connected to anything relating to you they’re pretty much impossible to guess. In addition, use Two Factor (2FA) or Multifactor authentication. It really is the single most powerful tool in authentication now, and it’s readily available and easier to deploy than ever. Lastly, have your password quality tested in total by having your company passwords run through a cracker by your security partner, service provider, or penetration tester. It’s a fairly straightforward process and quickly highlights weak or out of compliance passwords.
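As an added example (not from the original article), the block below generates a pass phrase of the kind recommended above with a cryptographically secure random choice and puts numbers behind the claim that such phrases are far harder to crack than an 8 character password. The wordlist is a small constructed one so the code runs stand-alone; the 7776-word list size used in the comparison is the size of a standard diceware-style list, and the guess rate is an assumed figure for illustration only.

```python
import math
import secrets
from typing import List

# Constructed mini wordlist for the example. A real deployment loads a large published
# list (thousands of words): with only 32 words, five of them give just 25 bits.
WORDLIST = [
    "mary", "mastodon", "lantern", "copper", "velvet", "harbor", "pickle", "meadow",
    "quartz", "saddle", "thunder", "walnut", "ember", "falcon", "glacier", "hammock",
    "iguana", "jigsaw", "kettle", "lobster", "marble", "nectar", "orbit", "pepper",
    "quiver", "ripple", "sprocket", "tundra", "umbrella", "violin", "whisker", "zephyr",
]


def generate_passphrase(word_count: int = 5, wordlist: List[str] = WORDLIST,
                        separator: str = " ") -> str:
    """Draw word_count words uniformly at random using the OS CSPRNG (secrets)."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly from wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def char_password_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a truly random character password (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from the list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace at the given rate."""
    seconds = (2 ** entropy_bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, illustration only
    print("sample passphrase:", generate_passphrase(5))
    print("8 random chars:   %.1f bits, %.2e years" % (
        char_password_entropy_bits(8), expected_crack_years(char_password_entropy_bits(8), rate)))
    print("5 diceware words: %.1f bits, %.2e years" % (
        passphrase_entropy_bits(5, 7776), expected_crack_years(passphrase_entropy_bits(5, 7776), rate)))
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
```

The comparison only holds for words drawn at random; a phrase built from names, dates or anything tied to the user collapses to a much smaller effective keyspace, which is why the article insists on nonsensical sequences.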