The National Institute for Standards and Technology (NIST) has released Special Publication 800-63B, titled Digital Identity Guidelines. The document outlines major changes to the ways password security should be approached, and leaves a lot of what network administrators and software developers have implemented recently to be wrong. Today, we’ll take a look at the publication, and try to make sense of the sudden change of course.
What Does NIST Do?
NIST is a non-regulatory federal agency that works under the umbrella of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and competitiveness by advancing uniform measurement standards. Many NIST guidelines become the foundation for best practices in data security. As a result, any publication they produce having to do with cyber or network security should be considered.
Reviewing Some Key Points
NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
An organization can’t be sure that its passwords are secure without some kind of assessment of its security and privacy controls, which is especially true when the stakes are as high as they are for federal organizations. This is why NIST has created these guidelines--to provide a resource and help make these assessments as consistent as possible, by:
- Establishing assessments of security and privacy controls that can easily be replicated and compared against historical data.
- Increasing appreciation for, and understanding of, the risks to assorted targets, assets, individuals, and the country through the use of federal information systems.
- Enabling cost-effective assessments of security and privacy controls to help gather data on the efficacy of controls.
- Creating better data and information to be used by officials in support of decision-making and compliance purposes.
NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
It isn’t uncommon for government bodies to lean on private organizations to help fulfill their goals, which means that highly sensitive information that belongs to the federal government, but is stored inside an external system has to be protected. This controlled unclassified information (CUI) needs to remain confidential, and an extensive list of guidelines and requirements outline a path for organizations to take, broken up into different sections:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
NIST 800-63 - Digital Identity Guidelines
These new password guidelines are a swift about-face in strategy as compared to previous NIST suggestions. Instead of a strategy of ensuring that all passwords meet some type of arbitrary complexity requirements, the new strategy is to create passwords that are easier and more intuitive. Here are some of the highlights:
- Passwords should be compared to dictionaries and commonly-used passwords
- Eliminate or reduce complexity rules for passwords
- All printable characters allowed, including spaces
- Expiration of passwords no longer based on time password has been in use
- Maximum length increased to 64 characters.
Why is NIST Adding These Guidelines?
Basically, the new guidelines recommend longer passphrases to the complex passwords as they are hard for people to remember, and even with complexity rules in place, it was becoming increasingly easy for algorithms to crack passwords (as demonstrated in the webcomic XKCD, pictured here).
As stated before, NIST is not a regulatory organization, but federal agencies and contractors use NIST’s information in order to set up secure computing environments in which to display, store, and share sensitive unclassified information.
In making these changes to password strategy, NIST is now considering the fact that many industry professionals already knew: a password you can’t remember may be secure, but if you have to rely on insecure methods to utilize it, it’s not really that effective at mitigating risk. NIST now looks at the passphrase strategy, along with two-factor authentication as the go-to risk management strategy. SMS-based two-factor authentication has come under scrutiny, as it has contributed to multiple hacks in recent times.
NIST also explicitly commands that network administrators should be mindful to forbid commonly used passwords; effectively creating a blacklist of passwords. The new guidelines also suggest that users shouldn’t be using the password hints or knowledge-based authentication options; a common practice among banking and FinTech applications to this day. We’ll see if there is a strategic alteration in these companies’ practices as the new NIST guidelines become best practices.
If you are looking for more information about best password practices and data security, the IT experts at KT Connections are here to help. Call us today at 605-341-3873 to have your password strategy assessed by the professionals.
Comic by XKCD.