Proposed NIST Password Guidelines Soften Length, Complexity Focus

NIST’s latest password guidelines focus less on length and complexity of secrets and more on other measures such as 2FA, throttling, and blacklists.

A comment period has closed on NIST’s new password guidelines for federal agencies that challenge the effectiveness of traditional behaviors around authentication such as an insistence on complex passwords and scheduled resets.

As more tech companies move away from passwords and toward multistep and multifactor authentication, and physical keys, NIST’s guidance accelerates the conversation for the U.S. government.

The document also proposes that passwords be checked against blacklists of unacceptable credentials, including passwords already exposed in breaches, dictionary words, and repetitive or sequential characters. The overall marching orders, however, are to relieve user frustration caused by decades of memorizing an overbearing number of passwords to get your job done.

“Mitigations such as blacklists, secure hashed storage, and rate throttling are more effective at preventing modern brute-force attacks,” the guidelines said.

The final draft is ready for approval, and it’s especially timely after brutal 2016 when cache after cache of stolen credentials was made public, disclosing more than one billion credentials. The disclosures elevated debate to the highest levels over password reuse and the effectiveness of current authentication schemes. As more credentials were leaked, it became abundantly clear that passwords were ready to be put out to pasture as consumers and business users alike have to manage too many credentials and re-use them across internet-based services.

“Users need to remember these passwords and if they’re overly complex or if they change too frequently, users will resort to writing them down,” said Scott Petry, CEO of Authenticat8, developers of a virtual browser called Silo. “That defeats the secret nature of the password. Or they’ll derive slightly different passwords on a common them and reuse them at set intervals. This creates a false sense of integrity.”

Yahoo alone disclosed that nation-state actors and cybercriminals had accessed account information for more than 1 billion accounts, while LinkedIn, Twitter, Daily Motion, iMesh, VK, MySpace and many others reported lost credentials and in many cases forced a password reset for users. Compounding the problem is the fact that the average number of services registered to one email account for 25-34-year-olds is more than 40, according credit-checking firm Experian. And on average, users had only five different passwords for those accounts, Experian reported last year.

“Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones,” NIST said.

The rationale for frequent password changes, or certain length and complexity requirements, is the belief that this would make credentials more resistant to brute-force attacks, password-guessing attacks, and dictionary attacks. NIST said that minimum password length and complexity should depend on the threat model being addressed. Throttling the number of guesses, for example, is a substantial security measure against online attacks, while recommending salting and hashing to slow down offline attacks.

“Glad to know that NIST understands that passwords are a nuisance and that adding more complexity and rules doesn’t make the lives of users any easier. These policies only increase the calls to the help desk for password recovery,” said neoEYED CEO Allesio Mauro. “Unfortunately, more and more frequently, the problem is that passwords are stored in the server in a wrong way or the connection the users adopt is not safe. I believe today that, whichever password you are actually using, is already in the hands of the hacker (or soon to be) and soon to be encrypted, so why even care about so many policies?”

Suggested articles


  • brian on

    What someone in the security business actually applying simple logic and human behaviour for once will miracles never cease! Long passwords and resetting on a regular basis is guaranteed to get users to write them down - Defeating the object of security. Simply throttling number of guesses etc., is the most effective way of preventing brute force attacks even with relatively simple passwords or those on a list. Even if the password is relatively simple or on a list, three strikes and out makes it hard to get in with brute force.
    • Matt on

      Agreed, Brian, but another problem arises when there are interfaces exposed to the public for long periods of time (such as IMAP) that bots can use to attempt to authenticate at a low enough rate that it does not trigger any lockouts or throttling, and these attempts can come from multiple IPs worldwide so it's not feasible to simply block the offending IP. Thus, a simple or common enough password which does not change over a long period of time could eventually be compromised with such an attack. I. for one, support the company-wide mandated use of a password manager with AD integration (such as LastPass Enterprise) that can ensure people's passwords are not on blacklists, can help ease the burden of generating sufficiently random passwords, and can solve the problem of securely sharing passwords among IT personnel)
  • Chester on

    Users can use a random password generator - I'm sure I have well over a hundred different ids and passwords and remember none of them - the creds including the userid are in my "password" safe. 2FA combined with simple passwords is pretty secure.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.