Proposed NIST Password Guidelines Soften Length, Complexity Focus

NIST’s latest password guidelines focus less on length and complexity of secrets and more on other measures such as 2FA, throttling, and blacklists.

A comment period has closed on NIST’s new password guidelines for federal agencies that challenge the effectiveness of traditional behaviors around authentication such as an insistence on complex passwords and scheduled resets.

As more tech companies move away from passwords and toward multistep and multifactor authentication, and physical keys, NIST’s guidance accelerates the conversation for the U.S. government.

The document also proposes that passwords be checked against blacklists of unacceptable credentials, including passwords already exposed in breaches, dictionary words, and repetitive or sequential characters. The overall marching orders, however, are to relieve the user frustration caused by decades of memorizing an overbearing number of passwords just to get a job done.

“Mitigations such as blacklists, secure hashed storage, and rate throttling are more effective at preventing modern brute-force attacks,” the guidelines said.
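To make the blacklist screening described above concrete, here is an added Python example (not code from NIST or from anyone quoted in this article) that rejects candidate passwords that are on a list, repetitive, or sequential. The five-entry list and the run threshold are constructed assumptions; a real deployment would load a breach corpus and a dictionary instead.

```python
import unicodedata

# Constructed sample list; stands in for a breach corpus plus dictionary words.
SAMPLE_BLOCKLIST = {"password", "letmein", "qwerty", "dragon", "sunshine"}

# Assumption: more than MAX_RUN identical or consecutive characters is rejected.
MAX_RUN = 3


def _normalize(candidate: str) -> str:
    # Fold case and Unicode compatibility forms so "PassWord" and
    # full-width look-alikes compare equal to "password".
    return unicodedata.normalize("NFKC", candidate).casefold()


def _longest_run(text: str, step: int) -> int:
    """Longest run in which each character is `step` code points after the last."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def screen_password(candidate: str, blocklist=SAMPLE_BLOCKLIST) -> list:
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    reasons = []
    norm = _normalize(candidate)
    if norm in blocklist:
        reasons.append("blocklisted")
    if _longest_run(norm, 0) > MAX_RUN:          # e.g. "aaaa"
        reasons.append("repetitive")
    if max(_longest_run(norm, 1), _longest_run(norm, -1)) > MAX_RUN:
        reasons.append("sequential")             # e.g. "1234" or "zyxw"
    return reasons


if __name__ == "__main__":
    for pw in ("PassWord", "aaaa1234", "zyxw-tree", "correct horse battery staple"):
        print(repr(pw), screen_password(pw) or "accepted")
```

Note that the check runs on the submitted secret before it is hashed for storage, so the comparison list never needs to be matched against stored credentials.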

The final draft is ready for approval, and it’s especially timely after a brutal 2016, when cache after cache of stolen credentials was made public, disclosing more than one billion credentials. The disclosures elevated debate to the highest levels over password reuse and the effectiveness of current authentication schemes. As more credentials were leaked, it became abundantly clear that passwords were ready to be put out to pasture, as consumers and business users alike have to manage too many credentials and reuse them across internet-based services.

“Users need to remember these passwords and if they’re overly complex or if they change too frequently, users will resort to writing them down,” said Scott Petry, CEO of Authentic8, developers of a virtual browser called Silo. “That defeats the secret nature of the password. Or they’ll derive slightly different passwords on a common theme and reuse them at set intervals. This creates a false sense of integrity.”

Yahoo alone disclosed that nation-state actors and cybercriminals had accessed account information for more than 1 billion accounts, while LinkedIn, Twitter, Daily Motion, iMesh, VK, MySpace and many others reported lost credentials and in many cases forced a password reset for users. Compounding the problem is the fact that the average number of services registered to one email account for 25-34-year-olds is more than 40, according to credit-checking firm Experian. And on average, users had only five different passwords for those accounts, Experian reported last year.

“Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones,” NIST said.

The rationale for frequent password changes, or certain length and complexity requirements, is the belief that this would make credentials more resistant to brute-force attacks, password-guessing attacks, and dictionary attacks. NIST said that minimum password length and complexity should depend on the threat model being addressed. Throttling the number of guesses, for example, is a substantial security measure against online attacks, while salting and hashing are recommended to slow down offline attacks.

“Glad to know that NIST understands that passwords are a nuisance and that adding more complexity and rules doesn’t make the lives of users any easier. These policies only increase the calls to the help desk for password recovery,” said neoEYED CEO Allesio Mauro. “Unfortunately, more and more frequently, the problem is that passwords are stored in the server in a wrong way or the connection the users adopt is not safe. I believe today that, whichever password you are actually using, is already in the hands of the hacker (or soon to be) and soon to be encrypted, so why even care about so many policies?”
