Changes to NIST Password Recommendations
One of the biggest vulnerabilities to a user’s private data is a weak authentication mechanism, most commonly weak passwords and poor password management requirements. Even when the traditional ‘strict’ password policies are enforced (8+ characters, alpha-numeric requirements, a special-character requirement, and password lifetimes), users often choose predictable and therefore easily cracked passwords. For instance, a user will often take a common name or word and, to satisfy these requirements, replace letters with numbers and add a special character at the end, e.g. “Pa$$w0rd!” or “Yellow86!”. Attackers can use what are called variant ‘dictionary’ attacks to crack these types of passwords in hours if not minutes.
The National Institute of Standards and Technology (NIST) has published a new set of recommendations for password best practices as part of its Special Publication 800-63 (https://pages.nist.gov/800-63-3/sp800-63b.html), which now does away with some of the ‘old school’ password complexity and lifetime requirements. This may come as music to many users’ ears, since these outdated policies have become a great annoyance to many. Within the publication, one of the most important sets of recommendations for memorized secrets (a.k.a. passwords) is as follows:
- Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
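As an added illustration (not code from the original article or from NIST), the following Python check implements these three points on the verifier side and places them next to a legacy complexity rule for comparison. It enforces only a minimum length, accepts long passphrases including spaces, normalizes input with NFKC before comparing, imposes no character-class rules and no expiry, and rejects values found on a blocklist of commonly used or compromised passwords, which SP 800-63B also calls for. The blocklist entries and context words are constructed samples.

```python
import unicodedata

# Verifier-side checks for memorized secrets following NIST SP 800-63B 5.1.1.2:
# a minimum length, acceptance of long passphrases with any printable characters
# (spaces included), no composition rules, and a blocklist comparison.
MIN_LENGTH = 8

# Constructed sample blocklist; a deployment would load a large list of
# commonly used, expected or compromised values (lower-cased for comparison).
BLOCKLIST = {"password", "pa$$w0rd!", "yellow86!", "123456", "qwerty", "letmein"}


def normalize(secret: str) -> str:
    """Apply NFKC so that visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def legacy_complexity_ok(secret: str) -> bool:
    """The 'old school' rule the article describes: 8+ characters with upper,
    lower, digit and special character. Kept only to show what it lets through."""
    return (len(secret) >= 8
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    context_words are site- or user-specific terms (service name, username)
    that SP 800-63B says should also be rejected."""
    s = normalize(secret)
    reasons = []
    # len() counts code points, so spaces and non-ASCII characters count fully,
    # and there is no upper limit that would truncate or reject a long passphrase.
    if len(s) < MIN_LENGTH:
        reasons.append(f"too short: {len(s)} < {MIN_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the commonly used / compromised list")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    # Deliberately absent: character-class requirements and any expiry date.
    return reasons


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd!", "jp4@d_8K", "My dog Rufio likes to eat lasagna."]:
        print(f"{candidate!r}: legacy rule passes={legacy_complexity_ok(candidate)}, "
              f"NIST-style rejections={check_memorized_secret(candidate, ['SecureMessenger'])}")
```

Running it shows the point of the article: “Pa$$w0rd!” satisfies the legacy complexity rule but is rejected by the blocklist, while the long passphrase fails the legacy rule (no digit) and is accepted by the NIST-style check.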
As you can see, NIST is now recommending as best practice that systems require ‘passphrases’ instead of ‘passwords.’ This is an important distinction: memorized passwords are often 8, maybe 12, characters long, and truly random ones are difficult to remember. Passphrases, by contrast, are typically 32 characters or longer and are comparatively easy to remember. For example, try remembering “jp4@d_8K” and, in contrast, “My dog Rufio likes to eat lasagna.” This passphrase is 35 characters long and would be nearly impossible to crack using traditional brute-force methods simply because of its length, whereas the 8-character password could eventually be cracked by trying 8-character strings one after another.
It is also important to notice that NIST is specifically recommending AGAINST forcing users to change passwords regularly or periodically. In practice, most users simply change the last character of their password to satisfy this requirement, or add another character. So even if a compromise is suspected, the ‘changed’ password could easily be cracked based on the previous one.
GlobalCerts’ SecureMessenger™ system has always distinguished itself from the competition by providing recipients with an easy-to-use, yet secure, way of registering and authenticating themselves. Our system uses a quick, one-page registration process for external users. They simply enter a secret passphrase, re-enter it to verify it was not mistyped, and also enter a corresponding ‘hint’ that will remind them of their passphrase. When they receive a secured email, they receive a unique URL link to that email. To view the secured message, an individual must have both this unique URL and the secret passphrase. The hint gives the user an easy way to remember what the content or subject of the passphrase is. Additionally, brute-force attacks are mitigated because the entered passphrase is used in a computationally intensive decryption process.
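As an added example, not GlobalCerts’ own code and not a description of how SecureMessenger is implemented, the snippet below shows one standard way to make passphrase-based decryption computationally expensive: deriving the key with PBKDF2-HMAC-SHA256 at a high iteration count (600,000 is OWASP’s 2023 recommendation for this algorithm), with a random per-user salt, NFKC normalization of the passphrase and a constant-time comparison when verifying. The passphrases and salts used are constructed values.

```python
import hashlib
import hmac
import os
import time
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations (OWASP 2023 guidance)
# makes every passphrase guess cost a noticeable fraction of a second while a
# single legitimate verification stays affordable.
ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit key, e.g. for AES-256 decryption of the stored message


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a fixed-length key.
    NFKC normalization (as SP 800-63B recommends before processing) makes
    visually identical inputs, such as composed vs decomposed accents,
    derive the same key; without it a user could be locked out by their
    keyboard's Unicode form."""
    normalized = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, iterations, dklen=KEY_LEN)


def new_salt() -> bytes:
    """Random per-user salt so identical passphrases never share a key
    (SP 800-63B asks for at least 32 bits; 16 bytes here)."""
    return os.urandom(16)


def verify_passphrase(passphrase: str, salt: bytes, expected_key: bytes,
                      iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(derive_key(passphrase, salt, iterations), expected_key)


def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Measure one derivation on this machine: every candidate passphrase an
    attacker tries costs at least this much CPU time (scaled by their hardware)."""
    salt = new_salt()
    start = time.perf_counter()
    derive_key("timing probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("My dog Rufio likes to eat lasagna.", salt)
    print("derived key:", key.hex())
    print("correct passphrase accepted:",
          verify_passphrase("My dog Rufio likes to eat lasagna.", salt, key))
    print("one-character variant rejected:",
          not verify_passphrase("My dog Rufio likes to eat lasagna!", salt, key))
    print(f"cost per guess on this machine: {seconds_per_guess():.3f} s")
```

The design choice worth noting is that the cost is paid per guess rather than per user: a high iteration count barely affects someone who types the right passphrase once, but multiplies the attacker’s work for every candidate in a dictionary.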
By using a passphrase field that accepts spaces, punctuation, etc., and does not restrict the number of characters, GlobalCerts gives SecureMessenger users an authentication mechanism that is easy to remember yet highly secure.
Sources: [SP 800-63] NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, June 2017, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B.pdf.