What’s a Good Password? NIST says One that hasn’t been stolen

In-brief: what’s a good password? According to new guidelines from NIST: one that hasn’t already been stolen by hackers.

What’s a good password? According to new guidelines from NIST: it’s one that hasn’t already been stolen by hackers.

Draft guidance from NIST on the creation of digital identities (NIST SP800-63b) released this week said that companies should vet any new passwords against lists of common passwords and those that have already been leaked as a result of data breaches. Exempting such passwords from the options available to users will improve account security more than arbitrary rules designed to create random-looking passwords, NIST said.

The recommendation is just one among a raft of changes embedded in the NIST draft guidelines, which provide technical requirements for Federal agencies implementing digital identity services. The guidelines are focused on the challenge of remote authentication with government systems and the need to verify the identity of those seeking access to federal systems. However, NIST guidelines heavily influence private practice, as well.

Together, the recommendations offer counter-intuitive, but well supported advice on how to coach users to select more secure passwords to protect their accounts. For example, NIST’s guidelines suggest abandoning length and complexity requirements for passwords, such as requiring passwords of a certain length and mandating the use of letters, numbers and special characters in the password. Such practices are the bedrock of most current password regimes, but NIST said they often work at cross purposes with efforts to protect accounts.

“Length and complexity requirements for passwords “significantly increase the difficulty of memorized secrets and increase user frustration,” NIST said in its guidelines. In response, “users often work around these restrictions in a way that is counterproductive.”

The theft and leaking of billions of user passwords from sites such as LinkedIn has provided a wealth of resources for researchers and academic interested in user password practices. They can also help keep new passwords secure, by providing organizations with a ready measure of password security, NIST said.

Any new password should be compared against “a list that contains values known to be commonly used, expected, or compromised,” NIST said.

That includes passwords obtained from prior breaches, dictionary words, repetitive sequences or words or digits and context-specific words like the name of the website or the user’s name. Prospective passwords that fail any of those tests should be rejected, and the user required to choose a different value, NIST said.

Both private sector and academic studies have reached similar conclusions about what makes a secure passwords, while raising doubts about the use of features like password expiration dates and enforced entropy, or randomness.

NIST’s new guidelines, calls for a range of other measures that have proven effective in increasing password security, as well. Secure hashed storage of password values can prevent offline “cracking” of stolen password data. Rate throttling can prevent online guessing (or “brute-force”) attacks without requiring additional complexity for the password, NIST wrote.

Password theft is a common element in most online attacks. Cyber criminals use targeted “phishing” attacks against users to steal both user names and passwords to protected networks and IT assets. In addition, password reuse between different web sites means that one set of user credentials may provide access to more than one site or resource. Offline, password cracking attacks also make short work of password hashes, making short, common passwords easy game.

[Read more Security Ledger coverage of password security.]

Endemic password insecurity has prompted reconsideration of the password as a security feature by top firms. In April, Google wrote about its new approach to security called “tiered access” that de-emphasizes traditional passwords in favor of more flexible and accurate means of proving someone’s identity. Google evaluates requests for access from its 60,000 employees by assessing the user’s individual and group permissions, the level of trust extended to the employee based on their role and the state of the device from which the request was generated.

“Forced resets coupled with prior requirements to force customers to generate passwords based on a random assortment of specific characters, have actually degraded password security for consumers, not made it better,” said Robert Capps, the Vice President of the firm NuData.

Site owners should evaluate a multi-layer authentication framework that can leverage the user’s natural behaviors combined with behavior analytics and passive biometrics, he said.