NIST's updated password guidelines

NIST has updated its password guidelines and now favors long passphrases over short alphanumeric strings padded with special characters. As the Wall Street Journal reported, a four-word phrase can be harder to crack than a single word with special characters substituted for some of its letters: the phrase "correct horse battery staple" would take about 550 years to guess, while the password "Tr0ub4dor&3" would fall in about three days. Those figures are the ones from the well-known xkcd comparison, which assumes roughly 1,000 guesses per second, the rate of an unthrottled online login; against a leaked password hash cracked offline, both times shrink by many orders of magnitude.
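To make the comparison concrete, the following added example (not code from the Journal, NIST or the original page) reproduces the two figures from the usual "bits of entropy divided by guessing rate" model and then reruns them at other guessing rates, including the rate-limited online login that 800-63B requires and offline cracking of a leaked hash. The 2,048-word list and the 28-bit estimate for "Tr0ub4dor&3" are the xkcd model's assumptions, and all four guessing rates are assumptions of the example, not numbers from the page.

```python
"""Guess-time estimates behind the 'correct horse battery staple' comparison.
Added example: the 2048-word list and the 28-bit figure for Tr0ub4dor&3 are
the assumptions of the xkcd 936 model; the guessing rates are assumed too."""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed guessing rates (not from the page), from most to least constrained.
GUESS_RATES = {
    # 800-63B caps failed attempts at 100; assume the lock releases daily.
    "online, rate-limited (100 guesses/day)": 100 / SECONDS_PER_DAY,
    "online, unthrottled (1,000/s, the xkcd figure)": 1_000.0,
    "offline, leaked hash with slow KDF (10 thousand/s)": 1e4,
    "offline, leaked fast hash on GPU (10 billion/s)": 1e10,
}


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly at random
    from a list of `wordlist_size` words (Diceware-style)."""
    return word_count * math.log2(wordlist_size)


def exhaustive_search_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every value in a keyspace of 2**entropy_bits at a fixed rate.
    The expected time to hit the right value is half of this."""
    return 2.0 ** entropy_bits / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 1:
        return f"{seconds * 1000:.0f} ms"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_time_table(entropy_bits: float) -> dict[str, float]:
    """Exhaustive-search time in seconds for each assumed guessing rate."""
    return {name: exhaustive_search_seconds(entropy_bits, rate)
            for name, rate in GUESS_RATES.items()}


# Entropy estimates for the two passwords compared in the text.
CANDIDATES = {
    "correct horse battery staple": passphrase_entropy_bits(4, 2048),  # 44 bits
    "Tr0ub4dor&3": 28.0,  # xkcd estimate: uncommon base word plus common tweaks
}

if __name__ == "__main__":
    for password, bits in CANDIDATES.items():
        print(f"{password!r}: about {bits:.0f} bits")
        for name, seconds in crack_time_table(bits).items():
            print(f"  {name:<52} {humanize(seconds)}")
```

At 1,000 guesses per second the model gives the page's 557 years and 3.1 days. The other rows are the practitioner's caveat: with the verifier rate-limiting failed logins, even the weak password holds out for millennia, while a leaked fast hash lets a GPU exhaust the passphrase's keyspace in under half an hour, which is why 800-63B pairs its password advice with rate limiting and a slow, salted key-derivation function.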

The June 2017 NIST Special Publication 800-63-3, "Digital Identity Guidelines", makes clear that the problem is not truly random alphanumeric sequences but the short, predictable passcodes that users choose: ". . . users attempting to choose memorable passwords will often select from a very small subset of the possible passwords of a given length, and many will choose very similar values. As such, whereas cryptographic keys are typically long enough to make network-based guessing attacks untenable, user-chosen passwords may be vulnerable, especially if no defenses are in place." The defenses it has in mind belong to the verifier, not the user: 800-63B requires that failed login attempts be rate-limited and that passwords be stored as salted hashes produced by a deliberately slow key-derivation function, so that neither online guessing nor an offline attack on a stolen database is cheap.

The guidelines define multi-factor authentication as the use of at least two of the three factor types:

1. Something you know (e.g., a password).

2. Something you have (e.g., an ID badge or a cryptographic key).

3. Something you are (e.g., biometric data).

Additional requirements for passwords (NIST calls them "memorized secrets") are given in NIST Special Publication 800-63B. It sets a minimum length of eight characters for user-chosen passwords, says verifiers should accept at least 64 characters including spaces, and requires that whenever a user sets or changes a password the verifier compare it against a blocklist of values known to be commonly used, expected or compromised, rejecting any match. The list may include:

1. Passwords obtained from previous breaches.

2. Repetitive or sequential characters (e.g., aaa222, 1234abcd).

3. Dictionary words.

4. Context-specific words (e.g., the name of the service, the user name, or a variation on either).

NIST also recommends that the verifier offer guidance such as a password-strength meter, so the user can see how strong a candidate password is before committing to it.

Importantly, NIST does not recommend forcing users to change their passwords on a fixed schedule: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

Users should be allowed to paste passwords (which makes password managers usable), and composition rules, such as requiring a mix of character types or prohibiting consecutively repeated characters, should not be imposed.
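The blocklist categories, the minimum length and the no-composition-rules guidance above, put together as a verifier-side acceptance check. This is an added example, not code from NIST or from the original page; the breach list, the dictionary, the service name "examplebank" and the 50% run-coverage cut-off are constructed assumptions (a deployed verifier would query a real breach corpus, for instance by hashed prefix, and a full wordlist).

```python
"""Verifier-side acceptance check for a user-chosen password, modelled on the
SP 800-63B section 5.1.1.2 blocklist.  Added example with constructed data."""
import string

# Constructed stand-ins for a breach corpus and a dictionary.  A deployed
# verifier would query a real breach database (e.g. by hashed prefix, so the
# password never leaves the verifier) and a full wordlist.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou",
                      "p@ssw0rd"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football",
                    "summer", "troubador"}
SERVICE_NAME = "examplebank"   # assumed deployment name, not from the page
MIN_LENGTH = 8                 # 800-63B: at least 8 characters if user-chosen
RUN_COVERAGE_LIMIT = 0.5       # assumed cut-off; 800-63B leaves the rule to the verifier

# Substitutions attackers undo first; mapping them back lets the dictionary
# check catch "derivatives" such as P@ssw0rd or Tr0ub4dor.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase, drop leading/trailing digits, punctuation and spaces, undo leet."""
    core = password.lower().strip(string.digits + string.punctuation + " ")
    return core.translate(_LEET)


def run_coverage(password: str, min_run: int = 3) -> float:
    """Fraction of characters inside runs of at least `min_run` identical
    characters ('aaa') or characters stepping by +1/-1 ('abc', '4321').
    Keyboard walks such as 'qwerty' are not detected here; they are left to
    the breach corpus."""
    if not password:
        return 0.0
    codes = [ord(c) for c in password]
    covered = [False] * len(codes)
    for step in (0, 1, -1):
        start = 0
        for i in range(1, len(codes) + 1):
            if i == len(codes) or codes[i] - codes[i - 1] != step:
                if i - start >= min_run:
                    covered[start:i] = [True] * (i - start)
                start = i
    return sum(covered) / len(codes)


def reject_reasons(password: str, username: str = "") -> list[str]:
    """Return the blocklist categories the password matches; empty means accept."""
    reasons = []
    lowered = password.lower()
    normalized = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if {password, lowered, normalized} & BREACHED_PASSWORDS:
        reasons.append("breached")
    if normalized in DICTIONARY_WORDS:
        reasons.append("dictionary")
    if run_coverage(password) >= RUN_COVERAGE_LIMIT:
        reasons.append("repetitive_or_sequential")
    for context in (username.lower(), SERVICE_NAME):
        if context and (context in lowered or context in normalized):
            reasons.append("context_specific")
            break
    # Deliberately absent: character-class requirements and a ban on short
    # repeats such as the "tt" in "battery".  800-63B says verifiers SHOULD
    # NOT impose those composition rules, and a passphrase made of several
    # dictionary words is accepted because its strength comes from the count.
    return reasons


def is_acceptable(password: str, username: str = "") -> bool:
    return not reject_reasons(password, username)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3", "P@ssw0rd",
                      "aaaa2222", "1234abcd", "jsmith2017!"):
        verdict = reject_reasons(candidate, username="jsmith") or "accepted"
        print(f"{candidate!r}: {verdict}")
```

Note what the check does and does not do: "correct horse battery staple" passes even though it contains a doubled letter and is built from common words, "Tr0ub4dor&3" is caught once its substitutions are undone, and nothing here demands an uppercase letter or a symbol. Rate limiting and the salted, slow hash live in the login path and the credential store, not in this acceptance check.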

As you can see, the authoritative guidance differs from what many systems still enforce: mandatory special characters, periodic rotation and blocked paste fields are all discouraged, while breach-list checks, a strength meter and passphrase-friendly length limits are required or recommended.

