NIST's updated password guidelines


NIST has updated its password guidelines, indicating a preference for phrases over alphanumeric codes that include special characters. As the Wall Street Journal has reported, a four-word phrase can be harder to crack than a word that substitutes special characters for letters. The phrase "correct horse battery staple" would take 550 years to crack, but the password "Tr0ub4dor&3" would take only three days.

The June 2017 NIST Special Publication 800-63-3, "Digital Identity Guidelines", makes clear that it is not entirely random alphanumeric sequences which are vulnerable, but the predictable, shorter passcodes chosen by users: ". . . users attempting to choose memorable passwords will often select from a very small subset of the possible passwords of a given length, and many will choose very similar values. As such, whereas cryptographic keys are typically long enough to make network-based guessing attacks untenable, user-chosen passwords may be vulnerable, especially if no defenses are in place."

The guidelines specify that multifactor authentication should consist of two of the following three factors:

1. Something you know (e.g., a password)

2. Something you have (e.g., an ID badge or cryptographic key)

3. Something you are (e.g., biometric data)

Additional information on how to set passwords is given in NIST Special Publication 800-63B. It specifies that the following should not be permitted as passwords:

1. Passwords obtained from previous breaches

2. Passwords with repetitive characters (e.g., aaa222)

3. Dictionary words

4. Context-specific words (e.g., a variation on the user name)

NIST also specifically recommends making a password meter available to the user, so she or he can check the strength of a password.

Importantly, NIST does NOT recommend users be forced to change their passwords after a fixed interval. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

Users should be permitted to paste passwords into the password field, and composition rules (e.g., prohibiting consecutive characters) are not favored.
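The screening rules above, as an added example for this post (not NIST's own code): a verifier-side check that rejects breached, repetitive or sequential, dictionary and context-specific passwords while imposing no composition rules. The breach corpus, dictionary and minimum length are constructed stand-ins; the username and service name are assumed inputs.

```python
import re

# Constructed stand-ins for a real breach corpus and dictionary list.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"horse", "battery", "staple", "dragon", "monkey"}
MIN_LENGTH = 8  # assumed minimum length for user-chosen secrets


def has_repetitive_or_sequential(pw, run=3):
    """True if pw contains a run like 'aaa', '111', 'abc' or '321'."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if len(set(chunk)) == 1:          # repeated character
            return True
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}: # ascending/descending sequence
            return True
    return False


def check_password(pw, username="", service_name=""):
    """Return the reasons a password should be rejected (empty list = accept).

    Deliberately no composition rules: symbols, digits and mixed case are
    neither required nor rewarded, so a long phrase passes on length alone.
    """
    reasons = []
    normalized = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if normalized in BREACHED_PASSWORDS:
        reasons.append("found in breach corpus")
    if has_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    # Strip digits/symbols so 'dragon42' is still caught as a dictionary word.
    if re.sub(r"[^a-z]", "", normalized) in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    for ctx in (username, service_name):
        if ctx and ctx.lower() in normalized:
            reasons.append(f"contains context-specific word {ctx!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3",
                      "aaa222", "password", "dragon42", "alice2024!"):
        print(f"{candidate!r}: {check_password(candidate, username='alice') or 'accepted'}")
```

Both passwords from the Wall Street Journal comparison pass this screen; the check only removes the predictable choices the guideline names, and it is the phrase's length, not its character set, that makes it the stronger of the two.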

As you can see, the authoritative guide specifies practices which differ from those implemented in many different systems.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea