As we close out 2021, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the fifth in our series of the Best of 2021.
In 2017, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B Digital Identity Guidelines to help organizations properly comprehend and address risk as it relates to password management on the part of end users. Nearly every year since, NIST has undertaken to update or underscore these guidelines as security experts continue to glean more insights into the true effectiveness of passwords resulting from the analysis of breach corpuses and applying insights into how humans tend to approach the formation of secrets.
Resistance to Still Relevant Requirements
As human beings, habits, perceptions, and established ways of thinking tend to be very difficult to break. One advantage of the information age is that access to exponentially growing datasets around passwords has provided true and verifiably reliable insights into what constitutes effective password management.
Initial guidelines released by NIST around password management surprised many organizations. In response, many organizations, in some disbelief, have remained resistant to actually accepting and adopting these changes. It cannot be over emphasized, again based on analysis of raw data and expert analysis, that insisting on past approaches and methodologies around password management actually exposes organizations to increased risk of compromise and infiltration.
If your organization remains resistant, this article is intended to help organizational leaders rethink and adopt all NIST password guidelines by:
- Submitting a Top 3 NIST Password Recommendations for 2021
- Offering best practices around minimum password length and password policies
- Recommending strategies for automation of NIST Password Requirements for 2021
2021 Updates and Changes To Password Guidelines
For 2021, NIST hasn’t officially released updates to their password guidelines as they have in past years. That’s why it’s important to put recommendations and best practices together which organizations and security leaders can use for guidance for 2021.
2021 NIST Password Recommendations
The following are Top 3 NIST Password Recommendations for 2021:
NIST 2021 Recommendation 1: Remove Periodic Password Change Requirements
One of the past approaches that has been the hardest for organizations to lay aside has been past policies around password expiration intended to drive frequent password changes. The thinking has been that frequent changes reduced risk of compromise based on sheer probability of compromise over time.
But analysis of typical end user behaviors has led to a much different conclusion. One of the primary conclusions being that forced password changes merely results in forcing past bad behaviors around password management to occur more often without really addressing risk in any significant way. Individuals simply construct another bad, easily guessed password that is easily cracked or create their own transformations which are easily reconstructed by criminals. For example, adding a digit to the end of the password and merely iterating that digit each time a password expiration takes place.
Forcing frequency also generates more data around how human derived passwords are created, feeding better predictability. Criminals now have the ability to leverage predictive analytics and artificial intelligence in such a way that aggregated password intelligence over a confirmed identity profile can lead to greater accuracy in predicting likely new passwords especially in cases where incentive exists to target an individual (such as a C-level executive, a government official, or a celebrity, etc.)
The bottom line is that the authors of NIST have rightly ascertained that frequent password changes have little actual effect on lowering the risk profile of neither individuals nor organizations. Organizations should therefore resolve in 2021 to dispense with frequent password changes unless some evidence of compromise exists.
NIST 2021 Recommendation 2: Require Length But Remove Password Complexity
Another approach to password management widely perceived to address risk and force better security around password management has been to increase and force requirements around complexity. Examples being requiring mixed casing and use of symbols and digits.
When considering possible combinations of letters, numbers, and symbols available to compose a secret, this approach seems reasonable. But yet again, analysis of breach corpuses as well as analyzation of human behavior demonstrates that given high complexity requirements, those requirements will simply be addressed in a very predictable way in order to minimally satisfy such requirements. The number of possible character combinations theoretically remain across the length of a secrets formulation, but the probability that forced characters will be randomly distributed throughout the length on a human derived secret remain very low.
Mathematically speaking, the single most effective variable in actually addressing the strength of secrets is length. Complexity over a very short password is insignificant and, amazingly, enforcing complexity over a longer password does almost nothing to improve the strength of the secret where human derived secrets typically follow a predictable pattern.
Instead, complexity simply feeds into user frustration and predictable patterns driven by the complexity requirements imposed tend to easily emerge. In cases where at least one uppercase character is required, in a very high number of cases, that character will be the first character for a human derived password. If symbols or numbers are required, those will tend to be appended to the end of a password merely to satisfy the requirement.
The downstream effect of the “forced complexity” misconception and approach often results in:
- More forgotten passwords, since character complexity is difficult to remember
- Predictable patterns of formulation to minimally meet requirements
- “Complex” passwords saved in an insecure manner, to compensate for memory
- Tendency to use the same “complex” password across multiple accounts
- An increase in costs borne by the organization to support more frequent password resets due to forgotten passwords
All of these pitfalls are driven almost solely by complexity requirements that, in the end, are difficult to remember and end up not really enhancing the strength of secrets formulation at all. According to NIST, and rightly so, the single most important factor in ensuring strong secrets formulation is length and requiring nothing else.
NIST 2021 Recommendation 3: Implement Screening of New Passwords
Finally, one of the best guidelines set forth by NIST and unfortunately one of the most ignored is screening around password resets against commonly used, expected or compromised passwords:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
NIST Special Publication 800-63B, Section 5.1.12, Memorized Secret Verifiers
While NIST only recommends leveraging commonly used, expected, or compromised credentials as possible standalone options, our recommendation for this category includes using all of these options in tandem to produce the most robust and comprehensive approach in mitigation of risks associated with password management.
In fact, eliminating the use of dictionary words, repetitive/sequential characters and context-specific words have been a part of most password policies for decades and for good reason. These are sound practices that should remain in place.
What many organizations have failed to implement, and which now constitutes quite possibly the most important choices in terms of password change intelligence augmentation is comparing password resets to known compromised credentials, which still are known to be highly effective in gaining access to corporate assets.
In addition to the screening of new passwords, and in light of the guideline to remove periodic password change requirements (e.g., passwords no longer expiring), organizations also would be strongly encouraged to passively scan existing repositories of passwords for weak, commonly used, and compromised passwords as well, until such time as an in-place new password screening policy would have affected every password in the organization.
NIST 2021 Best Practices
In addition to the password recommendations given above, here are some best practices around passwords end users and organizations should consider for 2021:
Minimum Password Length
Best practice around password lengths is actually rather difficult to offer in terms of providing a single static number. This is attributable to sometimes greatly varying capabilities around platforms, especially of a legacy nature.
For starters, according to NIST Special Publication 800-63B, Section 188.8.131.52, Memorized Secret Verifiers, a base minimum password length is given as 8 characters. Most systems will accept 8 characters as a minimum password length, including most legacy mainframe solutions (which in some cases may also equate to the maximum characters allowed as well).
The next scenario to address for best practices around password lengths has to do with derivation. If the password for some reason needs to be human derived, then at some point longer lengths defeat the purpose, as the longer the length, the greater the likelihood that the password will be forgotten. For human derived passwords – which overall, is do not recommended here as best practice (see Use A Password Manager below) – lengths between 15 and 20 should be used, if possible. Some consideration can be made for the value of the data that sits behind the protection – such as access to a Web-based card making application where no Personal Information (PI) is being stored (either in the user profile or in the cards/data created), allowing for a password of less than 15 characters.
But for the most part, where possible, as a general best practice, when considering password lengths, end users should strive to:
- Create passwords no less than 8 characters on platforms that have restrictions around lengths, especially maximum lengths, such as legacy platforms.
- Create passwords between 15 to 20 characters utilizing self-imposed password complexity when passwords are human derived.
- Create passwords of no less than 20 characters when a password manager is being leveraged.
In the end, it’s our strong belief due to many known human limitations, that any advice provided around “How to create a secure (human derived) password” is hopelessly inadequate and bad guidance, however well-meaning or carefully thought out and constructed. Historically speaking, mountains of evidence, expert analysis, and datasets derived from breach corpuses demonstrate that for all the so-called “expert advice” given over the years around this, humans simply aren’t good at deriving passwords and never will be. So why do “experts” still insist on providing this kind of guidance in the face of such consistent, obvious failure in outcome?
Read on to Use A Password Manager for more information as to why human derived passwords should completely be eliminated to the extent possible and password managers used as a best practice.
Password Policies & Password Policy Management
Organizational password policies are where the rubber meets the road, so to speak, around NIST guidelines. What are the best practices around password policies in light of the NIST guidelines and the recommendations for 2021 mentioned here?
- Generally speaking, accept the default policy for your platform. Again, as mentioned, most of the policies for most platforms have been finely tuned over a number of years and contain good, safe, protective settings. Default Windows password policies, in particular, can and should be safely accepted.
- Relax settings around complexity. As recommended above, once the default password policy has been accepted, retrofit as necessary the recommendations around complexity. That is, remove complexity requirements in the policy.
- Remove password expirations. Again, as recommended above, remove password expirations. If password expirations cannot be removed, then set expirations out as far as possible to at least one year.
- Review password length. Review the password length and make sure reasonable lengths are being required as per the best practices set forth above.
Finally, where possible, with so many varied systems to manage, it can greatly enhance the manageability, scale, accuracy, and agility of an organization to manage all the password policies for all platforms in the organization from a central IAM/IGA platform dedicated to mass password policy management across heterogeneous platforms.
Use A Password Manager
Perhaps no guidance around passwords can top recommended best practices that end users adopt and leverage a good password/secrets manager in lieu of deriving passwords themselves. Guidance and advice abound on “How to create a secure password” that is human derived. And yet, for all the advice and clever guidance, humans fail miserably at creating good, lengthy, complex, secure passwords.
The need to create good, lengthy, complex, secure passwords literally screams “a machine should do this” and indeed, this is realistically the only reasonable approach.
For the best practice of using a password manager, it’s highly recommended to:
- Leverage a leading password manager to generate and securely store, good, lengthy, complex, secure passwords. That is, the password manager itself must provide good security.
- Set the policy in your password manager to generate complex passwords using letters of varying case, numbers, and symbols where allowed.
- Set the policy in your password manager to generate passwords of length 20 or greater.
- Passwords of length greater than 64 characters are generally not required nor recommended as extremely large passwords can impact the time it takes to properly hash these passwords.
Automating NIST Password Requirements
For automation of NIST Password Requirements the following approaches are recommended:
- For password policies, follow the recommended best practices in this guide for setting password policies. Password policy engines, both default, and custom, will take care of automation around the creation of proper passwords with refreshed policies around NIST guidance in place.
- Adopt and install a secured, centralized, cloud accessible IAM/IGA password policy and password reset engine that is capable of managing and resetting passwords in a massive heterogeneous, mixed on-premise, and cloud or multi-cloud environment.
- Leverage and integrate with a commercial compromised credentials solutions provider to safely and securely:
- Actively detect and reject compromised credentials at the time of new password creation.
- Passively scan all password repositories for compromised credentials and implement corrective action (typically forced password resets) until all compromised credentials have been eliminated via intelligent new password creates as per (a) above.
Tying It All Together
The initial release of NIST Special Publication 800-63B, Digital Identity Guidelines in 2017 surprised many organizations. Organizations have remained reluctant to implement these changes as the recommended guidelines were a surprising reversal of long-standing, universally accepted approaches to password management.
For 2021, in lieu of the fact NIST has not yet released any updates to these recommendations, this article presents a Top 3 NIST Password Recommendations, Best Practices, and succinct guide to Automating NIST Password Requirements to help guide organizations and incentivize senior cybersecurity leaders to implement, refresh, or update their approaches to password creation, password management, and password security to better secure their organizational environments.
About The Authors
Stan Bounev is the founder and CEO of VeriClouds. He is on a mission for solving identity fraud. Stan has over 20 years of product management experience in technology and financial services organizations solving a multitude of problems in identity and cybersecurity.
VeriClouds is a cybersecurity and data company that provides user context services to secure systems’ access and minimize account takeover attacks.
Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethic Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a wide range of cybersecurity topics.
- NIST Special Publication 800-63: Digital Identity Guidelines, Frequently Asked Questions
- How Long Should My Passwords Be?
- Why Leverage A Commercial Compromised Credentials Solution?
The post NIST Password Guidelines 2021: Challenging Traditional Password Management appeared first on VeriClouds.
*** This is a Security Bloggers Network syndicated blog from Blog – VeriClouds authored by Stan. Read the original post at: https://www.vericlouds.com/nist-password-guidelines-2021-challenging-traditional-password-management/
NIST 800-53 (Moderate Baseline)
A minimum of eight characters and a maximum length of at least 64 characters. The ability to use all special characters but no special requirements to use them. Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).
Not surprisingly, NIST no longer recommends scheduled password changes. Instead, the NIST password guidelines essentially state that organizations should screen passwords against a list of passwords that are known to be compromised. If a password has not been compromised, then there is no reason to change it.What is one change made to the NIST SP 800 63B requirements for passwords? ›
Increase the length of passwords
NIST requires that all user-created passwords be at least 8 characters in length and all machine-generated passwords are at least 6 characters in length.
The five domains in the NIST framework are the pillars support the creation of a holistic and successful cybersecurity plan. They include identify, protect, detect, respond, and recover.What are four 4 best practices for passwords? ›
- Never reveal your passwords to others. ...
- Use different passwords for different accounts. ...
- Use multi-factor authentication (MFA). ...
- Length trumps complexity. ...
- Make passwords that are hard to guess but easy to remember.
- Complexity still counts. ...
- Use a password manager.
SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls which can be used along with the risk management framework outlined in 800-37.What are the 5 password requirements? ›
- At least 12 characters (required for your Muhlenberg password)—the more characters, the better.
- A mixture of both uppercase and lowercase letters.
- A mixture of letters and numbers.
- Inclusion of at least one special character, e.g., ! @ # ? ]
Ideally, a good NIST 800-171 score is one that is as close to 110 as possible. Ultimately, you can think of your NIST score as a reflection of your compliance with NIST 800-171 and your current security posture.How often should passwords be changed NIST? ›
NIST suggests locking a user out of password-protected programs if they use an incorrect password multiple times; per Section 5.22 of Special Publication NIST 800-63b, which provides guidelines for “rate-limiting” on authentication attempts, the verifier (that's you) should allow no more than 100 attempts to input a ...Which of the following is NOT on the should do list from NIST password guidelines? ›
What you should not do: Enable password complexity requirements, i.e, requiring a password to have a certain number of uppercase character, lowercase character, special character, and digits. Enable password expiration. Use security questions that involve personal information of the user.
The NIST recommends resetting passwords only when necessary. Generally, organizations have a password expiration policy that allows passwords to be 60 to 90 days old at max. The NIST doesn't recommend password expiration due to the above mentioned reason.What are the three types of security controls NIST? ›
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system and its information.What is the NIST SP 800-53 Revision 5? ›
What is the NIST SP 800-53 Rev. 5 about? SP 800-53 Rev. 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.What are the NIST 800-53 Revision 4 security control attributes? ›
SP 800-53 Revision 4 has been updated to reflect the evolving technology and threat space. Example areas include issues particular to mobile and cloud computing; insider threats; applications security; supply chain risks; advanced persistent threat; and trustworthiness, assurance, and resilience of information systems.What are the 4 NIST implementation tiers? ›
- Tier 1: Partial.
- Tier 2: Risk Informed.
- Tier 3: Repeatable.
- Tier 4: Adaptive.
The NIST management framework is a culmination of multiple special publications (SP) produced by the National Institute for Standards and Technology (NIST) - as we'll see below, the NIST RMF 6 Step Process; Step 1: Categorize/ Identify, Step 2: Select, Step 3: Implement, Step 4: Assess, Step 5: Authorize and Step 6: ...What are the NIST steps? ›
It is broken down into five steps: Identify, Protect, Detect, Respond, and Monitor. It also has some basic practices you and your employees can take immediately to protect your data and information.What is the 8 4 rule for passwords? ›
This is often called the “8 4 Rule” (Eight Four Rule): 8 = 8 characters minimum length. 4 = 1 lower case + 1 upper case + 1 number + 1 special character.What are your 7 best tips for creating a strong password? ›
- Create Strong Passwords. ...
- Avoid Passwords Containing Info Easily Found Online. ...
- Use a Unique Password for Every Website or App. ...
- Avoid Linked Accounts. ...
- Use Multi-Factor Authentication. ...
- Beware Where You Enter Your Password. ...
- Take Note When a Data Breach Occurs.
And once you finally select a password, its strength needs to observe these parameters: Length of the password – preferably over 12 characters. Complexity of the password – must contain letters (upper and lower case), numbers, and symbols and have a minimum number of each. Contain no repetitive characters.
The ISO 27001 offers a good certification choice for organizations that have operational maturity while the NIST CSF may be best suited for organizations that are in the initial stages of developing a cybersecurity risk program or attempting to mitigate breaches.Is NIST better than ISO 27001? ›
This leads to a key difference in the level of risk maturity each framework seeks to address. NIST is considered best for organizations that are in the early stages of developing a risk management plan. ISO 27001, comparatively, is better for operationally mature organizations.What is NIST 800-39 used for? ›
The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the ...What were 3 of the 5 most popular passwords? ›
- 10 tips for stronger passwords. ...
- Never use the same password for multiple accounts. ...
- Don't use personally identifiable terms. ...
- Avoid using common words or phrases. ...
- Use different types of characters. ...
- Make it long. ...
- Consider spelling things wrong. ...
- Utilize multi-factor authentication.
The main difference between the two is that NIST 800-171 relates to non-federal systems and organizations, while NIST 800-53 is for federal organizations.How do I become NIST 800-171 compliant? ›
- Locate and Identify CUI. ...
- Categorize CUI. ...
- Implement Required Controls. ...
- Train Your Employees. ...
- Monitor Your Data. ...
- Assess Your Systems and Processes.
Make your password long. 12-14 characters are recommended. Use a mix of characters like capitalization, symbols and numbers. Use a different password for every account.What is the best practice for password policy? ›
Best practices for password policy
Configure a minimum password length. Enforce password history policy with at least 10 previous passwords remembered. Set a minimum password age of 3 days. Enable the setting that requires passwords to meet complexity requirements.
- Security. Start with Security. ...
- Identify. ...
- Protect. ...
- Detect. ...
- Respond. ...
- Step1: Prioritize and Scope. ...
- Step 2: Orient. ...
- Step 3: Create a Current Profile. ...
- Step 4: Conduct a Risk Assessment. ...
- Step 5: Create a Target Profile. ...
- Step 6: Determine, Analyze and Prioritize Gaps. ...
- Step 7: Implement Action Plan.
An Introduction to the Components of the Framework
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
DON'T do the following:
DON'T make obvious choices like your nickname, birthdate, spouse name, pet name, make/model of car, or favorite expression. DON'T share your password with anyone. DON'T use blank spaces in your password.
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary.How many days can a password be used before it must be changed? ›
Most tech professionals recommend your password changes every thirty, sixty, or ninety days; depending on what the password is used for, how often the account is accessed, and how strong the password is to begin with.What are the 4 P's in security? ›
In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, polices, and technologies.What is NIST Checklist? ›
The National Checklist Program (NCP), defined by the NIST SP 800-70, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.What is the most current version of NIST 800-53? ›
January 25, 2022. NIST has released Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations.What is a good NIST score? ›
You score a NIST 800-171 Basic Assessment on a 110-point scale. Each of the 110 security practices in NIST 800-171 is assigned a “weighted subtractor” value. If you implement a practice, you get a certain amount of points, with a 110 as a perfect score.What is the purpose of NIST 800 37? ›
The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security ...
The difference between the two versions is considerable. Rev 5 adds more than 45 new base controls, 150 new control extensions and about 100 new parameters to existing controls. This does not include newly withdrawn controls that have been consolidated or re-arranged, of which there are about 75.What is the NIST SP 800-171 and who needs to follow it? ›
The NIST SP 800-171 framework establishes specific areas of cybersecurity controls that contractors and partners need to implement to a minimum standard. If you, your company, or any other company you do business with has a federal contract then you're required to be NIST SP 800-171 compliant.What is the best recommendation for password storage? ›
- Best Overall: LastPass.
- Best for Extra Security Features: Dashlane.
- Best Multi-Device Platform: LogMeOnce.
- Best Free Option: Bitwarden.
- Best for New Users: RememBear.
- Best for Families: 1Password.
- Best Enterprise-Level Manager: Keeper.
- Never use personal information such as your name, birthday, user name, or email address. ...
- Use a longer password. ...
- Don't use the same password for each account. ...
- Try to include numbers, symbols, and both uppercase and lowercase letters.
A minimum length of 8 to 12 characters long, with long passphrases being even better. Password complexity that means it contains at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols) Password rotation – Passwords must be changed every 90 days or less.What are the recommendations for creating a password policy? ›
- Configure a minimum password length.
- Enforce password history policy with at least 10 previous passwords remembered.
- Set a minimum password age of 3 days.
- Enable the setting that requires passwords to meet complexity requirements. ...
- Reset local admin passwords every 180 days.
A strong password is: At least 12 characters long but 14 or more is better. A combination of uppercase letters, lowercase letters, numbers, and symbols. Not a word that can be found in a dictionary or the name of a person, character, product, or organization.Which is strong password storage strategy? ›
Strong passwords are usually more than eight (maybe even 12) characters, contain upper and lowercase characters, and use different numbers and symbols. If you think you'll have trouble remembering your password, there are a couple of mental models that can help, like using the first characters of a memorable phrase.What is the safest password length? ›
When a password is properly generated, 11–15 characters will provide more than enough protection for the everyday user. However, we know that most people feel more comfortable and secure with a longer version.What is the 4 general rules to creating a strong password? ›
- At least 12 characters (required for your Muhlenberg password)—the more characters, the better.
- A mixture of both uppercase and lowercase letters.
- A mixture of letters and numbers.
- Inclusion of at least one special character, e.g., ! @ # ? ]
Considerations on password length and complexity are key in the quest for the ideal password. Complexity is often seen as an important aspect of a secure password. A random combination of alphanumerical characters and symbols intuitively seems as the best defense against cracking.What are the top 3 most common passwords? ›
- Create long, complex, and unique passwords. ...
- Sentences or phrases are better than single words. ...
- Don't include personal information in your passwords. ...
- Use two-factor authentication to render stolen passwords useless. ...
- Encrypt stored passwords.
- Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
- Contain at least 15 characters.
- Be unique from other accounts owned by the user.
- Never include dictionary words.
- Never include patterns of characters.
Password policies fail to solve the wider problems of user authentication. Even in the unlikely event that a policy is strong, up-to-date, and adhered to by all members of staff, password policies ultimately fail to solve the inherent weaknesses of credentials as an authentication mechanism.