Password complexity changes as recommended by NIST
NIST SP 800-63B Special Publication - 2017
- lowercase letters
- uppercase letters
- special characters (@, !, $, etc.)
NIST SP 800-63B-3 Special Publication - 2020
The new NIST guidelines recommend that you include these elements in your new password policy:
- Enable “Show Password While Typing”
- Allow Password “Paste-In”
- Use Breached Password Protection
- Don’t Use “Password Hints”
- Limit Password Attempts
- Use Multi-Factor Authentication (MFA)
- SMS may not meet OOB (out-of-band authenticators) requirements
- Greater Length over Complexity
- No more periodic resets
- Secure Databases
- Hash Users’ Passwords
These core guidelines are worth looking at in more detail.
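Several of the items above (length over complexity, breached password protection, limiting attempts) translate directly into verifier-side checks. The following Python is an added example, not code from the page or from NIST: it accepts or rejects a candidate password using only length and a blocklist (no uppercase/digit/special-character rules), and keeps a per-account failed-attempt counter. The breached-password set and the limit of 10 failures are constructed for the demo; a real deployment would query a breach corpus and tune the lockout policy.

```python
"""NIST SP 800-63B style password acceptance and attempt limiting (added example)."""
import unicodedata

# Constructed sample standing in for a real breached/common password corpus.
BREACHED_PASSWORDS = {"princess", "monkey", "iloveyou", "password", "123456", "qwerty"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128  # SP 800-63B requires accepting at least 64; 128 is this demo's cap


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal.
    No trimming and no case folding: the secret is used exactly as typed."""
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, user_context=()) -> list:
    """Return the reasons the candidate is rejected; an empty list means accepted.

    Deliberately absent: composition rules such as 'must contain a digit'.
    user_context holds words (username, service name) that should not appear
    inside the password.
    """
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("found in breached/common password list")
    for word in user_context:
        if word and word.lower() in pw.lower():
            problems.append(f"contains context word {word!r}")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    return problems


class AttemptLimiter:
    """Per-account failed-attempt counter; SP 800-63B asks verifiers to limit
    consecutive failed guesses. The threshold is an assumed demo value."""

    def __init__(self, max_failures: int = 10):
        self.max_failures = max_failures
        self._failures = {}

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        # A successful login clears the counter for that account.
        self._failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.max_failures


if __name__ == "__main__":
    for pw in ["princess", "Tr0ub4d", "correct horse battery staple", "aaaaaaaa"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note that the blocklist comparison is done on the normalized, lower-cased value, which is what a breach corpus lookup would receive; the length checks use the normalized string so a multi-code-point input is not counted twice.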
- Password reset mechanisms are inherently insecure; everyone knows how easy they are to bypass, even when there is no reason to be suspicious of the user.
- Password reset mechanisms inflict excess load on IT support staff, who must distribute and then destroy these password reset tokens.
- Password reset mechanisms do not help with security at all; they just shift the burden onto users.
- “something you know” (like a password)
- “something you have” (like a phone)
- “something you are” (like a fingerprint)
Passwords should be salted and hashed before they are stored. A hash function is applied to the password and only the resulting digest is kept. A salt makes it more difficult for an attacker who obtains the hashes to recover passwords through a brute-force attack. A salt is a fixed-length string of characters that is usually stored separately from the hashed password. The string is appended to the password before hashing, and the salt is then combined with the resulting hash. Salts are generated from random data, which limits the impact of a large data breach if one occurs.
Bad Passwords a-Dressed
It turns out, after lots of data analysis, that we think we are being clever about how we construct passwords designed to foil hackers, but the data show we are not. In 2003, Mr. Burr didn't have the data to understand this. Today it is obvious to people like Lorrie Faith Cranor, who has spent years studying terrible concoctions and put 500 of the most common passwords on a blue shift dress. The garment was covered with the most common passcodes: "princess," "monkey," "iloveyou" and so on, plus a few that are unprintable here. At the 2015 White House cybersecurity summit at Stanford, the dress prompted careful study from those around her, as well as some embarrassment.