Passwords, Passphrases, or “I’ll Pass” on NIST’s Digital Identity Guidelines
Passwords, or memorized secrets, are defined as “something you know," [1] but people often encounter the same aggravating problem when asked to fill in their password: “ugh, I don’t know my password.”
In this blog we shall explore the burden of password management as it relates to users and those seeking to authenticate a user’s digital identity and then we shall go on to take a close look at NIST’s updated Digital Identity Guidelines which proposes, among other suggestions, that passphrases replace passwords.
[1] NIST SP 800-63B, Section 5.1.1. https://doi.org/10.6028/NIST.SP.800-63b
The number of passwords that people need to remember to access their accounts and devices is difficult to pinpoint, but LastPass published findings that people using their password management service manage an average of 191 passwords. In 2017, Pearman et al. used data capture software to examine how people use passwords in their real lives over a 150 day period. They found that people used passwords across an average of 26 domains, with a median domain-to-password ratio of 2.39. This study also showed that people not only reuse exact passwords, they also partially reuse passwords (e.g., Password123, Pass123!) as approximately 40% of the participants reused, or partially reused, 80-90% of their passwords.
Overall, security issues associated with passwords continue to be challenging, as users continue to create and reuse easily exploited, easy to guess passwords to alleviate the burden of memorizing so many different secrets.
In June 2017, NIST’s updated Digital Identity Guidelines (NIST SP 800-60-3) introduced significant changes to past recommendations. The driving force behind these changes was user-focused, as user experience often dictates whether people will follow the rules or whether they will create workarounds that negatively impact security. Consider how often your users may have added an exclamation mark and a number 1 when generating their new password to avoid seeing a warning message advising of inadequate password complexity. The changes also reflect a shift of responsibility away from individual users and onto the companies and systems that verify identities. However, these changes also highlight the need to set realistic expectations for password-only security, such that many accounts, domains, and devices should require two-factor or multi-factor authentication.
NIST’s Digital Identity Guidelines – A Summary of Changes
Table 1 provides a high-level summary of the changes as based on NIST consultant Jim Fenton’s BSidesLV 2016 presentation:
|
Description |
Rationale |
|
Removal of requirements regarding password composition is recommended. This includes composition criteria such as, “must include upper case and lowercase letters, 2 digits, and at least one special character such as $, #, and &.” |
Password composition rules create user experience challenges and do not provide as much value as intended. Users create workarounds (e.g., adding “1!” to the end of simple passwords). |
|
Removal of password hints and knowledge-based authentication (e.g., what was the make of your first vehicle?) is required. |
Knowledge of personal details associated with password hints or prompts may be accessible to someone other than the password owner, which greatly weaken authentication efforts. This speaks to the popularity of social media and the willingness to “over share”. |
|
Removal of routine or time-based password expiration is recommended. |
Password expiration often results in users creating simple passwords, or reuse of passwords, due to time pressures or a priority to just carry on working. Password changes should be prompted by evidence of a compromised account through tools such as User Entity and Behavorial Analytics (UEBA). |
|
Addition of an 8-character minimum requirement for user-generated passwords, and 64 character maximum (no truncation). |
Improves upon previous 6-character minimum, especially for online attacks. Maximum length creates the opportunity for users to create passphrases instead of passwords. Passphrases may be more memorable than passwords that have composition requirements. |
|
Addion of a requirement to compare user passwords to a commonly-used password dictionary to block the use of compromised or weak passwords. |
Use of a dictionary will encourage users to create stronger, and more unique passwords. Creating dictionaries through use of resources like Burnett’s 2015 list of compromised passwords, can be a useful strategy – however, dictionaries that are poorly designed may be too small (ineffective), or too big (create similar issues as extensive composition rules). |
|
Addition of a recommendation to allow all printable and Unicode characters as well as spaces. |
Use of all printable ASCII characters expands the character set and alleviates site-specific issues associated with constraining special characters; Allowing spaces makes passphrases more natural to type. |
|
Addition of a recommendation to to display a password rather than obscure the password with dots or asterisks. Displayed passwords should be hidden after a predetermined time period. |
The ability to see a password while typing it helps accuracy, which improves user experience. This is especially advantageous when considering use of longer passphrases. |
|
No Change to throttling rules, maintain limit of failed authentication attempts to 100 per 30-day period per account. Use of CAPTCHAs, delays, or IP whitelists are approved. |
Placing too much emphasis on throttling based on source IP address is unlikely to improve security, as attackers can typically attempt brute force across a broad IP range. |
As you have read many of the guidelines have the goal of making passphrases easier to support by the companies and systems tasked with verifying identity. This moves the user away from managing complex passwords such as “S4xop!h0ne” and onto passphrases such as “saxophonemarketdinnertree” or indeed a combination of the two.
Top Tips for better digital identity management
- Has your organisation considered NIST’s guidelines? If not, why not raise it up for discussion?
- Continually review evolving best practice guidelines to determine their applicability to you, your data and your users (your employees, your contractors and your customers).
- Adopting NIST’s guidelines should not be seen as a silver bullet. Those interacting with the credentials and authentication systems are humans after all and will likely make mistakes or violate rules using workarounds. Similarly attackers will continue to seek access to memorized secrets whether a password, passphrase or PIN etc.
- Not all passwords/passphrases should be treated equally. Some are more important than others; such as your laptop’s password, your cell phone’s screen lock PIN/pattern/password or the credentials to access your password manager account. Secure your most important data or *access* to that data with the most appropriate level of security.
- Whether you adopt passwords or passphrases it would be wise to consider complimenting your login credentials with at least two-factor authentication to add “something you have” to “something you know”.
Conclusion
The topics covered above have and will continue to spark debate and opinion. Not everyone will agree with all of the recommendations. Not everyone will adjust their processes and technology to accommodate, and your people (your customers and your employees) may struggle to adopt and follow best practice in the short-term and all the time.
Organisations should be aware that users may seek the path of least resistance creating passphrases one character in length greater than the required minimum or reverting to poor practice of storing passphrases in a clear text file to aid recall in lieu of suitable password management technology being made available to help them.
Understanding the behaviour of your users, and what might motivate people to adopt best practices in respect to password/passphrase use and monitoring the behaviour of user credentials once authenticated will go a large way towards balancing the realistic with the ideal when it comes to implementing digital identity guidelines.
We shall explore further in future blogs.
