NIST Updated Standards for a Secure Password


Your internet account passwords are probably among the most guarded pieces of information you retain in your brain. With everything that has recently migrated to the digital realm, a secure password functions as the deadbolt to your private data. Hackers understand how valuable this personal data is, and so Account Takeover Attacks—where malicious actors gain unauthorized access to your accounts—remain the most common cyber-attack vector.

Internet users’ passwords are frequently exposed in bulk via password combo lists, which are sets of credentials harvested from data breaches, and this has taught us the importance of using a unique password for every service we sign up for. This prevents a hacker from using your email address and one of your known (exposed) passwords—say, for website A—and checking to see if it successfully logs in to website B, C, D, etc., until they find that it works on website E.

With that said, even if all of your passwords are unique, if they are not complex enough or of adequate length, hackers can often succeed in guessing your current passwords by using permutations of your previously exposed passwords, known information about you, or even checking against a list of commonly used passwords.

How Do We Know What Constitutes A Secure Password?

The National Institute of Standards and Technology (NIST) is an organization that helps us with this. NIST researchers create drafts for things like password requirements, publish them for a community of experts to submit their comments, and then compile the final published standard. Therefore, whenever you’re asked to create or reset a password and are given a set of requirements the password must meet, these are most likely based on standards set forth by NIST. It’s important for any organization that manages users’ passwords to stay up to date with NIST requirements for passwords.

One example of an existing NIST password standard is checking prospective passwords against those exposed in previous data breaches. For several years now, NIST publication 800-63B has included the need to check against passwords exposed in previous data breaches. “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to, passwords obtained from previous breach corpuses.” This helps ensure that users are not making their accounts more vulnerable by using a known-exposed password.

NIST recently published a new draft standard for passwords, adding new recommendations to make passwords even stronger; below are the suggested changes and why they’re important:

  1. Require passwords to be a minimum of 8 characters, with a recommended minimum length of 15 characters.
    1. Why this is important: The longer your password is, the harder it is to guess your password. Even when trying to guess your password via brute force, long passwords require significant computing time, even for advanced computers, to guess correctly.
  2. Allow passwords to be up to 64 characters long.
    1. Why this is important: Again, longer passwords are more secure. Allowing users up to 64 characters lets them create even stronger passwords.
  3. Accept all printing ASCII [RFC20] characters and the space character in passwords.
    1. ASCII characters are the basic Latin letters, digits, punctuation, and symbols used in typing—there are 95 printing characters in the ASCII set.
    1. Why this is important: Allowing all printing ASCII characters is like having more colors to paint with. Consider being asked to create a 4-digit password using only numerals. We know there are only 10,000 possible combinations since there are only 10 numerals, zero through nine, and a series of four of them means we have a possible 10 raised to the 4th power combinations. Now, consider a 4-character password that allowed all 95 ASCII printing characters; that’s 95 raised to the power of 4, or 81,450,625 possible combinations. That creates a much more secure password because it is exponentially more difficult to guess.
  4. Accept Unicode [ISO/IEC 10646] characters in passwords, with each Unicode code point counting as a single character towards password length.
    1. Unicode is an international standard for written characters and emojis, covering 168 modern and historical scripts and symbol sets and encompassing a total of 155,063 characters.
    1. Why this is important: This expands on the benefit of allowing all ASCII characters, but with exponentially larger results. If we repeat our thought experiment of creating a 4-character password, but each character can be one of 155,063 possibilities, we wind up with 578,139,610,000,000,000,000 possible combinations—and that’s with a 4-character password, which is only half the minimum required password length.
  5. Stop requiring arbitrary password complexity, like forcing the use of special characters or a mixture of numbers, letters, and symbols.
    1. Why this is important: It may seem counterintuitive, but research shows that this is a beneficial change. The option to use special characters is excellent for those who want an additional layer of security; however, longer passwords are more effective than short and complex passwords and are typically easier to remember too.
    1. This XKCD comic does a great job of explaining this concept: https://xkcd.com/936/
  6. Stop requiring periodic password resets on specified intervals unless there is evidence of password compromise.
    1. Why this is important: Have you ever logged in to your computer at work, only to be forced to change your password because 90 days had elapsed since you last changed it? This can be extraordinarily frustrating, as you may have a perfectly good password that you can actually remember but are now forced to change. In theory, this may sound like a good idea, but when you add human behavior to the mix, you’re more likely to compel the user to create a weaker password. Consider that you know you’ll be required to change your password every so often—it’s only natural to select a password that fits into a sequence or follows a pattern, because of course that’s easier to remember. But a sequence of passwords that follow a pattern isn’t much more secure than the first password in the sequence.

But should there be an indication of a problem, it’s not a bad idea to compel password changes. For example, if your password is found exposed on the dark web, this is an excellent time to change it. Or if your organization suffers a security incident where it’s believed users’ passwords may have been compromised, this is a great time to change your password. But absent any evidence of such problems, it may be best to let users keep their passwords the same.
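The acceptance rules from items 1 through 5, together with the breach-list check quoted earlier from SP 800-63B, as an added Python example (not code from the article, from NIST, or from Constella): the blocklist, thresholds and sample inputs are constructed, and the NFKC normalization step follows SP 800-63B’s recommendation rather than anything stated in the article.

```python
import unicodedata

# Constructed stand-in for a blocklist built from breach corpuses and common passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "correct horse battery staple"}

MIN_LEN = 8        # SHALL accept nothing shorter
REC_MIN_LEN = 15   # recommended minimum; shorter is accepted with an advisory
MAX_LEN = 64       # verifiers must accept at least this many characters


def code_points(pw: str) -> int:
    """Length for policy purposes: one per Unicode code point, not per byte,
    so a four-byte UTF-8 emoji still counts as a single character."""
    return len(pw)


def check_password(pw: str) -> tuple[bool, list[str]]:
    """Return (accepted, findings). Findings prefixed 'advisory:' do not block.
    Deliberately no composition rules: nothing requires digits or symbols."""
    errors: list[str] = []
    warnings: list[str] = []
    # SP 800-63B recommends NFKC or NFKD so the same secret compares equal
    # however it was typed; NFKC is applied before counting and comparing.
    pw = unicodedata.normalize("NFKC", pw)
    n = code_points(pw)
    if n < MIN_LEN:
        errors.append(f"too short: {n} characters, minimum {MIN_LEN}")
    elif n < REC_MIN_LEN:
        warnings.append(f"advisory: {n} characters, {REC_MIN_LEN} or more recommended")
    if n > MAX_LEN:
        errors.append(f"too long: {n} characters, maximum {MAX_LEN}")
    # Accept every printing ASCII character, the space, and Unicode; reject only
    # control characters (general category Cc), which are not printable.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        errors.append("control characters are not allowed")
    # Compare the whole, case-folded secret against the known-compromised list.
    if pw.casefold() in BLOCKLIST:
        errors.append("matches a known compromised or commonly used password")
    return (not errors, errors + warnings)


if __name__ == "__main__":
    for sample in ("password", "Tr0ub4dor&3", "🔒🔑🐱🐶", "🔒🔑🐱🐶 open sesame!",
                   "correct horse battery staple"):
        ok, notes = check_password(sample)
        print(f"{sample!r:40} {code_points(sample):>2} chars  {'OK' if ok else 'NO'}  {notes}")
```

Note that the four-emoji sample is 16 bytes of UTF-8 but only 4 characters under this policy, so it is rejected as too short, while the 28-character passphrase is rejected only because it appears on the blocklist.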

  7. Stop allowing users to save password hints.
    1. Why this is important: Password hints can be helpful both to the account owner and to a hacker trying to gain access to the account. Getting rid of password hints makes it that much more difficult to get into your account.
  8. Stop requiring users to answer security questions to reset forgotten passwords.
    1. Why this is important: Using security questions (e.g., “What was your favorite teacher’s name?”) to authenticate the user’s identity presents another weak point, as a hacker may be able to guess your answers. In the event of a forgotten password, it’s best to verify the user’s identity through other methods before allowing them to reset their password.
  9. Verify the entire password, not a truncated substring of it.
    1. Why this is important: This guideline is for what NIST calls “verifiers,” the entity that checks you’ve entered the correct password (i.e., the site you’re logging in to). Unfortunately, it is somewhat commonplace to truncate the entered password, usually due to technical limitations. For example, if an app is only designed to store eight-character passwords but allows users to create longer ones, it might consider only the first eight characters when authenticating the user. Clearly, this undermines the minimum password length, and therefore NIST recommends that the entire password be considered.
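The truncation defect from the last item, as an added Python example (not code from the article or from NIST): a legacy verifier that keeps only the first eight characters sits beside one that hashes the entire password, and a small check enrolls a probe and then presents an attempt that differs only after the eighth character to detect which behaviour a verifier has. The function names and the probe passphrase are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed example: a legacy verifier that keeps only the first eight characters,
# the defect described above, beside one that hashes and compares the entire secret.
TRUNCATE_AT = 8
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor per OWASP password storage guidance


def legacy_enroll(pw: str) -> bytes:
    # Defect: everything after the eighth character is discarded at enrollment.
    return hashlib.sha256(pw[:TRUNCATE_AT].encode("utf-8")).digest()


def legacy_verify(record: bytes, attempt: str) -> bool:
    # Any attempt sharing the same eight-character prefix is accepted.
    candidate = hashlib.sha256(attempt[:TRUNCATE_AT].encode("utf-8")).digest()
    return hmac.compare_digest(record, candidate)


def enroll(pw: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 over the full UTF-8 encoding of the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify(record: tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def truncates(enroll_fn, verify_fn, probe: str = "correct horse battery staple") -> bool:
    """Probe a verifier for the truncation defect: enroll a long probe, then present
    an attempt that differs only beyond the eighth character. True means the
    verifier accepted it, i.e. it is not checking the whole password."""
    record = enroll_fn(probe)
    altered = probe[:TRUNCATE_AT] + probe[TRUNCATE_AT:].swapcase()
    assert altered != probe
    return verify_fn(record, altered)


if __name__ == "__main__":
    print("legacy verifier truncates:", truncates(legacy_enroll, legacy_verify))  # True
    print("full verifier truncates:  ", truncates(enroll, verify))                # False
```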

Even with these modernized guidelines for optimal password security, the unfortunate reality remains that passwords are exposed on the dark web by malware known as info stealers, and hackers work to find ways to guess and crack passwords. This is where Constella Intelligence comes in: with the largest data lake of exposed passwords and PII, you can leverage Constella’s data to determine if you or your users have a compromised password or any vulnerabilities hackers can exploit to gain unauthorized access to your accounts. Contact us today for a demo.