NIST Update: Passphrases In, Complex Passwords Out

In June, the National Institute of Science and Technology (NIST) released new standards for password security in the final version of Special Publication 600-83. Specifically, NIST refers to new password security guidelines in the document SP 800-63B: Authentication & Lifecycle Management (PDF). Federal agencies and contractors use NIST’s standards as guidelines on how to secure digital identities.

The Old Normal

Back in 2003, over a decade ago, a NIST manager named Bill Burr wrote up a document that advised users on password complexity - including the use of special characters, numerals and capitalization. This guide was used by federal agencies, universities and large companies as the standard for password security best practices.

But in a recent interview with The Wall Street Journal, Bill, now retired, revealed that he regrets much of what he did. His guidelines included changing passwords every 90 days, which often resulted in users making minimal edits to old passwords, leaving them easy to guess.

These seemingly complex passwords are also easy for hackers and algorithms to crack, and are no longer considered best practice - due, in part, to negative impacts on usability.

Trending Toward Usability, Passphrases

New NIST guidelines recommend using long passphrases instead of seemingly complex passwords. A passphrase is a “memorized secret” consisting of a sequence of words or other text that a user enters to authenticate their identity. It’s longer than a password for added security.

NIST is also concerned with lightening the “memory burden” on users, and recommends encouraging users to create unique passphrases they can remember, using whatever characters they want. To help improve user experience and ease the memory burden, NIST also recommends supporting the copy and paste functionality in password fields.

Other don’ts: don’t require users to create a mixture of different character types for their passwords, and don’t arbitrarily require users to change their passwords unless there’s been a password breach.

Additionally, NIST requires allowing up to 64 characters in password form fields, and a minimum of eight characters. NIST also advises against storing “hints” or “subscribers” (i.e., what’s the name of your pet?), which can be accessed by unauthorized users.

NIST provides further guidance on securely storing passwords, requiring them to be salted and hashed using a one-way key derivation function. The salt should be at least 32 bits and chosen arbitrarily. Plus, NIST recommends using an additional hash with a salt stored separately from the hashed password to prevent brute-force attacks.
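The storage scheme described above, sketched as an added example (not code from NIST or from this article): a per-password random salt fed into a one-way key derivation function, followed by an additional keyed hash. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt, the function names and the use of a separately stored secret key (a "pepper") for the second hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16               # 128 bits, well above the 32-bit minimum cited above
DEFAULT_ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # Step 1: salted, one-way key derivation function (PBKDF2-HMAC-SHA256).
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Step 2: additional keyed hash. The key ("pepper") is stored apart from the
    # password database, so a stolen table alone cannot be brute-forced offline.
    return hmac.new(pepper, stretched, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build the record that goes into the credential database."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = _derive(password, salt, iterations, pepper)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]), record["iterations"], pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    # Constructed sample values. In production the pepper would be loaded from
    # a separate secret store, never from the same database as the records.
    pepper = secrets.token_bytes(32)
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print(verify_password("correct horse battery staple", record, pepper))
    print(verify_password("Tr0ub4dor&3", record, pepper))
```

Storing the iteration count in each record lets the work factor be raised later without invalidating existing hashes.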

Stronger Authentication With Two Factor (2FA)

Relying solely on the security strength of passwords and passphrases isn’t enough to protect against brute-force, phishing and other attempts to bypass authentication.

A second factor of authentication can help secure access to your users’ accounts. Use the most secure methods, such as Duo Push (sending push notifications to a second device, like a smartphone, for users to approve) or U2F (Universal 2nd Factor, a USB device plugged into a laptop that users can tap to approve).

Learn more about two-factor authentication in the Two-Factor Authentication Evaluation Guide and the characteristics of a modern 2FA solution.

Thu Pham

Information Security Journalist


Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.