NIST Password Guidelines 2021: Challenging Traditional Password Management
In 2017, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800–63B Digital Identity Guidelines to help organizations properly comprehend and address risk as it relates to password management on the part of end users. Nearly every year since, NIST has undertaken to update or underscore these guidelines as security experts continue to glean more insights into the true effectiveness of passwords resulting from the analysis of breach corpuses and applying insights into how humans tend to approach the formation of secrets.
Resistance to Still Relevant Requirements
As human beings, habits, perceptions, and established ways of thinking tend to be very difficult to break. One advantage of the information age is that access to exponentially growing datasets around passwords has provided true and verifiably reliable insights into what constitutes effective password management.
Initial guidelines released by NIST around password management surprised many organizations. In response, many organizations, in some disbelief, have remained resistant to actually accepting and adopting these changes. It cannot be over emphasized, again based on analysis of raw data and expert analysis, that insisting on past approaches and methodologies around password management actually exposes organizations to increased risk of compromise and infiltration.
If your organization remains resistant, this article is intended to help organizational leaders rethink and adopt all NIST password guidelines by:
- Submitting a Top 3 NIST Password Recommendations for 2021
- Offering best practices around minimum password length and password policies
- Recommending strategies for automation of NIST Password Requirements for 2021
2021 Updates and Changes To Password Guidelines
For 2021, NIST hasn’t officially released updates to their password guidelines as they have in past years. That’s why it’s important to put recommendations and best practices together which organizations and security leaders can use for guidance for 2021.
2021 NIST Password Recommendations
The following are Top 3 NIST Password Recommendations for 2021:
NIST 2021 Recommendation 1: Remove Periodic Password Change Requirements
One of the past approaches that has been the hardest for organizations to lay aside has been past policies around password expiration intended to drive frequent password changes. The thinking has been that frequent changes reduced risk of compromise based on sheer probability of compromise over time.
But analysis of typical end user behaviors has led to a much different conclusion. One of the primary conclusions being that forced password changes merely results in forcing past bad behaviors around password management to occur more often without really addressing risk in any significant way. Individuals simply construct another bad, easily guessed password that is easily cracked or create their own transformations which are easily reconstructed by criminals. For example, adding a digit to the end of the password and merely iterating that digit each time a password expiration takes place.
Forcing frequency also generates more data around how human derived passwords are created, feeding better predictability. Criminals now have the ability to leverage predictive analytics and artificial intelligence in such a way that aggregated password intelligence over a confirmed identity profile can lead to greater accuracy in predicting likely new passwords especially in cases where incentive exists to target an individual (such as a C-level executive, a government official, or a celebrity, etc.)
The bottom line is that the authors of NIST have rightly ascertained that frequent password changes have little actual effect on lowering the risk profile of neither individuals nor organizations. Organizations should therefore resolve in 2021 to dispense with frequent password changes unless some evidence of compromise exists.
NIST 2021 Recommendation 2: Require Length But Remove Password Complexity
Another approach to password management widely perceived to address risk and force better security around password management has been to increase and force requirements around complexity. Examples being requiring mixed casing and use of symbols and digits.
When considering possible combinations of letters, numbers, and symbols available to compose a secret, this approach seems reasonable. But yet again, analysis of breach corpuses as well as analyzation of human behavior demonstrates that given high complexity requirements, those requirements will simply be addressed in a very predictable way in order to minimally satisfy such requirements. The number of possible character combinations theoretically remain across the length of a secrets formulation, but the probability that forced characters will be randomly distributed throughout the length on a human derived secret remain very low.
Mathematically speaking, the single most effective variable in actually addressing the strength of secrets is length. Complexity over a very short password is insignificant and, amazingly, enforcing complexity over a longer password does almost nothing to improve the strength of the secret where human derived secrets typically follow a predictable pattern.
Instead, complexity simply feeds into user frustration and predictable patterns driven by the complexity requirements imposed tend to easily emerge. In cases where at least one uppercase character is required, in a very high number of cases, that character will be the first character for a human derived password. If symbols or numbers are required, those will tend to be appended to the end of a password merely to satisfy the requirement.
The downstream effect of the “forced complexity” misconception and approach often results in:
- More forgotten passwords, since character complexity is difficult to remember
- Predictable patterns of formulation to minimally meet requirements
- “Complex” passwords saved in an insecure manner, to compensate for memory
- Tendency to use the same “complex” password across multiple accounts
- An increase in costs borne by the organization to support more frequent password resets due to forgotten passwords
All of these pitfalls are driven almost solely by complexity requirements that, in the end, are difficult to remember and end up not really enhancing the strength of secrets formulation at all. According to NIST, and rightly so, the single most important factor in ensuring strong secrets formulation is length and requiring nothing else.
NIST 2021 Recommendation 3: Implement Screening of New Passwords
Finally, one of the best guidelines set forth by NIST and unfortunately one of the most ignored is screening around password resets against commonly used, expected or compromised passwords:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
NIST Special Publication 800–63B, Section 5.1.12, Memorized Secret Verifiers
While NIST only recommends leveraging commonly used, expected, or compromised credentials as possible standalone options, our recommendation for this category includes using all of these options in tandem to produce the most robust and comprehensive approach in mitigation of risks associated with password management.
In fact, eliminating the use of dictionary words, repetitive/sequential characters and context-specific words have been a part of most password policies for decades and for good reason. These are sound practices that should remain in place.
What many organizations have failed to implement, and which now constitutes quite possibly the most important choice in terms of password change intelligence augmentation is comparing password resets to known compromised credentials, which still are known to be highly effective in gaining access to corporate assets.
In addition to the screening of new passwords, and in light of the guideline to remove periodic password change requirements (e.g., passwords no longer expiring), organizations also would be strongly encouraged to passively scan existing repositories of passwords for weak, commonly used, and compromised passwords as well, until such time as an in-place new password screening policy would have affected every password in the organization.
NIST 2021 Best Practices
In addition to the password recommendations given above, here are some best practices around passwords end users and organizations should consider for 2021:
Minimum Password Length
Best practice around password lengths is actually rather difficult to offer in terms of providing a single static number. This is attributable to sometimes greatly varying capabilities around platforms, especially of a legacy nature.
For starters, according to NIST Special Publication 800–63B, Section 18.104.22.168, Memorized Secret Verifiers, a base minimum password length is given as 8 characters. Most systems will accept 8 characters as a minimum password length, including most legacy mainframe solutions (which in some cases may also equate to the maximum characters allowed as well).
The next scenario to address for best practices around password lengths has to do with derivation. If the password for some reason needs to be human derived, then at some point longer lengths defeat the purpose, as the longer the length, the greater the likelihood that the password will be forgotten. For human derived passwords — which overall, is not recommended here as best practice (see Use A Password Manager below) — lengths between 15 and 20 should be used, if possible. Some consideration can be made for the value of the data that sits behind the protection — such as access to a Web-based card making application where no Personal Information (PI) is being stored (either in the user profile or in the cards/data created), allowing for a password of less than 15 characters.
But for the most part, where possible, as a general best practice, when considering password lengths, end users should strive to:
- Create passwords no less than 8 characters on platforms that have restrictions around lengths, especially maximum lengths, such as legacy platforms.
- Create passwords between 15 to 20 characters utilizing self-imposed password complexity when passwords are human derived.
- Create passwords of no less than 20 characters when a password manager is being leveraged.
In the end, it’s our strong belief due to many known human limitations, that any advice provided around “How to create a secure (human derived) password” is hopelessly inadequate and bad guidance, however well-meaning or carefully thought out and constructed. Historically speaking, mountains of evidence, expert analysis, and datasets derived from breach corpuses demonstrate that for all the so-called “expert advice” given over the years around this, humans simply aren’t good at deriving passwords and never will be. So why do “experts” still insist on providing this kind of guidance in the face of such consistent, obvious failure in outcome?
Read on to Use A Password Manager for more information as to why human derived passwords should completely be eliminated to the extent possible and password managers used as a best practice.
Password Policies & Password Policy Management
Organizational password policies are where the rubber meets the road, so to speak, around NIST guidelines. What are the best practices around password policies in light of the NIST guidelines and the recommendations for 2021 mentioned here?
- Generally speaking, accept the default policy for your platform. Again, as mentioned, most of the policies for most platforms have been finely tuned over a number of years and contain good, safe, protective settings. Default Windows password policies, in particular, can and should be safely accepted.
- Relax settings around complexity. As recommended above, once the default password policy has been accepted, retrofit as necessary the recommendations around complexity. That is, remove complexity requirements in the policy.
- Remove password expirations. Again, as recommended above, remove password expirations. If password expirations cannot be removed, then set expirations out as far as possible to at least one year.
- Review password length. Review the password length and make sure reasonable lengths are being required as per the best practices set forth above.
Finally, where possible, with so many varied systems to manage, it can greatly enhance the manageability, scale, accuracy, and agility of an organization to manage all the password policies for all platforms in the organization from a central IAM/IGA platform dedicated to mass password policy management across heterogeneous platforms.
Use A Password Manager
Perhaps no guidance around passwords can top recommended best practices that end users adopt and leverage a good password/secrets manager in lieu of deriving passwords themselves. Guidance and advice abound on “How to create a secure password” that is human derived. And yet, for all the advice and clever guidance, humans fail miserably at creating good, lengthy, complex, secure passwords.
The need to create good, lengthy, complex, secure passwords literally screams “a machine should do this” and indeed, this is realistically the only reasonable approach.
For the best practice of using a password manager, it’s highly recommended to:
- Leverage a leading password manager to generate and securely store good, lengthy, complex, secure passwords. That is, the password manager itself must provide good security.
- Set the policy in your password manager to generate complex passwords using letters of varying case, numbers, and symbols where allowed.
- Set the policy in your password manager to generate passwords of length 20 or greater.
- Passwords of length greater than 64 characters are generally not required nor recommended as extremely large passwords can impact the time it takes to properly hash these passwords.
Automating NIST Password Requirements
For automation of NIST Password Requirements the following approaches are recommended:
- For password policies, follow the recommended best practices in this guide for setting password policies. Password policy engines, both default, and custom will take care of automation around the creation of proper passwords with refreshed policies around NIST guidance in place.
- Adopt and install a secured, centralized, cloud accessible IAM/IGA password policy and password reset engine that is capable of managing and resetting passwords in a massive heterogeneous, mixed on-premise, and cloud or multi-cloud environment.
- Leverage and integrate with a commercial compromised credentials solutions provider to safely and securely:
- Actively detect and reject compromised credentials at the time of new password creation.
- Passively scan all password repositories for compromised credentials and implement corrective action (typically forced password resets) until all compromised credentials have been eliminated via intelligent new password creates as per (a) above.3
Tying It All Together
The initial release of NIST Special Publication 800–63B, Digital Identity Guidelines in 2017 surprised many organizations. Organizations have remained reluctant to implement these changes as the recommended guidelines were a surprising reversal of long-standing, universally accepted approaches to password management.
For 2021, in lieu of the fact NIST has not yet released any updates to these recommendations, this article presents a Top 3 NIST Password Recommendations, Best Practices, and succinct guide to Automating NIST Password Requirements to help guide organizations and incentivize senior cybersecurity leaders to implement, refresh, or update their approaches to password creation, password management, and password security to better secure their organizational environments.
About The Authors
Stan Bounev is the founder and CEO of VeriClouds. He is on a mission for solving identity fraud. Stan has over 20 years of product management experience in technology and financial services organizations solving a multitude of problems in identity and cybersecurity.
VeriClouds is a cybersecurity and data company that provides user context services to secure systems’ access and minimize account takeover attacks.
Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethic Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a wide range of cybersecurity topics.