NIST Password Guidelines 2021: Challenging Traditional Password Management

In 2017, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-63B, Digital Identity Guidelines, to help organizations properly understand and address the risk that end-user password management carries. Nearly every year since, NIST has updated or underscored these guidelines as security experts continue to glean insight into the true effectiveness of passwords, drawn from the analysis of breach corpuses and from observation of how humans tend to form secrets.

Resistance to Still Relevant Requirements

Habits, perceptions, and established ways of thinking are very difficult for human beings to break. One advantage of the information age is that access to exponentially growing password datasets has provided verifiable, reliable insight into what constitutes effective password management.

  1. Offering best practices around minimum password length and password policies
  2. Recommending strategies for automation of NIST Password Requirements for 2021

2021 Updates and Changes To Password Guidelines

For 2021, NIST has not officially released updates to its password guidelines as it has in past years. That is why it is important to assemble the recommendations and best practices that organizations and security leaders can use as guidance for 2021.

2021 NIST Password Recommendations

The following are Top 3 NIST Password Recommendations for 2021:

NIST 2021 Recommendation 1: Remove Periodic Password Change Requirements

One of the approaches organizations have found hardest to lay aside is the password-expiration policy intended to drive frequent password changes. The thinking has been that frequent changes reduce the risk of compromise, based on the sheer probability of compromise accumulating over time.

NIST 2021 Recommendation 2: Require Length But Remove Password Complexity

Another approach to password management widely perceived to address risk and force better security has been to increase and enforce complexity requirements, for example requiring mixed case and the use of symbols and digits.

  • Predictable patterns of formulation to minimally meet requirements
  • “Complex” passwords saved in an insecure manner, to compensate for memory
  • Tendency to use the same “complex” password across multiple accounts
  • An increase in costs borne by the organization to support more frequent password resets due to forgotten passwords

NIST 2021 Recommendation 3: Implement Screening of New Passwords

Finally, one of the best guidelines set forth by NIST and unfortunately one of the most ignored is screening around password resets against commonly used, expected or compromised passwords:

  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.
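The screening described above, as an added example that is not part of the original article: a password-creation check that rejects repetitive and sequential runs, service- and username-derived words, and anything found in a compromised-password corpus. The corpus, the service name and the usernames are constructed for illustration; a real deployment would consult a breach corpus or a commercial compromised-credentials feed instead of the small hashed set embedded here. The 15-character floor and 64-character ceiling follow the best practices this article gives further down.

```python
import hashlib
import re

# Constructed stand-in for a compromised-password corpus (a breach list or a
# commercial compromised-credentials feed), keyed by upper-case hex SHA-1 so the
# clear-text values never need to be kept around. Not real breach data.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2021!")
}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive code points ascend or descend by one ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_words(service: str, username: str) -> set:
    """Service name, username and simple derivatives (lower-cased, separators stripped)."""
    words = {service.lower(), username.lower()}
    if "@" in username:
        words.add(username.split("@", 1)[0].lower())   # e-mail local part
    derived = set()
    for w in words:
        derived.add(re.sub(r"[^a-z0-9]", "", w))        # 'acme portal' -> 'acmeportal'
        derived.update(p for p in re.split(r"[^a-z0-9]+", w) if len(p) >= 4)
    return {w for w in words | derived if w}


def screen_password(pw: str, username: str, service: str,
                    min_len: int = 15, max_len: int = 64) -> list:
    """Return the reasons a proposed password is rejected; an empty list means accept.

    min_len is this article's 15-character floor for human-derived passwords;
    max_len is the 64-character ceiling the article discusses for hashing cost.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    lowered = pw.lower()
    for w in sorted(context_words(service, username)):
        if w in lowered:
            reasons.append(f"contains context-specific word {w!r}")
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in COMPROMISED_SHA1:
        reasons.append("found in compromised-password corpus")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for the constructed service "Acme Portal" and user alice@example.com
    for candidate in ("Summer2021!", "abcd1234abcd1234",
                      "Acme Portal spring 2021", "correct horse battery staple"):
        verdict = screen_password(candidate, "alice@example.com", "Acme Portal")
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

Hashing the corpus rather than keeping clear-text entries is deliberate: the screening service then holds nothing that is itself worth stealing, and the same digest form can be sent to a provider feed. Note that the sequence check works on code points, so it catches keyboard-adjacent digit and letter runs but not every keyboard walk; that is the kind of rule a commercial feed complements.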

NIST 2021 Best Practices

In addition to the password recommendations given above, here are some best practices around passwords end users and organizations should consider for 2021:

Minimum Password Length

Best practice around password lengths is actually rather difficult to offer in terms of providing a single static number. This is attributable to sometimes greatly varying capabilities around platforms, especially of a legacy nature.

  1. Create passwords of 15 to 20 characters, applying self-imposed complexity, when passwords are human derived.
  2. Create passwords of no less than 20 characters when a password manager is being leveraged.

Password Policies & Password Policy Management

Organizational password policies are where the rubber meets the road, so to speak, around NIST guidelines. What are the best practices around password policies in light of the NIST guidelines and the recommendations for 2021 mentioned here?

  1. Relax complexity settings. As recommended above, once the default password policy has been accepted, retrofit it as necessary to follow the complexity recommendations; that is, remove complexity requirements from the policy.
  2. Remove password expirations. Again, as recommended above, remove password expirations. If expirations cannot be removed, set them out as far as possible, to at least one year.
  3. Review password length. Review the password length and make sure reasonable lengths are being required as per the best practices set forth above.
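As an added example (not the article's own code), the three policy steps above expressed as a small audit: a legacy-style policy is compared with the recommended settings, each deviation is reported with its rationale, and a corrected copy is produced. The policy keys are hypothetical and modelled loosely on the knobs directory and IAM products expose; map them to your own product's settings. Both policy dictionaries are constructed.

```python
from copy import deepcopy

# Constructed: the traditional pre-2017 style policy (hypothetical key names).
LEGACY_POLICY = {
    "min_length": 8,
    "max_length": 16,
    "require_complexity": True,          # mixed case + digit + symbol
    "max_age_days": 90,                  # forced rotation every quarter
    "screen_against_compromised": False,
    "screen_context_words": False,
}

# Constructed: the settings this article recommends for 2021.
RECOMMENDED_POLICY = {
    "min_length": 15,                    # floor for human-derived passwords
    "max_length": 64,                    # room for 20+ character manager-generated passwords
    "require_complexity": False,
    "max_age_days": None,                # None = no expiration
    "screen_against_compromised": True,
    "screen_context_words": True,
}


def audit_policy(policy: dict) -> list:
    """Return (setting, current, recommended, rationale) for every deviation found."""
    findings = []
    if policy.get("min_length", 0) < RECOMMENDED_POLICY["min_length"]:
        findings.append(("min_length", policy.get("min_length"), 15,
                         "length, not complexity, carries the strength"))
    max_len = policy.get("max_length")
    if max_len is not None and max_len < RECOMMENDED_POLICY["max_length"]:
        findings.append(("max_length", max_len, 64,
                         "allow manager-generated passwords of 20 characters or more"))
    if policy.get("require_complexity"):
        findings.append(("require_complexity", True, False,
                         "complexity rules drive predictable patterns, insecure storage and reuse"))
    age = policy.get("max_age_days")
    if age is not None and age < 365:   # an expiration of a year or more is tolerated
        findings.append(("max_age_days", age, None,
                         "remove expiration, or set it to at least one year"))
    for key in ("screen_against_compromised", "screen_context_words"):
        if not policy.get(key):
            findings.append((key, False, True, "screen new passwords (recommendation 3)"))
    return findings


def apply_recommendations(policy: dict) -> dict:
    """Return a copy of the policy with every audited setting moved to the recommended value."""
    fixed = deepcopy(policy)
    for setting, _current, recommended, _why in audit_policy(policy):
        fixed[setting] = recommended
    return fixed


if __name__ == "__main__":
    for setting, current, recommended, why in audit_policy(LEGACY_POLICY):
        print(f"{setting}: {current!r} -> {recommended!r}  ({why})")
    print("after fix:", audit_policy(apply_recommendations(LEGACY_POLICY)) or "no findings")
```

Running the audit against an exported policy before a change window gives a reviewable list of exactly which settings will move and why, which is what the change ticket and the auditor both want.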

Use A Password Manager

Perhaps no guidance around passwords can top the recommended best practice that end users adopt and leverage a good password/secrets manager in lieu of deriving passwords themselves. Guidance and advice abound on “how to create a secure password” that is human derived. And yet, for all the advice and clever guidance, humans fail miserably at creating good, lengthy, complex, secure passwords.

  1. Set the policy in your password manager to generate complex passwords using letters of varying case, numbers, and symbols where allowed.
  2. Set the policy in your password manager to generate passwords of length 20 or greater.
  3. Passwords longer than 64 characters are generally neither required nor recommended, as extremely long passwords can increase the time it takes to properly hash them.

Automating NIST Password Requirements

For automation of NIST Password Requirements the following approaches are recommended:

  1. Adopt and install a secured, centralized, cloud-accessible IAM/IGA password policy and password reset engine capable of managing and resetting passwords in a massive heterogeneous, mixed on-premise, cloud, or multi-cloud environment.
  2. Leverage and integrate with a commercial compromised-credentials solution provider to safely and securely:
     a. Actively detect and reject compromised credentials at the time of new password creation.
     b. Passively scan all password repositories for compromised credentials and implement corrective action (typically forced password resets) until all compromised credentials have been eliminated via intelligent new password creation as per (a) above. [3]
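The passive scan and corrective action described in the last step, as an added example that is not the article's code and not any provider's API. It assumes two things, both labelled in the code: that the repository stores an unsalted hash that can be compared against a provider's corpus (the only case in which such a scan is feasible), and that the provider offers a k-anonymity range lookup, in which the organization sends only the first five hex digits of each hash and compares the returned suffixes locally, so no full hash leaves the environment. The provider corpus and the account repository are constructed.

```python
import hashlib


def sha1_hex(s: str) -> str:
    """Upper-case hex SHA-1, the digest form the simulated provider is keyed on."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for what a compromised-credentials provider holds.
_PROVIDER_CORPUS = {sha1_hex(p) for p in ("password", "123456", "Winter2020!", "letmein")}


def provider_range_query(prefix5: str) -> set:
    """Simulated provider endpoint for a k-anonymity range lookup (assumption: the
    provider supports this style of query). Only the 5-hex-digit prefix is sent;
    every suffix sharing that prefix comes back and the match is decided locally."""
    if len(prefix5) != 5:
        raise ValueError("range queries take exactly five hex digits")
    return {h[5:] for h in _PROVIDER_CORPUS if h.startswith(prefix5)}


def is_compromised(digest: str) -> bool:
    """Local comparison of the hash suffix against the provider's returned suffixes."""
    return digest[5:] in provider_range_query(digest[:5])


# Constructed password repository: account -> stored credential hash. Assumes the
# repository keeps an unsalted hash; salted stores cannot be scanned this way.
REPOSITORY = {
    "alice": sha1_hex("correct horse battery staple"),
    "bob":   sha1_hex("Winter2020!"),
    "carol": sha1_hex("letmein"),
    "dave":  sha1_hex("green lantern tunnel 88"),
}


def scan_repository(repo: dict) -> list:
    """Passive scan: the accounts whose stored hash appears in the compromised corpus."""
    return sorted(user for user, digest in repo.items() if is_compromised(digest))


def corrective_action(repo: dict, flagged: list) -> dict:
    """Mark each flagged account for a forced reset; the reset engine consumes this map."""
    return {user: "must_change" for user in flagged if user in repo}


def rescan_after_resets(repo: dict, new_passwords: dict):
    """One reset cycle: apply replacement passwords that pass the compromised check
    (step a, screening at creation) and rescan. Returns (updated repo, still flagged)."""
    updated = dict(repo)
    for user, pw in new_passwords.items():
        if is_compromised(sha1_hex(pw)):
            raise ValueError(f"replacement password for {user} is itself compromised")
        updated[user] = sha1_hex(pw)
    return updated, scan_repository(updated)


if __name__ == "__main__":
    flagged = scan_repository(REPOSITORY)
    print("flagged:", flagged)
    print("actions:", corrective_action(REPOSITORY, flagged))
    # Constructed replacement passwords chosen by the affected users
    _, remaining = rescan_after_resets(REPOSITORY, {"bob": "blue kettle mountain 42",
                                                    "carol": "quiet lantern river 7"})
    print("still compromised after resets:", remaining or "none")
```

The loop in the article's step (b) is the pair scan_repository / rescan_after_resets run until the scan returns nothing; rejecting a compromised replacement at creation is what keeps the loop from cycling on the same accounts.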

Tying It All Together

The initial release of NIST Special Publication 800-63B, Digital Identity Guidelines, in 2017 surprised many organizations. Organizations have remained reluctant to implement these changes because the recommended guidelines were a surprising reversal of long-standing, universally accepted approaches to password management.

About The Authors

Stan Bounev

Stan Bounev is the founder and CEO of VeriClouds. He is on a mission for solving identity fraud. Stan has over 20 years of product management experience in technology and financial services organizations solving a multitude of problems in identity and cybersecurity.

Chris Olive

Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethical Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a wide range of cybersecurity topics.

References

  1. NIST Special Publication 800-63: Digital Identity Guidelines, Frequently Asked Questions
  2. How Long Should My Passwords Be?
  3. Why Leverage A Commercial Compromised Credentials Solution?