NIST: new policies for secure passwords

The National Institute of Standards and Technology of the United States (NIST) is setting new guidelines and policies for the passwords used by the US government (public sector).

It's no secret: most internet users use bad passwords.
With so many websites and online applications requiring an account, creating new passwords has become an almost daily chore.

At the same time, the computing power available for cracking passwords keeps growing.

So the National Institute of Standards and Technology of the United States (NIST) has finally decided to develop new guidelines for creating passwords.

I say "finally" and I think it matters, because new standards and new policies will help companies, organizations and agencies to better secure their users and to get rid of obsolete practices that no longer seem to work.

Or, to put it differently, practices that only make our lives more difficult.

Anyone interested in the draft of the forthcoming specification, referred to as Special Publication 800-63-3: Digital Authentication Guidelines, can follow it as it evolves on GitHub, or in a more accessible form on NIST's own site.

Let's take a look at what's coming:

What are the major differences between the current "secure passwords" policy and what NIST now recommends?

Some of the recommendations you can probably guess, others may surprise you.

What you should do.

Favor the user. First, make password policies user-friendly and put the burden on the verifier whenever possible.

In other words, we should stop asking users to do things that do not improve security.

A lot of research has been done on the effectiveness of these "best practices", and it turns out that they do not help enough to be worth the effort they require.

Size matters when it comes to passwords. The new NIST instructions require at least 8 characters. (That is only the minimum; you can require longer passwords for the most sensitive accounts.)

NIST states that a maximum length of at least 64 characters should be allowed, so no more "Sorry, your password cannot be longer than 16 characters."

Apps should allow all printable ASCII characters, including spaces, and accept all UNICODE characters, including emoji!
So users should be allowed to use all the usual punctuation characters of any language, to improve usability and increase variety.

Check new passwords against a dictionary of known-bad choices (including company-specific ones). You do not want to let your service's users pick ChangeMe, their own username, and so on.
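The acceptance rules of this section (minimum of 8 characters, allow well over 64, accept any printable ASCII and Unicode including emoji, no composition rules, reject known-bad and context-specific values) put together in one check. This is an added example, not code from the article or from NIST; the blocklist is a constructed sample, the 128-character ceiling is our own choice, and the NFKC normalization step is taken from the final SP 800-63B text rather than from this article.

```python
import unicodedata

MIN_LEN = 8      # NIST minimum
MAX_LEN = 128    # our own ceiling; NIST only asks that at least 64 be allowed

# Constructed sample blocklist. A real deployment would load a large list of
# breached and common passwords plus company-specific words (product names, etc.).
KNOWN_BAD = {"changeme", "password", "12345678", "qwertyuiop", "letmein"}


def check_password(password, username="", service=""):
    """Return (accepted, reasons) following the rules in the draft guidance."""
    reasons = []
    # Normalize first so that the same visible string always compares (and later
    # hashes) the same way. NFKC is what the final SP 800-63B text recommends;
    # it is an assumption here, not something this article states.
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)  # counts code points, so an emoji counts as one character
    if n < MIN_LEN:
        reasons.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} > {MAX_LEN}")
    # No composition rules: spaces, punctuation, non-ASCII letters and emoji are
    # all accepted. Only control characters are refused, since they cannot be
    # typed reliably and usually mean a copy/paste accident.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        reasons.append("control characters are not allowed")
    low = pw.lower()
    if low in KNOWN_BAD:
        reasons.append("password is on the known-bad list")
    # Context-specific values: the account name and the service name.
    for ctx in (username, service):
        if len(ctx) >= 3 and ctx.lower() in low:
            reasons.append(f"password contains '{ctx}'")
    return (not reasons, reasons)
```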

Things you should not do.

No more composition rules. This means there will be no rules forcing users to include specific characters or combinations.

So we will stop seeing the unpleasant message:
"Your password must contain a lowercase letter, an uppercase letter, a number, four symbols but not &% # @ _, and the last name of at least one astronaut."

Let them choose freely and encourage them to use whole phrases instead of hard-to-remember passwords with false complexity like pA55w+rd.

No more password hints. None. If I want to make it easier for people to guess my password, I will write it on a card and stick it on my screen.

Knowledge-based authentication (KBA) will no longer exist. KBA is when a website says: "Choose from a list of questions (Where did you go to high school? What is your favorite football team?) and give us the answer, in case we need to check that it's you."

My favorite change:

No more password expiration. If we want users to comply and choose long, strong passwords, we should not make them change passwords unnecessarily, just because a quarter or a semester has passed.

The only passwords that should change are forgotten ones, or passwords you think (or know) have been compromised because the company's password database has been stolen.

NIST: some very useful tips

All passwords must be salted, hashed and stretched to be stored securely.

It also recommends that companies use a salt of at least 32 bits, a keyed HMAC built on an approved hash (SHA-1, SHA-2 or SHA-3), and PBKDF2 as the "stretching" algorithm, with at least 10,000 iterations.
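The storage recipe above (random salt of at least 32 bits, HMAC on a SHA-2 hash, PBKDF2 stretching with at least 10,000 iterations) as an added example in Python's standard library; this is not code from the article or from NIST. The record format, the 128-bit salt and the 100,000-iteration setting are our own choices that satisfy the stated minimums.

```python
import base64
import hashlib
import hmac
import os

HASH_NAME = "sha256"   # HMAC-SHA-2 family, one of the approved hashes
ITERATIONS = 100_000   # NIST floor is 10,000; raise it as far as latency allows
SALT_BYTES = 16        # 128-bit random salt; NIST floor is 32 bits


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def derive_key(password, salt, iterations, hash_name=HASH_NAME):
    """PBKDF2: iterate HMAC-<hash_name> over password and salt (the 'stretching')."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Produce a self-describing record. Algorithm, iteration count, salt and key
    are stored together so the parameters can be raised later without locking
    existing users out."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = derive_key(password, salt, iterations)
    return "$".join(["pbkdf2", HASH_NAME, str(iterations), _b64(salt), _b64(key)])


def verify_password(password, record):
    """Recompute the key with the stored parameters; compare in constant time."""
    scheme, hash_name, iterations, salt_b64, key_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = derive_key(password, salt, int(iterations), hash_name)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than current policy.
    Call this after a successful login to upgrade old records transparently."""
    return int(record.split("$")[2]) < iterations
```

Because the iteration count travels with each record, the policy can be tightened over time and old records are upgraded the next time their owner logs in.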

What else is going away?

Password enthusiasts will most likely wonder:

"What about bcrypt and scrypt?"

NIST writes:

"We will recommend PBKDF2 here because it is based on hashing archetypes that meet many national and international standards."

In addition, another major change makes SMS unacceptable: SMS will no longer be accepted for two-factor authentication (2FA).

There are many problems with the security of SMS delivery, including malicious software that can redirect text messages.

There is more:

Mobile network attacks (such as the so-called SS7 hack), mobile number portability and number porting, and SIM swaps, where the mobile operator issues a new SIM card to replace one reported lost, damaged or stolen.

What's next?

We have covered some of the most important of the upcoming changes. Password policies will keep evolving, which is necessary, especially now that there are dictionaries with billions of passwords that can be used for brute-force attacks.

NIST's goal is to protect the public reliably without unnecessary complexity, because complexity works against security.

The coming of quantum computing will probably eliminate the use of passwords altogether.

The above changes are necessary and should have been in place yesterday, since there are now computers with enormous processing power, something that did not exist when NIST set the first standards for "secure passwords."

iGuRu.gr, The Best Technology Site in Greece

Written by giorgos
