NIST: new policies for secure passwords

The National Institute of Standards and Technology of the United States (NIST) sets new guidelines and policies for passwords used by the US government (public sector).

It's no secret: most internet users use bad passwords.
With so many websites and online services requiring the creation of an account, creating a new password has become an almost daily chore.

At the same time, the computing power available for cracking passwords keeps growing.

So the National Institute of Standards and Technology of the United States (NIST) has finally decided to develop new guidelines for creating passwords.

I say "at last" because I think this is important: new standards and policies will help companies, organizations and agencies better secure their users and eliminate obsolete practices that no longer seem to work.

Or, to put it differently, practices whose only effect is to make our lives more difficult.

Anyone interested in the draft of the forthcoming specification, Special Publication 800-63-3: Digital Authentication Guidelines, can follow it as it evolves on GitHub or read it in a more accessible form published by NIST.

Let's take a brief look at what is coming:

What are the major differences between the current "secure passwords" policy and what NIST now recommends?

Some of the recommendations you can probably guess, others may surprise you.

What you should do.

Put the user first. Make password policies user-friendly and place the burden on the verifier (the service checking the password) whenever possible.

In other words, we should stop asking users to do things that do not improve security.

A lot of research has been done on the effectiveness of these "best practices", and it turns out that they do not help enough to be worth the effort they demand.

Length matters when it comes to passwords. The new NIST guidelines require a minimum of 8 characters. (That is a floor, not a ceiling; you can raise the minimum for the most sensitive accounts.)

NIST states that a maximum length of at least 64 characters should be allowed, so we will no longer see "Sorry, your password cannot be longer than 16 characters."

Applications should allow all printable ASCII characters, including spaces, and accept all Unicode characters, including emoji!
This allows the common punctuation of every language to be used, which improves usability and increases variety.

Check new passwords against a dictionary of known-bad choices (this applies to companies in particular). You do not want to let your service's users choose ChangeMe, their own name, and so on.

Things you should not do.

No composition rules. This means no more rules forcing users to include specific characters or combinations.

So we will stop seeing the unpleasant message:
"Your password should contain a lowercase letter, an uppercase letter, a number, four symbols but not &% # @ _, and the last name of at least one astronaut."

Let people choose freely and encourage them to use whole phrases instead of tricky passwords with false complexity such as pA55w+rd.
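Putting the do's and don'ts above together, here is an added example (not code from the article or from NIST) of a password acceptance check in Python that follows the rules just listed: a minimum of 8 and a maximum of 64 characters, all printable ASCII and Unicode accepted including spaces and emoji, no composition rules, and a lookup against a known-bad list and the user's own name. The blocklist contents and the usernames are constructed placeholders; a real service would load a large list of breached and common passwords.

```python
import unicodedata

# Policy values taken from the article: at least 8 characters, at least 64 allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for the "known-bad" dictionary; a real deployment would load
# a large breach / common-password list here.
KNOWN_BAD = {"changeme", "password", "123456", "qwerty", "letmein"}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input is compared consistently.

    The same normalization should be applied before hashing, so that a password
    typed on a different keyboard layout still verifies.
    """
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "", blocklist=KNOWN_BAD) -> list:
    """Return the list of reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules. A lowercase passphrase with spaces and
    emoji is as acceptable as anything else, as long as it is long enough and not
    on the blocklist.
    """
    pw = normalize(password)
    problems = []

    # Length is counted in code points, so an emoji counts as one character, not four bytes.
    n = len(pw)
    if n < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    if n > MAX_LENGTH:
        problems.append("too long (maximum %d characters)" % MAX_LENGTH)

    # Reject only control characters (Unicode category Cc: NUL, newline, ...).
    # Spaces, punctuation, non-Latin scripts and emoji all pass.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("contains control characters")

    folded = pw.casefold()
    if folded in blocklist:
        problems.append("appears in the known-bad dictionary")

    # The article names the user's own name as a bad choice; require a username of
    # at least 3 characters so a one-letter username does not reject everything.
    if len(username) >= 3 and username.casefold() in folded:
        problems.append("contains the username")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True when check_password finds nothing wrong."""
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "ChangeMe", "pA55w+rd", "ma clé 🔑🔑🔑"]:
        print(repr(candidate), "->", check_password(candidate, username="alice") or "accepted")
```

Note what the check does not do: it never demands an uppercase letter or a digit, so "pA55w+rd" and a four-word lowercase passphrase are judged by the same criteria, exactly as the article argues they should be.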

No password hints. None. If I wanted people to have a better chance of guessing my password, I would write it on a card and stick it to my screen.

Knowledge-based authentication (KBA) will no longer exist. KBA is when a website says: "Choose from a list of questions (Where did you go to high school? What is your favorite football team?) and give us the answer, in case we need to check that it is really you."

My favorite change:

No more password expiration. If we want users to comply and choose long, hard-to-guess passwords, we should not require them to change passwords unnecessarily just because a quarter or a semester has passed.

The only passwords that should be changed are those that have been forgotten, or those you think (or know) have been exposed because the company's password data has been stolen.

NIST: some very useful tips

To be stored securely, all passwords must be hashed, salted and stretched.

It recommends that companies use a salt of 32 bits or more, a keyed HMAC using SHA-1, SHA-2 or SHA-3, and the PBKDF2 stretching algorithm with at least 10,000 iterations.
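As an added example, not code from the article or from NIST, the following Python stores and verifies a password the way the paragraph describes: a random salt, a keyed HMAC over SHA-256, and PBKDF2 stretching at the 10,000-iteration floor quoted above. The self-describing record format, the 16-byte salt and the constant names are my choices, not values from the publication; hashlib.pbkdf2_hmac and hmac.compare_digest are standard-library functions.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

HASH_NAME = "sha256"   # SHA-2, one of the families the article lists ("sha1" and "sha3_256" also work here)
ITERATIONS = 10_000    # the floor the article quotes; raise it as your hardware allows
SALT_BYTES = 16        # 128 bits, comfortably above the 32-bit minimum in the article
KEY_BYTES = 32         # derived-key length in bytes


def _encode(password: str) -> bytes:
    # Normalize before hashing so the same visible text always maps to the same bytes.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salt, hash (HMAC-SHA-256) and stretch (PBKDF2) a password.

    Returns a record "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" so that the
    parameters travel with the hash and can be raised later, one account at a time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac(HASH_NAME, _encode(password), salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError("unsupported record format")
    hash_name = scheme[len("pbkdf2_"):]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(hash_name, _encode(password), salt, int(iterations), dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so timing reveals nothing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was produced with fewer iterations than current policy.

    Call this after a successful login and re-hash with the new password on the spot,
    since the plaintext is only available at that moment.
    """
    return int(record.split("$")[1]) < min_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct :", verify_password("correct horse battery staple", record))
    print("verify wrong   :", verify_password("Tr0ub4dor&3", record))
```

Because the salt is random, hashing the same password twice yields two different records, which is exactly what prevents a single precomputed table from covering every user's account.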

What else is going away?

Password enthusiasts will most likely wonder:

"What about bcrypt and scrypt?"

NIST writes:

"We will recommend PBKDF2 here because it is based on hashing archetypes that meet many national and international standards."

Another big change is that SMS is disallowed: it should no longer be used for two-factor authentication (2FA).

There are many problems with the security of SMS, including malware that can redirect text messages.

And there is more:

Attacks on the mobile network (such as the so-called SS7 hack), mobile number portability and phone porting, and SIM swaps, where the mobile operator issues a new SIM card to replace one that was reported lost, damaged or stolen.

What's next?

We have covered some of the most important of the upcoming changes. Password policies will continue to evolve, which is necessary, especially now that there are dictionaries of billions of passwords available for brute-force attacks.

NIST's goal is to protect the public reliably without unnecessary complexity, because complexity works against security.

The coming of quantum computing will probably eliminate the use of passwords altogether.

The above changes are necessary and should already have been in place, since computers with enormous processing power now exist, something that was not the case when NIST set its first standards for "secure passwords."

Written by giorgos