NIST’s New Password Guidance

Passwords have proven themselves an inadequate method of authentication many times. It’s not necessarily that the concept is flawed: passwords can be secure if the system around them is implemented properly. But a combination of users’ inability to properly choose and manage passwords and developers’ failure to implement secure systems often leads to security breaches.

It’s not just ordinary users that make poor choices in this regard: system administrators and public cloud users have been known to disregard password best practices, putting their users’ data at risk.

NIST has released a new guideline for user authentication that challenges some practices commonly accepted as “the right way to do things”.

Hints and Knowledge-Based Authentication

Password hints are a bad idea. There’s no real advantage to allowing the user to enter a password hint as a reminder. The same effect can be achieved by a password reset without giving a bad actor the opportunity to work out the password. Knowledge-based authentication is also dangerous: it’s not hard for bad actors to discover a user’s mother’s maiden name or where they went to high school.

Both strategies are intended to reduce the burden on a company’s customer support, but they expose users to unnecessary risk.

Check Against Existing Password Dictionaries

This one is common sense, but almost never done. Hackers know which passwords people are most likely to choose. When attacking a user account, they use dictionaries of common passwords as a starting point. Rejecting passwords identical to the most common passwords found in leaked password databases would go a long way to making users more secure.

Users will find this frustrating, but occasionally it’s necessary to put security above convenience.

Don’t Force Password Expiry

Many companies force users to choose a new password after a predetermined period. Intuitively, this is an appealing measure, but in practice it does little to improve security.

Frequent password expiry often leads to users simply adding an incrementing number to the end of their password or choosing simple passwords so they don’t have to frequently commit a new complex password to memory.

Password Composition

This is probably the most common practice NIST argues against. Many services advise users to choose passwords with a specified minimum of capital letters, numerical characters, and special characters like punctuation.

In theory, this makes users choose passwords that are harder to guess. In practice, they choose passwords that meet the minimum requirements. NIST wants password advice to focus on password length, rather than composition.
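The dictionary check and the length-over-composition point, combined in one validator as an added example (not code from the article or from NIST): the blocklist entries, the username and the service name are constructed assumptions, and the validator also applies two further SP 800-63B checks the article does not mention (single repeated characters and context-specific words).

```python
"""Password acceptance check in the spirit of NIST SP 800-63B (added example)."""
import re
import unicodedata

# Constructed sample of a breach/common-password corpus, lower-cased.
# A real deployment loads the top entries of a leaked-password list here.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "p@ssw0rd",
    "password1", "password1!", "iloveyou", "letmein", "welcome1", "admin",
}

MIN_LENGTH = 8   # SP 800-63B minimum length for user-chosen secrets
MAX_LENGTH = 64  # verifiers should accept at least this many characters


def legacy_composition_ok(password: str) -> bool:
    """The rule NIST argues against: one upper-case, one digit, one symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def check_password(password: str, username: str = "", service: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Length and a blocklist do the work; no composition rule is applied.
    """
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("appears in the common/leaked password list")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    # Context-specific words (the username, the service name) are cheap guesses.
    for word in (username, service):
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, "| composition rule:", legacy_composition_ok(candidate),
              "| NIST-style check:", check_password(candidate) or "accepted")
```

"P@ssw0rd" satisfies the composition rule yet is rejected by the blocklist, while the long passphrase fails the composition rule and is accepted by the length-based check.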
