What The Hell Is a "Memorized Secret"? Go Ask NIST
John Young MBA CISSP CCSP CGRC CSSLP SSCP CC CISM CBSP
1 of 11 worldwide to hold all 9 ISC2 cybersecurity certifications | Board of Directors @Quantum eMotion | 27-year IBM Cloud Division, Candle IT Manager and Cybersecurity SME
One cold winter’s night in the middle of nowhere, a car window is broken, and the laptop sitting on the seat in plain sight is stolen. Sadly, the laptop belongs to a high-level corporate employee who works with intellectual property and sensitive customer information. From the viewpoint of a security team, it’s a situation that causes real concern.
For a corporation, passwords give the network team time to mount a defense, and prevent a data breach inside the network. The more password levels a hacker needs to defeat, the more time a network team has to stop them. Policies enforcing password change deadlines, and the use of strong passwords, have been viewed for decades as critical cybersecurity defense tools.
However, many employees see the requirement to change even their operating system password every 45 to 90 days as a major hassle. So is dealing with the policy that forces them to add a number, an uppercase letter, and a special character to the password. When a company enforces basic password change requirements, it’s because they’re following long-standing cybersecurity best practices.
But a new question has arisen recently: can frequent password changes forced on employees actually be detrimental to corporate cybersecurity defense?
The answer is YES, according to new guidelines published by the National Institute of Standards and Technology (NIST).
NIST Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management”, grabbed my attention, because the first time I read it, I was completely caught off-guard. These new guidelines from NIST appear to kick to the curb many of the best practices burned into my head during my career.
Surprisingly enough, even the guy who helped write the original 2003 NIST guidelines felt it was time to change them. In a 2017 Wall Street Journal interview, Bill Burr (the engineer, not the comedian) had this to say about password security: “It just drives people bananas, and they don’t pick good passwords no matter what you do.”
Mr. Burr was sure right on that score. For decades, ridiculously weak passwords have been the rule, not the exception. Before companies had automated password restrictions in place, many employees used "12344321" or “qwerty” as their password.
NIST agreed with Burr, and has taken a common-sense approach to encourage more user-friendly password policy measures, instead of its previously rigid requirements.
In the NIST “Authentication and Lifecycle Management” document, Sections 5 and 10 are especially worth looking at.
In those sections, the term “memorized secrets” now takes the place of “password”. I don’t know who came up with the weird term “memorized secrets”; why couldn’t they just call it a "passphrase"?
I prefer to think of the replacement as a memorized sentence, like “Rome is Beautiful 2022" or "I Love to Travel with Susan!”. In essence, that’s exactly what they are: unique sentences that hold a special meaning only for their creator.
Users are given a much wider range of choices to work with when they secure an account. They can enter numbers, upper and lower-case letters, as well as spaces and any special characters or punctuation they want, just as they would in a sentence. No punctuation usage or characters are restricted. Nice!
To break down the changes into plain, understandable English, I analyzed the NIST specifications, and then paraphrased them in my own words. I’ve listed these changes in descending order, starting with the ones I felt were the most radical.
Admittedly, that’s a subjective choice, based on the cybersecurity fundamentals I’ve learned throughout my career. But since I couldn’t care less what anyone thinks when it comes to nitpicking the small stuff, here goes!
Past Best Practice 1: Users are forced to make password changes in time intervals determined by the institution, such as 30, 45, 60, or 90 days.
Recent Thought Process: Forcing users to arbitrarily change difficult passwords on certain dates is a burden for the user, and in response, they create less secure passwords.
New NIST Recommendation: Instead of passwords, users can create phrases that'll be known from now on as “Memorized Secrets”. Users will be allowed to change a memorized secret when they want to, with no set date, although memorized secrets must be changed immediately in cases where a security breach is suspected.
Past Best Practice 2: After a person has typed in an incorrect password, a security question is provided on the screen to help jar their memory.
Recent Thought Process: Posing a security question after a user fails to log in successfully, such as “What is your mother’s maiden name?” or “What city were you born in?” has proven to be highly ineffective. This information is easily discovered through Internet searches, and has actually assisted hackers.
New NIST Recommendation: No security questions are to be provided when a login fails after an incorrect memorized secret is entered.
Past Best Practice 3: Passwords must be a mix of uppercase and lowercase letters, as well as contain at least one number, and one special character.
Recent Thought Process: As it makes remembering them more difficult, users shouldn't be forced to include a mix of letters, numbers, and special characters in their memorized secrets.
New NIST Recommendation: Users are encouraged to mix in any characters they like, and spaces as well, to create their memorized secrets. This results in a sentence structure that’s much more effective as a security defense than a standard password.
Past Best Practice 4: Passwords must be between 8 and 16 characters long: an 8-character minimum and a 16-character maximum.
Recent Thought Process: The memorized secret should keep the 8-character minimum, but the former 16-character maximum was too restrictive. The effectiveness of a memorized secret is enhanced if the maximum is extended to 64 characters.
New NIST Recommendation: Combined with the guideline allowing users to mix in any characters they want, extending the maximum length to 64 characters promotes memorized secrets that are more like sentences than passwords. Memorized secrets are easier for a person to remember because they can use common punctuation, like spaces and periods, while at the same time being far more complex than a password. Adding 48 more character positions when the maximum length jumps from 16 to 64 characters exponentially increases the difficulty a hacker faces when using password-cracking applications. In fact, password-cracking apps with a 16-character limit will become obsolete.
Past Best Practice 5: If an incorrect password is entered 5 times, the user account is locked out, and the number of attempts they have left is never displayed.
Recent Thought Process: Don't limit the number of incorrect memorized secret entry attempts to a low number, and display how many attempts are left before the user account is locked out.
New NIST Recommendation: Allow at least 10 entry attempts of the memorized secret, and let the user see how many attempts they have left. This may sound illogical, but allowing more attempts encourages a person to create complex memorized secrets, thereby enhancing security, while at the same time reducing user anxiety.
Past Best Practice 6: Password characters are very briefly displayed on the screen as they’re typed in, and immediately replaced by an asterisk.
Recent Thought Process: A person is allowed to view one character at a time as they type in memorized secrets.
New NIST Recommendation: As a person enters a memorized secret, they'll see the character they've just typed, but the character before it will become hidden. This lets them know where they are, which reduces the number of failed entry attempts and limits their frustration. I’ve recently seen this recommendation increasingly adopted by large entities like my bank and my cell phone provider.
Past Best Practice 7: Passwords cannot be composed of blacklisted text strings like "12344321", or simple dictionary words, such as “password”.
Recent Thought Process: If it ain't broke, don't fix it.
New NIST Recommendation: No change, says NIST. This means if a person wants to make their memorized secrets using blacklisted text strings, or simple dictionary words, they still won't be able to do it. Instead, they'll need to create new compliant ones.
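To show how Best Practices 3, 4, 5 and 7 above translate into verifier-side logic, here is an added example of my own (not code from the article or from NIST): it enforces only the 8-to-64 character length and a blocklist, imposes no composition rules, keeps spaces and punctuation exactly as typed, and tracks a 10-attempt allowance while reporting the remaining count. The blocklist contents are constructed for the demo.

```python
# Added example (not from the article or NIST): a verifier-side policy check that
# enforces only the rules the article describes: 8-64 character length, no composition
# rules, spaces and punctuation kept as typed, a blocklist, and a 10-attempt allowance
# with the remaining count reported to the user.

MIN_LEN, MAX_LEN = 8, 64       # length rule from Best Practice 4
MAX_ATTEMPTS = 10              # failed-entry allowance from Best Practice 5

# Constructed blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"12344321", "qwerty", "password", "letmein"}


def check_memorized_secret(secret: str) -> list:
    """Return the policy violations for a proposed memorized secret (empty = accepted)."""
    problems = []
    n = len(secret)            # characters, not bytes, so non-ASCII is not penalised
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters")
    if secret.lower() in BLOCKLIST:
        problems.append("blocklisted or dictionary value")
    # Deliberately no uppercase/digit/special-character requirement (Best Practice 3).
    return problems


class AttemptCounter:
    """Tracks consecutive failed entries per account and reports attempts remaining."""

    def __init__(self, limit: int = MAX_ATTEMPTS):
        self.limit = limit
        self.failed = {}       # account -> consecutive failures

    def record(self, account: str, success: bool) -> tuple:
        """Return (locked, attempts_remaining) after this entry; success resets the count."""
        if success:
            self.failed.pop(account, None)
            return False, self.limit
        count = self.failed.get(account, 0) + 1
        self.failed[account] = count
        return count >= self.limit, max(self.limit - count, 0)


if __name__ == "__main__":
    for candidate in ("qwerty", "Rome is Beautiful 2022", "a" * 70):
        print(repr(candidate[:20]), check_memorized_secret(candidate) or "accepted")
    counter = AttemptCounter()
    print(counter.record("alice", False))   # (False, 9): nine attempts left
```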
Don't freak out, but NIST also gave more technical direction on password security by stating that memorized secrets must be hashed, salted, and stretched. I’ll discuss hashing and salting in a future article, but for now, it’s time for breakfast!
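Since the article leaves hashing, salting and stretching for later, here is an added example of mine (not from the article or NIST) of what those three words mean in practice on the verifier: a per-record random salt, PBKDF2-HMAC-SHA256 from the Python standard library as the stretching function, and a constant-time comparison at login. The record format and the iteration count are my own choices for the demo.

```python
# Added example (not from the article): salted and stretched storage of a memorized
# secret using PBKDF2-HMAC-SHA256 from the standard library. The salt and iteration
# count are stored with the hash so the verifier can recompute it later.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 210_000   # stretching: each guess costs this many HMAC rounds
SALT_BYTES = 16        # per-record random salt


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.
    A fresh salt per record means two users with the same secret get different hashes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:           # malformed record: never crash the login path
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_secret("I Love to Travel with Susan!")
    print(record)
    print(verify_secret("I Love to Travel with Susan!", record))   # True
    print(verify_secret("i love to travel with susan!", record))   # False: case differs
```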
Cybersecurity Director | Field CISO | Cybersecurity SME | Speaker | Author | Startup Advisor | Cyber and Security NPO Board Member
1 year ago
One of the ways, before this was revised, that I taught folks was to combine the new and the old. Think of a passphrase: "We are off to see the wizard, the wonderful wizard of Oz!" Easy to remember, right? Now convert that into the "old" standard: Wao2stwtwwoO! Still got the upper and lower cases, more than 8 (uses a longer sentence to get to 16 or more), as well as special characters and numbers. And...is a memorized secret. Don't need to write it down. This can be super critical for legacy systems that don't support long passphrases or spaces, punctuation, etc.
Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer
2 years ago
Thanks for sharing.