NIST Password Guidance Draft seems sane

Password guidance has historically ignored human factors issues and required people to do things like change passwords frequently, which seems secure but actually reduces security, since it forces people to pick weaker passwords that they can easily memorize. NIST is finally taking some of these points into account in its new proposed guidance.

NIST has released a draft of new security guidance, including password rules (SP 800-63-4). It is summarized well by Ars Technica.

Historically, security guidance has required that people do things like change their passwords every three months and select passwords that contain lower case letters, upper case letters, numbers, and symbols. These policies existed under the theory that if the password kept changing, then even if an attacker got hold of it, they would be locked out again within three months. And if people picked passwords with four types of characters, the password would have more variability.

Usability research since then has shown that such policies put the burden on users. Creating and memorizing passwords takes time and effort; if users have to do it regularly, they will find ways to optimize the process by picking passwords that are easier to remember or by memorizing password-creation patterns. Also, longer passwords, even ones made up of English words, are both easier to remember and quite secure. Hence correctbatteryhorsestaple is theoretically quite secure despite being made up only of lower case letters and English words.

It is generally a better idea to instead forbid common passwords that often occur in password-guessing dictionaries (e.g. password123!), as doing so makes guessing harder for attackers. The problem is rarely that too few types of characters are used; more often it is that some passwords are unexpectedly common (e.g. monkey1), giving attackers an easy set of passwords to guess from.

There are also now more technical solutions available to system administrators to combat password theft without burdening users. Examples include temporarily locking users out after too many failed password attempts, monitoring for odd login events, and providing two-factor authentication options for users.
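The first of those controls, a temporary lockout after repeated failed attempts, is simple enough to sketch in full. The following is an added example written for this post, not code from NIST or from the author; the thresholds (5 failures inside a 10-minute window, 15-minute lock) and the login events replayed at the end are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed policy values; a real deployment would tune these to its own risk appetite.
MAX_FAILURES = 5          # failed attempts tolerated inside the sliding window
WINDOW_SECONDS = 600      # window over which failures are counted
LOCKOUT_SECONDS = 900     # how long the account stays locked once the threshold is hit


class LoginThrottle:
    """Per-account temporary lockout after too many failed password attempts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record_attempt(self, account, success, now):
        """Record one login attempt at time `now` (seconds).

        Returns 'ok', 'failed' or 'locked'. While an account is locked every
        attempt is reported as 'locked', whether or not the password was right,
        so the lock does not leak which guesses were correct.
        """
        if self.is_locked(account, now):
            return "locked"
        if success:
            self._failures.pop(account, None)   # a good login clears the failure history
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed login events: (account, time in seconds, password was correct?)
SAMPLE_EVENTS = [
    ("alice", 0, False),
    ("alice", 10, False),
    ("alice", 20, False),
    ("alice", 30, False),
    ("alice", 40, False),    # fifth failure inside the window -> lock until t=940
    ("bob", 50, False),      # unrelated account, one failure only
    ("alice", 100, True),    # correct password, but still inside the lock
    ("alice", 1000, True),   # lock has expired, login succeeds
]


def replay_events(events=SAMPLE_EVENTS):
    """Feed the events through one throttle and return (account, time, outcome) triples."""
    throttle = LoginThrottle()
    return [(acct, t, throttle.record_attempt(acct, ok, t)) for acct, t, ok in events]


if __name__ == "__main__":
    for account, t, outcome in replay_events():
        print(f"t={t:>5}s {account:<6} {outcome}")
```

Feeding the sample events through the throttle yields four `failed` results for alice, then `locked` on the fifth attempt, `failed` for bob, `locked` for alice's correct password at t=100, and `ok` once the lock has expired. Note that the lockout itself is a denial-of-service lever if an attacker can spam failures against a known account name, which is one reason the guidance pairs it with monitoring and a second factor rather than relying on it alone.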

Updated Guidance

The proposed updated NIST guidance takes the usability of password creation and maintenance for users into account. It now forbids periodic resets where users are required to change their password every few months. It also forbids required sets of characters, so an all-lower-case password, for example, must be allowed. It requires that all passwords be a minimum of 8 characters and recommends that passwords be checked against known lists of common passwords at time of creation. It also requires that if the password is on a known password list, the user be told that, not just that the password is not secure enough.
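Put together, the blocklist idea from earlier and the rules just listed amount to a small acceptance check: minimum length, no composition requirements, a lookup against a list of common passwords, and a specific message when that lookup hits. The following is an added example, not code from NIST or from the author; the six-entry blocklist is constructed for illustration, and the case-folding and Unicode normalization are design choices of this example rather than requirements stated in the post.

```python
import unicodedata

MIN_LENGTH = 8   # minimum length as summarized above

# Constructed blocklist; a real deployment would load a large corpus of
# breached and commonly chosen passwords instead of this handful.
COMMON_PASSWORDS = {
    "password", "password123!", "monkey1", "123456", "qwerty", "letmein",
}


def normalize(password):
    # NFKC folds compatibility forms (e.g. full-width letters) onto their plain
    # equivalents so that look-alike strings cannot slip past the blocklist.
    # Length is then counted in code points, so non-ASCII passwords are not penalized.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate, blocklist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return (accepted, reason) for a proposed password.

    There are deliberately no composition rules: any mix of characters is fine.
    The blocklist is checked before the length rule so that a user whose
    password is on the list is told exactly that, as the guidance requires.
    """
    pw = normalize(candidate)
    # Case-insensitive comparison so 'Monkey1' is rejected along with 'monkey1'.
    folded_blocklist = {p.casefold() for p in blocklist}
    if pw.casefold() in folded_blocklist:
        return False, "this password appears on a list of commonly used passwords"
    if len(pw) < min_length:
        return False, f"must be at least {min_length} characters"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ["correctbatteryhorsestaple", "Tr0ub4d&r", "Monkey1", "short",
                   "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44"]:
        print(f"{sample!r}: {check_password(sample)}")
```

With the sample blocklist, `correctbatteryhorsestaple` and `Tr0ub4d&r` are both accepted (one is all lower case, the other is short but mixed; neither property matters on its own), `Monkey1` is rejected with the blocklist message rather than a vague "not strong enough", and `short` fails only the length rule. The last sample is the word "password" in full-width characters, which NFKC normalization maps back to ASCII so the blocklist still catches it.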

Kami Vaniea
Associate Professor of Usable Privacy and Security

I research how people interact with cyber security and privacy technology.