Passwords: Getting the NIST of It
This is a guest post by Robert Capps, VP of business development at NuData Security
Is the age of using passwords dead? Passé, so to speak? The National Institute of Standards and Technology (NIST) has amended the password recommendations in its Digital Identity Guidelines. This codification of standards for government agencies, businesses and consumers includes a resource for password security. The new standards are commonsense updates to the widely deployed user authentication regime of usernames and passwords.
The new guidelines drop periodic password change requirements and the rule that passwords must include upper-case letters, symbols and numbers, requirements that are often counterproductive. Forcing consumers to reset their passwords on a continuing basis tends to weaken password security rather than improve it: a user may, for example, keep the same word and change only a numeric value or punctuation mark.
Prior requirements corralled people into specific formulas for passwords that could be more easily guessed. Websites that cap the number of characters in a password also limit the number of possible combinations, making it easier for brute-force attacks, which try every variation until a legitimate password is found and used. Still, good passwords start with the people who use them.
Better consumer education is clearly needed. Symantec reports (PDF) that more than a third of US consumers who share passwords have shared their online banking account passwords, and 55% of people use the same password for everything. We also continue to warn consumers about social media dangers. Even with better password security, socially engineered scams are so sophisticated that even the most careful users can be fooled. LinkedIn encourages people to be careful about whom they follow on social media; for example, many social media profiles are not actual people but bots designed to deceive users and lure them into divulging personal data.
NIST recommends that government agencies and companies screen passwords against lists of dictionary passwords and known compromised passwords to increase the strength of those being used. Known passwords such as 12345 are just too easy and surprisingly overused; they have been compromised for years. Also, if users can think up a code, such as replacing the number 1 with an exclamation mark or an “S” with the number 5, hackers have thought of it too, and likely long before consumers did.
Publishing definitive standards for algorithms will make things more secure for consumers, as will requiring merchants to salt and hash customers’ passwords. Website owners that adopt these increased security measures, which also reduce friction for users, see increased traction and more completed sales.
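The screening advice and the salt-and-hash advice above, as an added Python example (not code from the post, NuData or the NIST guidelines): a blocklist check that also undoes the common substitutions the text mentions, plus salted PBKDF2 storage and constant-time verification. The blocklist contents, the substitution table, the length floor and the iteration count are constructed assumptions, not values taken from the guidelines.

```python
import hashlib
import hmac
import os

# Constructed sample of a dictionary / known-compromised blocklist (not a real breach corpus).
BLOCKLIST = {"password", "12345", "123456", "qwerty", "letmein", "iloveyou"}

# Substitutions users make to dodge blocklists ("1" -> "!", "s" -> "5"); undone before lookup.
LEET = str.maketrans({"!": "i", "1": "i", "3": "e", "4": "a", "5": "s",
                      "0": "o", "@": "a", "$": "s", "7": "t"})


def normalize(password):
    """Lower-case and undo common substitutions so 'P@55w0rd' is compared as 'password'."""
    return password.lower().translate(LEET)


def screen_password(password, blocklist=BLOCKLIST, min_len=8, context_words=()):
    """Return the reasons a password is rejected; an empty list means it passed.

    Screens by a length floor, blocklist membership (also after stripping trailing
    digits and undoing substitutions), context-specific words such as the site name,
    and single repeated characters. No composition rules are applied.
    """
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    lowered = password.lower()
    candidates = {lowered, normalize(lowered), normalize(lowered.rstrip("0123456789"))}
    if candidates & set(blocklist):
        reasons.append("matches blocklist")
    for word in context_words:
        if word.lower() in lowered or word.lower() in normalize(lowered):
            reasons.append("contains context word " + repr(word))
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    return reasons


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; store the returned (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```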
Organizations looking to change their architectures can look to the new NIST standards. Some of the procedures are already in practice, but some are new. New practices will not change things overnight; it could take six months or more for companies to adopt the new frameworks. I think we will see the first rollouts in the next 3-6 months.
I’m a big fan of password manager applications. They store your passwords and other secure information in the cloud. Because the login is performed locally, vendors can’t unlock the key and your data is secure. The application syncs with your login accounts and uses randomly generated, cryptic passwords that you don’t have to memorize.
That said, I am a strong proponent of using multi-layer frameworks that leverage users’ natural behaviors combined with behavior analytics and passive biometrics to give companies the optimum chance of verifying actual users. Hackers steal passwords and credentials to commit fraud or steal money. Passwords do little to stop that activity, but hackers are not able to replicate a user’s behavior.
Meanwhile, online industries are looking for ways to extend passwords until a better system is in place. The new NIST standards give government agencies, companies and consumers a playbook to refer to for best practices in creating and maintaining passwords.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.