The National Institute of Standards and Technology (NIST) has issued new guidelines regarding secure passwords. Who is NIST? NIST is a non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.
Do you have to follow these guidelines? No, you don’t. But they are generally considered a reasonable standard not only in the U.S., but also around the globe. Following these standards are likely to give you a fair bit of protection, should you ever be accused of not following good security practices.
Here is a bit more information regarding NIST guidelines. NIST develops Federal Information Processing Standards that all federal agencies must follow. These FIPS can be found here – Special Publications (SP) 800-series. Some Alvaka Networks clients—particularly those with defense department related contracts—are obligated to comply with NIST 800-171 Standards by December 31, 2017, or they risk losing their contracts. NIST 800-171 is specified by DFARS 252.204-7012, also known as Defense Federal Acquisition Regulations Supplement. These requirements protect what is considered Controlled Unclassified Information, outlined in the section titled Safeguarding Covered Defense Information and Cyber Incident Reporting. Several Alvaka Blogs covering the DFARS topic can be found HERE.
So, what is new and remarkable about these new password guidelines and how will they impact you and your users? The new framework is certainly controversial among many security professionals. Almost all security practitioners are going to find stuff they agree and disagree with in the guidelines. In summary NIST recommends:
- Remove periodic password change requirements
This is one that legions of corporate employees, forced to create a new password every month, will surely be happy about. There have been multiple studies that have shown the requirement of frequent password changes to be counterproductive to good password security; but the industry has doggedly held on to the practice. This will remain controversial for some time, I am sure.
- Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements, needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, some claim these password policies can result in worse passwords.
- Here is a completely new one… require screening of new passwords against lists of commonly used or compromised passwords
One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords. There is even a new product from a company called PasswordPing that will do that for you. They claim to be coming out with an enhancement in the future that will also check for credentials to see if they are listed as having been compromised in other breaches. We have not yet tested the product so this is in no way an endorsement, but it is worth looking into if secure passwords are important to you.
Here are a few more links to articles on password security.