Back in June 2017, NIST published the finalized version of the NIST Special Publication 800-63 series covering digital identity. NIST Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management”, describes many recommendations for authenticators, covering authentication methods such as memorized secrets (e.g., passwords or passphrases), multifactor authentication tokens and a few other authenticator types. I recently revisited this document and want to share some of the recommendations for memorized secrets made by NIST that will help many organizations.
Passphrase and Password Best Practices
In one of the first sections, 5.1.1, NIST describes the recommended composition of memorized secrets, including minimum and maximum lengths and the characters that should be permitted. Some key entries include:
- Require at least eight characters and permit a maximum of no less than 64 characters; an even higher maximum is better
- Allow all available characters, including special characters, spaces, Unicode and emoji
- Do not truncate the secret
- Do not impose composition rules, such as requiring mixed case or particular character classes
The above recommendations encourage the use of longer passphrases rather than the standard password most users rely on. This recommendation is reinforced in section 10.2.1, which reads:
“Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.”
Passphrases can be harder to crack because their greater length potentially provides more entropy than a shorter password. However, length alone does not guarantee a good passphrase. Some studies have pointed to passphrases being more effective, while others indicate they are less effective. Yet for end users, I believe there is a benefit to usability. In the next section, we cover further recommendations to ensure the quality of the passphrase.
Ensuring the Quality of the Memorized Secret
A passphrase, just like a password, is not immune to poor quality and compromise. These issues may be mitigated by regular automated review and comparison against rule sets. NIST recommends regularly comparing memorized secrets against various lists to identify weak or compromised values. The examples NIST provides include:
- Passwords obtained from previous breach corpuses — i.e., a database of known breached credentials
- Words from the dictionary
- Repetitive or sequential characters (e.g., “aaaaaa” or “1234abcd”)
- Context-specific words, such as the name of the service, the username and derivatives thereof
To summarize, passphrases, just like passwords, require good policy and regular checking. This periodic review is especially essential when paired with the next recommendation regarding password rotation.
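As an added example (not code from the post or from NIST), here is a verifier-side check in Python that applies the section 5.1.1 composition rules and the blocklist comparisons listed above in one function. The sample breach corpus and dictionary, the 256-character maximum, the four-character threshold for repetitive or sequential runs, the reversed-spelling derivative and the NFKC normalization step are assumptions chosen for illustration.

```python
import re
import unicodedata

# Constructed sample lists: a real verifier loads a breach corpus and a
# dictionary far larger than this (the values below are placeholders).
BREACH_CORPUS = {"password1", "letmein", "qwerty123"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey"}


def _is_sequential(chars):
    """True when every adjacent pair steps by exactly +1 or -1 (e.g. '1234', 'dcba')."""
    diffs = {ord(b) - ord(a) for a, b in zip(chars, chars[1:])}
    return diffs == {1} or diffs == {-1}


def check_memorized_secret(secret, *, username="", service="", min_len=8, max_len=256):
    """Return the list of reasons a memorized secret is rejected ([] means accepted).

    Applies the checks discussed above: length counted in Unicode code points
    (spaces and emoji count, bytes do not), no composition rules, and blocklist
    comparison against a breach corpus, dictionary words, repetitive or
    sequential characters and context-specific words. max_len=256 is an
    assumption chosen to exceed the 64-character floor the post quotes.
    """
    problems = []
    # NFKC normalization (recommended by SP 800-63B, not quoted in the post) so that
    # equivalent Unicode spellings are measured and compared the same way.
    s = unicodedata.normalize("NFKC", secret)
    n = len(s)  # code points, never bytes; an over-long secret is rejected, never truncated
    if n < min_len:
        problems.append(f"too short ({n} < {min_len})")
    elif n > max_len:
        problems.append(f"too long ({n} > {max_len})")
    lowered = s.lower()
    if lowered in BREACH_CORPUS:
        problems.append("found in breach corpus")
    if lowered in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if re.search(r"(.)\1{3,}", lowered):            # e.g. "aaaa"
        problems.append("repetitive characters")
    if any(_is_sequential(lowered[i:i + 4]) for i in range(len(lowered) - 3)):
        problems.append("sequential characters")    # e.g. "1234", "abcd"
    # Context-specific words: the service name, the username and a simple
    # derivative (reversed spelling), all compared case-insensitively.
    for word in (username, service):
        w = word.lower()
        if w and (w in lowered or w[::-1] in lowered):
            problems.append(f"contains context-specific word {word!r}")
    return problems
```

Note that the dictionary check rejects only a secret that is itself a single dictionary word, so multi-word passphrases built from ordinary words still pass.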
The Controversy: No More Password Rotations?
One of the more controversial recommendations NIST makes is the following:
“Do not require that memorized secrets be changed arbitrarily (e.g. periodically) unless there is a user request or evidence of authenticator compromise.”
This recommendation provides a few benefits to the security of the passphrase. First, it discourages the common workaround of reusing a password with only the trailing number changed (Password1, Password2, etc.). Second, it aids memorization, since the user no longer has to remember an arbitrary value chosen for each new password. Finally, the regular automated checking against insecure-secret lists described in the previous section reduces the burden on users by forcing a change of the memorized secret only when it is needed. This set of recommendations benefits end users who rely on memorized secrets. However, more sensitive memorized secrets, such as domain admin and service account secrets, should still be rotated regularly.
The Tip of the Security Iceberg
For this blog, I focused on only a few specific sections (5.1.1, 10.2.1 and Appendix A) of the 800-63B document covering memorized secrets. There are many more great recommendations I did not include, along with other forms of authentication covered in this document. It’s good to remember that most end users type their password or passphrase over and over again into various business-critical systems. These recommendations enhance a crucial layer of security, making memorized secrets easier for end users to work with while still hard for attackers to crack.