NIST finds 'issues' with 2003 password advice

Sam Ingrey's Cat By Samuel Ingrey, Cyber Forensic Specialist, PA Digital Trust | 14 August 2017

Memorized Secret Authenticator, or passwords to you and I, have been a bug bear of the user since they became complex, at least in part because of a National Institute for Standards and Technology (NIST) publication dating from 2003. However, in June 2017, NIST U-Turn3d! so to speak with their guidance in Special Publication 800-63B.

The 2003 NIST advice has been used around the world and I’m pretty sure that even tribes in the Amazon (rainforest not retailer) have been influenced by their words; e.g:

  • 8 Characters minimum
  • UPPERCASE, lowercase letters
  • Numbers
  • Special Characters
  • Change Passwords every 90 days

NIST has now openly admitted that there are "issues" with what they said back then. You may have personal experience of these yourself?   

  • Complicated #P@55w0rd$! are difficult to remember
  • Other securities can be imposed to limit the opportunity to brute-force (break) the password
    • Such as: Account lockout or entry rate limiting after a number of unsuccessful attempts
  • It is far easier to “hack” into someone’s account if you obtain their password from them
    • I.e. Key logging, phishing, social engineering, looking over their shoulder etc
  • As the difficulty of remembering the password goes up so does the likelihood of the user writing the password down, choosing an easy to remember password that meets the criteria like Password1! or storing it in an unsafe place.
  • People are predictable with their password choices
    • For example an 8 character password consisting of a capital first letter of a word in the dictionary followed by a number and then a special character = Bananas1!
  • The harder the requirements the simpler the user makes the password, for example, changing their password every month, this month is Bananas1!, next month is Bananas2!

So what is NIST's latest (2017) advice on passwords?

  • Make longer passwords, perhaps made up of 4 or 5 random words
    • pandalaptopstaplemouse
  • Create easy to remember passwords, less special character rubbish

They also state that more effort should be made by the service receiving the password to mitigate attempts to brute force or steal them. For example:

  • Use two single-factor authenticators or multifactor authentication
    • Two single factor uses a password and a “something you have” i.e. a code sent via text to your mobile phone
    • Multifactor is explained as “a cryptographically-secure device with an integrated biometric sensor that is required to activate the device”
  • Before a password is accepted, it should be checked against a blacklist of bad or common passwords.
  • Password creation should allow long passwords and special characters including “space” characters so phrases can be used
  • Passwords should never be stored in plain text but rather jumbled up “salted” / “hashed”
  • Limits should be used to restrict multiple incorrect guesses of passwords
  • More guidance should be issued to users when creating passwords
    • Or even create the password for the user, which can then be shorter than a user password as it is more secure.

What about the UK Government's advice from the NCSC? 

Interestingly, the UK’s National Cyber Security Centre (NCSC) has published its own advice aimed at simplifying the subject of passwords, summarised in their handy infographic reproduced below: 

NCSC Password Infographic 2017

[Source: ​]

What does SP 800-63B mean for us now?

Probably not much at the moment, I can’t imagine many organisations telling all their customers to change their passwords overnight. However, let’s hope that I’m being pessimistic and that, as a result of NIST's considered advice, the internet becomes a more secure place for all that data - like the petabytes of cat photos (the flimsy reason for my cat appearing in the image accompanying this article). Right now though, some people are so concerned about the password problem that they are opting for different authentication methods altogether, such as biometrics; voice, fingerprints, retinas etc so maybe the use of Memorized Secret Authenticators are now on their 1@5t_L3g5!

Password policies, - in line with rapidly growing security threats to the internet, - are a changin'!

#   #   #

Ready to start scoping your project? Need expert help now?

For further information or to request a quote for a social engineering ​assessment or any of our cyber security services, email our cyber security experts today or call +44 (0)1763 285 510

To develop your own technical security capability, read about our range of expert-led ethical hacking ​​training courses.

"NIST has now openly admitted that there are "issues" with what they said back then. You may have personal experience of these yourself?"


« Back