
The Gist of NIST: Password Recommendations to Remember



A cyber-security company that helps organizations automatically detect the use of compromised credentials.

Many IT professionals will already be familiar with the National Institute of Standards and Technology (NIST), the non-regulatory federal agency within the U.S. Department of Commerce. Its reputation extends beyond its stated mission (to promote innovation and industrial competitiveness through measurement science, standards, and technology), and NIST has also become a source of security advancement and of recommendations for new policies. NIST develops both Federal Information Processing Standards (FIPS) and guidance documents through its Special Publications (SP) 800-series.

For the government and private companies alike, NIST guidelines often become the foundation for cybersecurity best practices. As many system administrators have found, NIST is excellent at providing tips about which practices to leave behind. Though it does not always provide solutions, there are data-driven research and conclusions that indicate the best directions in which to head.

As we kick off 2021, we can look back on highlights from the NIST publications and how they impact cybersecurity conversations. Among these are standards that address common employee behavior and place more responsibility on organizations' internal password security policies.

Previous NIST recommendations related to passwords have changed in many categories. The highlights include:

1. Eliminating the Requirement for Characters Used in Passwords

It was previously thought that requiring users to build passwords from a combination of character classes (upper- and lowercase letters, numeric digits, and special characters such as punctuation) led to impermeable passwords. Research has, in fact, shown the opposite to be true. Forcing lots of symbolic variation made passwords harder to remember, and instead increased reuse of a root password, which exacerbated the problem. In short, such requirements mean that users often just add a capital or special character in predictable places in a previously used password, which hackers are then able to guess just as easily. Now, NIST recommends eliminating the requirement for character variation.

2. Allowing Copy/Pasting Passwords

Copying and pasting passwords into a login form used to be seen as an easy way for hackers to steal data and credentials, because the password was saved to the clipboard. NIST weighed that risk against the benefits of allowing paste and came down on the side of allowing it.

In reality, having the ability to copy/paste complex, unique passwords into the field encourages the use of password manager applications. These allow users to store their strong passwords, including ones generated randomly that are particularly difficult to remember, and then paste them into the field when appropriate.

3. Getting Rid of Periodic Password Resets

It was a commonly held belief until recently that asking users to change their passwords on an arbitrary but regular basis, like every three months, would help eradicate weak passwords. However, the data showed that users a) just make small predictable changes to passwords instead of creating unique ones, and b) have a difficult time remembering constantly changing passwords. The issues with user memory and frequent resets can also lead to more IT help desk requests, which take up time and money.

Periodic password resets also don't make logical sense considering how data breaches work. A user's credentials could be stolen at any time. Perhaps they fall victim to a phishing attack months before a reset is mandated; the threat actor then has plenty of time to compromise the system and establish access that no longer depends on that single user's credentials, so the eventual reset changes nothing.

Instead, there needs to be a system that alerts users to the fact that their credentials have been compromised as soon as possible, in addition to triggering other mitigation actions like account lockouts and threat scanning.

4. Screening Passwords Against Blacklists

This recommendation makes a great deal of sense in light of the other suggested changes to password policy. NIST guidelines state that organizations should be screening passwords against lists of commonly used or compromised passwords. Through screening at the point of password creation, users can avoid selecting exposed passwords that will introduce new security risks. Additionally, organizations should constantly monitor existing passwords for exposure, since a password that is safe today can be compromised tomorrow.

NIST explains that the blacklist should include both commonly used passwords (like 'password1!') and compromised passwords, such as credentials that have already been leaked. Ideally, the blacklist should also be kept up to date.
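As an added example (not Enzoic's code and not a NIST reference implementation), the following Python sketches a verifier-side check that follows points 1 and 4 above: no character-class rules, the NIST SP 800-63B minimum of 8 characters and maximum of at least 64, Unicode NFKC normalization, and screening against a blocklist of commonly used passwords plus a corpus of SHA-1 digests of breached passwords (distributed as digests so the list itself holds no plaintext). The two lists, the `screen` function and its reason strings are constructed for this illustration; the extra check that strips trailing digits and symbols to catch "predictable" variants of a common password goes beyond what NIST specifies and is an assumption of this example.

```python
"""Password screening in the spirit of NIST SP 800-63B (added example)."""
import hashlib
import re
import unicodedata

# NIST SP 800-63B: user-chosen secrets must be at least 8 characters and
# verifiers should accept at least 64; no composition rules are imposed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a maintained list of commonly used passwords.
COMMON_PASSWORDS = {"password", "password1!", "123456", "qwerty", "letmein"}


def normalise(password: str) -> str:
    """Apply Unicode NFKC normalisation before any length or list check."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(password: str) -> str:
    """SHA-1 digest of the normalised password, the form breach corpora
    are commonly distributed in so the blocklist carries no plaintext."""
    return hashlib.sha1(normalise(password).encode("utf-8")).hexdigest()


# Constructed breach corpus: digests of passwords from fictional leaks.
BREACHED_HASHES = {sha1_hex(p) for p in ("Summer2020", "Welcome1",
                                         "correct horse battery staple")}

# Assumption of this example (not part of NIST's text): strip trailing
# digits/symbols so 'LetMeIn2021!' is recognised as a variant of 'letmein'.
_TRAILING_DECORATION = re.compile(r"[\d\W_]+$")


def screen(password, common=COMMON_PASSWORDS, breached=BREACHED_HASHES):
    """Return (accepted, reason) for a candidate password.

    Run this at enrolment and again at each login: login is the moment the
    verifier holds the plaintext, so an existing password can be re-checked
    against a blocklist that has grown since the password was chosen.
    """
    pw = normalise(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    lowered = pw.lower()
    if lowered in common:
        return False, "commonly used password"
    if _TRAILING_DECORATION.sub("", lowered) in common:
        return False, "predictable variant of a common password"
    if sha1_hex(pw) in breached:
        return False, "appeared in a known breach"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1!", "LetMeIn2021!",
                      "correct horse battery staple", "purple monkey dishwasher"):
        print(f"{candidate!r}: {screen(candidate)}")
```

Note that "purple monkey dishwasher" passes with no uppercase, digit or symbol: length and absence from the blocklists are the only criteria, which is exactly the shift NIST describes. Re-running `screen` at login is what turns a one-time check into the continuous monitoring the article calls for, provided the blocklists are refreshed.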

These guidelines, especially regarding the last point, may require a change in mindset, especially from the corporate perspective. The NIST standards reveal that previous approaches only led to simple formulas to determine if a password was 'safe.'

Depending on the state of cybersecurity at a given organization, the new requirements might involve writing new password policies, utilizing password managers, and keeping an up-to-date blacklist.

What Now?

As we welcome the new year, the online corporate world can move forward in a productive and secure way by adhering to the NIST password guidelines above. However, while NIST is a valuable source of recommendations for companies and IT professionals alike, it does not provide implementation recommendations. This means that some companies are left not knowing where to turn, or how to achieve their security goals, including the objective of complying with NIST standards themselves.

Many businesses opt to work with companies that specialize in helping them meet NIST guidelines, develop and maintain a superior password blacklist to screen against, and adapt password policies within Microsoft Active Directory.

By adapting quickly, and building up new defensive strategies, your company can avoid Account Takeovers, breaches, and the loss of time and money involved in trying to recover data.

by Enzoic @enzoic