NIST Updates Digital Identity Guidelines and Tweaks Password Advice
The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.
Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”
The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.
To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator.
NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.
Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.
Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.
Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. UNICODE characters, special characters and spaces should be allowed.
The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.
Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.
Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.
While the forced use of special characters, lower case letters, and upper case letters can improve password strength, in reality, this may not be the case. Forcing users to use at least one lower case letter, one uppercase letter, one number and one special character may not result in the creation of stronger passwords.
NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.
NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”
By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).
NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”
NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.