Key Takeaway
NIST updated its Digital Identity Guidelines, emphasizing longer passphrases over complexity. Organizations must adapt or risk vulnerabilities. Key changes include blacklisting passwords and promoting multifactor authentication.
What Happened
The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines, specifically focusing on password policies. Released in October 2023, the updated guidelines aim to enhance password security practices for federal agencies and, by extension, organizations following NIST’s framework. The revision was spurred by continuous data breaches where compromised passwords have played a significant role, emphasizing the need for stronger password practices.
NIST's new guidelines recommend eliminating the mandatory password complexity requirements traditionally emphasized, such as including symbols and numbers, which often lead to predictable and easily cracked passwords. Instead, the focus shifts towards encouraging longer passphrases and leveraging password managers. This update aligns with NIST’s ongoing efforts to adapt to evolving security needs and follows exhaustive analysis of common password weaknesses and attack patterns observed over recent years.
Technical Details
The new guidelines, documented in NIST Special Publication 800-63B, advocate for significant changes in managing and securing passwords. The guidelines recommend against periodic password resets unless there is evidence of compromise. This change is based on studies indicating that frequent mandatory changes do not significantly improve security and can potentially weaken it.
The guidelines also emphasize the use of password blacklists to block commonly used and breached passwords. For example, passwords like "Summer2023" or "Password123" should be banned. Systems should also reject passwords made of repeated or sequential characters and should cross-reference each candidate against lists of known breached credentials. The guidelines suggest incorporating multifactor authentication (MFA) as a supplementary control.
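The checks described above, written out as an added Python example (this is illustration code, not code from the original article or from NIST): no composition rules, a minimum and maximum length, a blacklist lookup, a repeated/sequential-character rule, and a context-word rule. The blacklist is a constructed in-memory set of SHA-1 hashes standing in for a real breached-credential corpus, and the function names `check_password` and `has_sequence` are this example's own.

```python
import hashlib

# Constructed sample blacklist. A real deployment would load a breached-credential
# corpus; hashing the entries means the plaintexts never sit in the checker's memory.
_SAMPLE_BLACKLIST = ["Summer2023", "Password123", "qwerty", "letmein", "iloveyou"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BLACKLIST}

MIN_LEN = 8    # lower bound on memorized secrets
MAX_LEN = 64   # must be at least 64 so long passphrases are not truncated


def has_sequence(pw, run=4):
    """True if pw contains `run` identical characters (aaaa) or a monotonic
    run of adjacent code points (abcd, 4321); case-insensitive."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def contains_context_word(pw, context):
    """True if the password embeds a context-specific word such as the
    username or the service name."""
    low = pw.lower()
    return any(w and w.lower() in low for w in context)


def check_password(pw, context=()):
    """Return the list of reasons a candidate is rejected; an empty list means
    it is accepted. Note there is deliberately no symbol/digit/case rule."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        reasons.append("found in breached-password list")
    if has_sequence(pw):
        reasons.append("contains repeated or sequential characters")
    if contains_context_word(pw, context):
        reasons.append("contains username or service name")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password123", "abcd1234!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, context=("alice",)) or "accepted")
```

Spaces and Unicode are accepted as-is, and the candidate is never truncated before hashing, so a 28-character passphrase with no symbols passes while a short, breached, or patterned secret is refused with a reason the user interface can display.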
Also notable is the guidelines' alignment with known CVEs such as CVE-2021-34527, which underscores the risk of outdated password habits in vulnerable systems. The updated guidelines aim to reduce the effectiveness of brute-force attacks and credential stuffing by encouraging the use of longer passphrases and MFA.
Impact
Organizations, particularly those adhering to NIST standards, must revisit and potentially overhaul their password policies. This includes federal agencies, defense contractors, and companies within critical infrastructure sectors. The potential impact of not adapting to these guidelines includes increased vulnerability to attacks such as credential stuffing, which could compromise sensitive data and operations.
While the guidelines are not legally binding outside federal agencies, they are widely regarded as best practices and are recommended for adoption by private sectors aiming to bolster their security postures. Companies not aligning with these revised recommendations risk falling behind in their cybersecurity defenses.
What To Do
- Review and update password policies to remove complexity requirements and promote passphrases.
- Implement a password blacklist to block weak or commonly breached passwords.
- Halt mandatory password expiration policies unless a compromise is suspected.
- Deploy multifactor authentication to add an extra layer of security.
- Train employees on creating strong passphrases and the importance of using password managers.
- Perform regular audits of password policies and procedures to ensure compliance and effectiveness.
Security teams should prioritize these changes to align with NIST’s updated guidance, enhancing their defensive posture against password-related vulnerabilities. Keeping abreast of these best practices is critical to safeguarding sensitive data from evolving threats.
Original Source: SANS ISC