The best password advice right now (Hint: It's not the NIST guidelines)

Short and crackable vs. long, complex and prone to reuse? The password debate rages on, but this columnist has a change of mind.


The contrary password policy recommendations that the National Institute of Standards and Technology (NIST) released in its Digital Identity Guidelines, Special Publication 800-63-3, have generated much controversy. Although the publication contains a ton of great, non-controversial authentication information, many consider the new password recommendations radically wrong.

My own thinking on the NIST password policy has changed, but before I get into that, let me review what I believe to be the best password policy advice.

What your password policy should be

Here’s what anyone’s password policy should look like, if you don’t have compliance concerns:

  • Use multi-factor authentication (MFA) where possible
  • Where MFA isn’t possible, use password managers where possible, especially if they create unique, long, random passwords for each security domain
  • Where password managers aren’t possible, use long, simple passphrases for passwords
  • In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.

The overall problem with this advice is that MFA and password managers don’t work with every site and across all devices. That means that you’ll be left having to use some passwords. If your password manager chooses random, long and complex passwords and that works for some of your devices and not others, then it means you’ll need to remember or record those long and complex passwords for your edge cases.

[Figure: your new password policy chart (CSO / IDG)]

Why NIST changed its password policy

So, you’ll have to make up some of your own passwords, no matter what. If you make them long, there’s a chance you’ll reuse them, or slight variations of them, between sites. If we all started to use long but simple passphrases without any complexity, most of us would probably use simple English words. Just like the problem we have with password complexity today (where complexity really isn’t complexity, because most humans draw on the same 32 characters), we’d probably develop passphrases that hackers could more easily guess. We’d go from a bad password like "Password" to "ThisIsMyPassword," or something like that.

That reuse and lack of complexity are what NIST believes is the greater risk that its guidelines seek to avoid. “We know that faced with the latter people just make simple substitutions. A list of 20 six-character lowercase passwords gets about 3 percent of accounts,” says Cormac Herley, principal researcher with Microsoft Research. “A list of 20 eight-character [complex] passwords gets about 2 percent. Never mind worrying about GPUs and offline attacks, this stuff won’t even stand up to a half-hearted online guessing attack. If you have a simple, non-iterated, salted hash for storing passwords, there is nothing I know of that will give confidence that user-chosen passwords will withstand offline attack. If we mandated 16-character passphrases, I’m pretty sure some phrases would become common enough to give an attacker at least enough accounts to get a toehold. The defense against offline guessing is to make sure the file doesn’t leak, use an iterated or memory-hard hash, and have measures to detect and remediate.”
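An added example (not code from the column, from NIST or from Microsoft Research) of the two storage choices Herley contrasts: a fast, non-iterated salted SHA-256 beside a memory-hard scrypt hash, with constant-time verification and a rough per-guess cost comparison. The sample password, the 16-byte salt and the scrypt parameters (N=2^14, r=8, p=1) are assumptions chosen so the block runs quickly.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential and parameters (assumptions for this demo).
SAMPLE_PASSWORD = "correct horse battery staple"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB per guess


def hash_fast(password: str, salt: bytes) -> bytes:
    """The 'simple, non-iterated, salted hash' Herley warns about: one SHA-256
    call per guess, so a leaked table can be attacked at GPU speed."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_memory_hard(password: str, salt: bytes) -> bytes:
    """Memory-hard alternative: every guess must fill ~N*r*128 bytes and run
    N mixing rounds, which parallel cracking hardware handles poorly."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str) -> tuple:
    """Store a fresh random salt beside the memory-hard hash."""
    salt = os.urandom(16)
    return salt, hash_memory_hard(password, salt)


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_memory_hard(password, salt), stored)


def cost_ratio(password: str, rounds: int = 10) -> float:
    """Wall-clock cost of one memory-hard guess divided by one fast guess."""
    salt = os.urandom(16)
    timings = []
    for fn in (hash_fast, hash_memory_hard):
        start = time.perf_counter()
        for _ in range(rounds):
            fn(password, salt)
        timings.append((time.perf_counter() - start) / rounds)
    return timings[1] / max(timings[0], 1e-9)


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD)
    print("correct password verifies:", verify(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify("Password1", record))
    print("per-guess cost ratio scrypt/sha256: %.0fx" % cost_ratio(SAMPLE_PASSWORD))
```

The ratio printed is the factor by which each offline guess against the leaked table gets more expensive; it does not make a weak password strong, it only buys time for the detect-and-remediate measures Herley mentions.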

Controversial NIST reversal

For decades, established password policy advice said to require long and complex passwords, which were changed at regular intervals. How long, complex and frequently changed passwords should be was debated, but not the underlying tenets. The finalized version of NIST’s password policies, released in June 2017, reversed the world’s long-standing password tenets. Now, NIST says it’s OK to use shorter passwords with no complexity, and passwords never need to be changed unless they are compromised.

NIST’s new policies were driven by how most passwords are compromised today versus yesterday. In the early decades of computer hacking, most passwords were compromised by password guessing or cracking (i.e., converting a password’s stored, non-plaintext form back into its plaintext form). In that type of attack environment, long and complex passwords made sense.

Today, most passwords are compromised by massive breaches of the underlying password storage databases and by social engineering. Hundreds of millions of logon name/password combinations are on the Internet that anyone can easily access or purchase. These hacking methods do not care about the length or complexity of your password. Additionally, the length and complexity requirements increased the chances that users would reuse the same passwords across unrelated sites. I read a study that claimed the average user has six or seven passwords that they reuse on over 100 websites. That’s a recipe for disaster. NIST essentially said that, given the changed battlefield, following the old recommendations would make you more likely to be compromised than not.

This was such a change that nearly every computer professional (besides me) refused to believe it. I’ve not spoken to a single computer security expert who wanted to follow the new guidelines. More importantly, not a single computer security regulation or guideline body (PCI-DSS, HIPAA, SOX, etc.) that I contacted had plans to update their required password policies.

Bring on the password debates

I’m a huge supporter of NIST. I’ve worked with many of the people who debate and set new NIST policy. They are dedicated, thoughtful people, who want to improve computer security. The data behind previous NIST decisions was usually compelling. So, I saw no reason to disagree with NIST just because everyone’s gut feelings didn’t want to accept the new advice. I’m a data-driven guy.

I wrote several columns in support of the new NIST advice, and even had a few public debates including with my co-worker and friend, Kevin Mitnick. Kevin had great arguments, not the least of which was proof that using short passwords could easily get you hacked. Since then, he and others have brought more evidence and cases to support their contention that everyone should not only follow the old advice, but make sure passwords are even longer (at least 12 to 16 characters).

Don’t follow NIST’s new password advice

I was wrong. You should not follow NIST’s new password policy. As I dug into the data behind NIST’s new password policy, I found it couldn’t support the new conclusions. Some data supported the new policy, but it wasn’t as clear cut as I had seen in the past.

The data I did find led me to drop my support of the new NIST password policies. Most importantly, NIST’s advice is contingent on the newer, evolving methods of password attack, where passwords (or their hashes) are simply stolen in the course of an earlier, higher-privileged attack. These types of attacks are still the rule right now, but remote attackers can also easily get your passwords and hashes without any previous privileged attack.

I can send you a rogue link in an email, which if clicked on, can reveal your password or password hash. In some cases, simply opening the email in preview mode is enough. Microsoft released a patch to prevent the password leaks, but almost no one is applying it or any of the other defensive mitigations that would stop it. Most companies are vulnerable to this type of attack.

This was before I learned about the latest Adobe Acrobat exploit, which was just patched on February 25. An Adobe Acrobat document could contain an SMB link that would be automatically launched when a user opened the PDF document. The exploit didn’t trigger Acrobat’s normal warning message asking the user to approve URL retrievals and could reveal the user’s NT hash just like the previously discussed exploit above. Any reasonable person has to believe that any other document format allowing embedded UNC paths could be susceptible and leak the user’s password hash.

How many potential victims might click on a rogue link in an email? Well, a huge number. Social engineering and phishing have been responsible for the vast majority of successful malicious data breaches for many years, and it isn’t likely to change anytime soon. Most computer security reports say social engineering and phishing are responsible for 70 percent to 90 percent of malicious data breaches. These types of attacks are the number one threat. As long as that success rate is coupled with the ability to steal password hashes remotely in an unprivileged attack, I don’t see how anyone can recommend anything other than long and complex passwords to offset the risk.

Eight characters are not enough

NIST’s minimum acceptable password size of eight characters is no longer acceptable. Password crackers get faster and better over time. Until recently, an eight-character, complex password was deemed not super secure, but acceptable for most organizations.

This assumption was crushed recently when Hashcat, an open-source password hash cracking tool, announced that any eight-character NT password hash could be cracked to its plaintext equivalent in 2.5 hours! Good luck protecting your environment with an eight-character password.

Mitnick has regularly demonstrated successful cracking of super-complex passwords from 12 to 16 characters, and he doesn’t have the fastest password cracking rig in the world. So how long is long enough?

The answer is that longer is better, but the reality is that passwords alone aren’t sufficient for most corporate networks or for protecting sites that contain your financial or personal information. Use passwords, but not on things you really need to protect or care about. Enable MFA on anything that contains something of real value to you, at least until we get to better, stronger, more seamless authentication methods that will likely eventually win out.
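Working the column’s figures through, as an added example (not from the column, from Hashcat or from Mitnick): assuming the 2.5-hour result exhausted the full 95-symbol printable-ASCII keyspace for eight characters, the block derives the implied guess rate and applies it to longer random passwords and to passphrases built from a known word list (the 7776-word Diceware list size is an assumption). The passphrase rows show why “simple English words” passphrases are only as strong as the size of the dictionary the attacker can assume.

```python
# Assumptions for this worked estimate (the column only gives the
# "eight characters in 2.5 hours" figure): the rig exhausts the full
# 95-symbol printable-ASCII keyspace for eight characters in that time.
PRINTABLE = 95
EIGHT_CHAR_HOURS = 2.5
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776   # size of a standard Diceware list (assumption)


def implied_guess_rate() -> float:
    """Guesses per second implied by exhausting 95**8 in 2.5 hours."""
    return PRINTABLE ** 8 / (EIGHT_CHAR_HOURS * 3600)


def exhaustive_seconds(alphabet: int, length: int, rate: float) -> float:
    """Time to try every string of `length` symbols drawn from `alphabet`."""
    return alphabet ** length / rate


def describe(seconds: float) -> str:
    """Human-readable duration for the table below."""
    if seconds < 3600:
        return "%.0f seconds" % seconds
    if seconds < SECONDS_PER_YEAR:
        return "%.1f hours" % (seconds / 3600)
    return "%.0f years" % (seconds / SECONDS_PER_YEAR)


def length_table(rate: float) -> dict:
    """Random printable passwords of 8..16 characters, and passphrases of
    3..6 Diceware words. Each word counts as one symbol of a 7776-symbol
    alphabet, the worst case when the attacker knows the word list."""
    rows = {}
    for n in (8, 10, 12, 16):
        rows["%d random printable chars" % n] = exhaustive_seconds(PRINTABLE, n, rate)
    for w in (3, 4, 5, 6):
        rows["%d Diceware words" % w] = exhaustive_seconds(DICEWARE_WORDS, w, rate)
    return rows


if __name__ == "__main__":
    rate = implied_guess_rate()
    print("implied rate: %.2e guesses/s" % rate)
    for label, secs in length_table(rate).items():
        print("%-28s %s" % (label, describe(secs)))
```

At that rate a 12-character random password takes on the order of 20,000 years to exhaust, while a four-word passphrase from a known 7776-word list falls in under two hours; the block also estimates the five- and six-word cases so the jump in cost per added word is visible.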

When do you change your password?

NIST says to change your passwords only when you think you’ve been compromised, instead of on a routine schedule, like every 45 to 90 days, as was previous best practice. The problem with this is that you are far more likely not to know whether your passwords have been compromised, or when.

I’ve been using a password manager that checks real-time on every password I create and use against known and found password breaches. I can tell you that out of my over 150 passwords, many of them were previously compromised and I was completely unaware. During the last few months, another handful have been compromised. Had it not been for the password manager’s automated checks, I would not be aware of it.

Don’t ignore NIST completely

While I do not agree with NIST’s take on passwords, the rest of its identity guidelines are solid. They encourage admins and users to move away from simple logon passwords to stronger authentication methods. They discourage the use of SMS messaging as a strong authenticator and recommend more sophisticated methods. They also recommend various authentication strengths for different scenarios that make lots of sense.

However, I can no longer tell anyone to follow NIST’s new password recommendations. I was wrong in my initial enthusiasm.

This story, "The best password advice right now (Hint: It's not the NIST guidelines) " was originally published by CSO.