NIST's guidelines for creating passwords
NIST publishes guidelines on creating and managing strong passwords, based on research into password security and usability.
- Password length over complexity: NIST recommends a minimum password length of eight characters for user-generated passwords and six characters for machine-generated passwords. The maximum allowed length should be at least 64 characters. Do not require password complexity rules such as special characters, uppercase/lowercase, or numbers. These usually lead to predictable patterns that can make brute force attacks a piece of cake for attackers.
- Use of ASCII characters: Let users use any ASCII character they want in their passwords, even spaces. It gives them more options and makes passwords stronger.
- Screening passwords: Check new passwords against lists of common or hacked ones. If it's on the list, ask the user to try again. This helps keep weak passwords out.
- Avoiding password changes: Don't make people change their passwords every few months. Only ask for a new one if you think someone might have hacked into their account.
- Knowledge-based authentication: Get rid of those "What's your mother's maiden name?" questions. They're not as safe as we thought, given that answers can be easy to guess or research through social engineering. Also, users can forget the answers to the questions or use the same one for multiple accounts, making it both insecure and unreliable.
- Use of password managers: Let users paste in their passwords or use password managers. A password manager creates unique passwords for different accounts and stores them, so you don't have to remember them and they stay safe. Quite a win, isn't it?
- Enforce rate-limiting: Rate-limiting is a technique that controls the number of requests or actions a user or system can make within a specified time. Here, instead of locking people out after a few wrong tries, slow down how often they can attempt to log in. It stops hackers without frustrating regular users.
- Implement MFA: When you can, add an extra step to logging in, like a code sent to your phone. Since it keeps your account safe, the pain's worth it, and more importantly, a necessity.
- Feedback: If someone's password can't be approved, tell them why.
- Random bit generators: When the system makes a password for someone, use a properly random method. No birthdays or "password456" or "YourNameAndDateOfBirth". These will only simplify brute force attacks.
- Hash passwords: Turn passwords into an unreadable form before storing them. To elaborate, password hashing is a cryptographic process that turns plaintext passwords into fixed-length strings of characters called hashes. It's a one-way function that secures passwords by making them difficult to reverse engineer.
- Enable show passwords: Give people the option to see what they're typing instead of just dots. It helps catch typos and reduces login headaches.
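The list above describes checks rather than showing them, so here is an added example (my own code, not from NIST or the original article) that turns the guidelines into a small Python policy module: a validator that enforces length and character-set rules with no composition requirements, screens against a blocklist and returns the reasons for rejection as feedback, a generator that uses the OS CSPRNG, and salted one-way hashing with constant-time verification. The blocklist entries and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
from typing import List

# Constructed sample blocklist for illustration only; a real deployment would
# screen against a large corpus of breached passwords (e.g. via a k-anonymity
# lookup service) rather than a handful of hard-coded entries.
COMMON_PASSWORDS = {
    "password", "password456", "123456789", "qwertyuiop", "letmein1",
}

MIN_LEN_USER = 8            # NIST minimum for user-chosen passwords
MIN_LEN_MACHINE = 6         # NIST minimum for machine-generated passwords
MAX_LEN = 64                # systems must accept at least this many characters
PBKDF2_ITERATIONS = 200_000 # assumed work factor; tune to your hardware


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = OK).

    Deliberately enforces no composition rules (no required digits, symbols or
    mixed case): only length, character set and a breached-password screen,
    so the caller can tell the user exactly why a choice was refused.
    """
    reasons = []
    if len(candidate) < MIN_LEN_USER:
        reasons.append(f"must be at least {MIN_LEN_USER} characters")
    if len(candidate) > MAX_LEN:
        reasons.append(f"must be at most {MAX_LEN} characters")
    # Any printable ASCII character (0x20-0x7E), including the space, is allowed.
    if not all(32 <= ord(c) <= 126 for c in candidate):
        reasons.append("only printable ASCII characters (spaces allowed) are permitted")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears on a list of commonly used or breached passwords")
    return reasons


def generate_password(length: int = 16) -> str:
    """Machine-generate a password from the OS CSPRNG (secrets), never random."""
    if length < MIN_LEN_MACHINE:
        raise ValueError(f"machine-generated passwords need at least {MIN_LEN_MACHINE} characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str) -> str:
    """Salted, iterated one-way hash; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["correct horse battery", "Password456", "short"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record), verify_password("wrong", record))
```

The validator returns every failed rule rather than the first one, which is what the "Feedback" guideline asks for; the stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later without invalidating existing records.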
What's with password expiration and resets?
With password expiration, your passwords have a life span or expiration date, which keeps the chance of someone guessing even your most secure passwords fairly low. How so? Password expiration drastically reduces the chance of a successful brute force attack. How does that happen? It reduces the chances of a password the hacker has guessed being used to attack your resources. Now we stumble upon another question. Password expiration sounds good, but what if I forget to change it before or when the expiration is due? Well, here's some good news: password managers and policy tools can notify you when it's due. This is an alarm you'd be glad to hear.
Most password policies include expiration and require you to reset your password, in order to avoid situations involving compromised credentials. Resetting passwords can be quite a task; you need to think of one too clever to be guessed. You might add a character or two at the beginning or the end of your expired password.
Before we get into managing password expiration, you might have another question. Password expiration isn't recommended, and the risks can outweigh the positives, so why would we still need it? Password expiration has alternatives, but given its need and benefits, as discussed, it remains a secure way to keep brute force attacks at bay.
How can you manage password expiration?
Now, let's get into managing password expiration:
Make use of a balanced password expiration policy
- Set reasonable expiration periods (e.g. 6-12 months) instead of frequent changes. Also, use tools to notify users when expiration is due, so that they can reset their passwords on time.
- Implement longer passwords (more than 8-16 characters) for added security, so they can be used for longer periods. Also, only enforce immediate password changes when there's evidence of compromise, as recommended by NIST.
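As an added example (my own code, not part of the article), the policy in the two points above can be expressed as a small evaluator: a maximum age inside the 6-12 month band, a reminder window before expiry, and an evidence-of-compromise flag that overrides age entirely and demands an immediate change. The 270-day maximum age, the 14-day reminder window and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class ExpirationPolicy:
    max_age_days: int = 270        # assumed: about nine months, inside the 6-12 month band
    notify_days_before: int = 14   # assumed: start reminding the user two weeks ahead


def password_status(last_changed: date, today: date,
                    policy: ExpirationPolicy = ExpirationPolicy(),
                    compromised: bool = False) -> Tuple[str, int]:
    """Classify one account's password against the policy.

    Returns (state, days_left) where state is one of:
      "must_change"  evidence of compromise: rotate now, regardless of age
      "expired"      older than max_age_days
      "expiring"     inside the notification window, reminder due
      "ok"           nothing to do
    """
    if compromised:
        return "must_change", 0
    expires_on = last_changed + timedelta(days=policy.max_age_days)
    days_left = (expires_on - today).days
    if days_left <= 0:
        return "expired", 0
    if days_left <= policy.notify_days_before:
        return "expiring", days_left
    return "ok", days_left


def reminder_text(username: str, state: str, days_left: int) -> str:
    """The message a notification tool would send for each non-ok state."""
    if state == "must_change":
        return f"{username}: your password may have been exposed; change it now."
    if state == "expired":
        return f"{username}: your password has expired; reset it at your next login."
    if state == "expiring":
        return f"{username}: your password expires in {days_left} days; please reset it soon."
    return ""


# Constructed sample directory: (username, date of last change, compromise flag).
SAMPLE_ACCOUNTS = [
    ("alice", date(2024, 1, 1), False),
    ("bob", date(2023, 9, 15), False),
    ("carol", date(2023, 1, 1), False),
    ("dave", date(2024, 5, 20), True),
]
SAMPLE_TODAY = date(2024, 6, 1)   # constructed "today" for the sample run


def due_reminders(today: date, accounts=SAMPLE_ACCOUNTS,
                  policy: ExpirationPolicy = ExpirationPolicy()) -> List[str]:
    """Return the reminders that should go out today, one per account needing action."""
    out = []
    for username, last_changed, compromised in accounts:
        state, days_left = password_status(last_changed, today, policy, compromised)
        if state != "ok":
            out.append(reminder_text(username, state, days_left))
    return out


if __name__ == "__main__":
    for line in due_reminders(SAMPLE_TODAY):
        print(line)
```

Run daily from a scheduler, `due_reminders` produces the notifications the text mentions; note that the compromise flag short-circuits everything else, which is the only condition under which the policy forces a change ahead of schedule.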
Educate users on creating strong passwords
- Train users to create strong, unique passwords of at least 12-20 characters, to use password managers, and to understand why this matters.
Implement technical controls
- Make use of MFA to add an extra layer of security beyond passwords. The extra layer can include biometric authentication or an OTP.
- Check new passwords against lists of common/compromised passwords. This helps avoid even the smallest chance of an attack when passwords are created.
- Implement account lockouts after a particular number of failed login attempts.
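The "Enforce rate-limiting" guideline earlier and the lockout point just above pull in different directions: one slows attempts down, the other cuts them off. This added example (my own code, not from the article) shows how the two combine in practice: a per-account throttle whose wait doubles after each consecutive failure, with a lockout only as a backstop after many failures, so a user's single typo costs a second while an automated guessing run is starved long before any lockout triggers. The delay values, thresholds and the simulated guessing rate are constructed assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Tuple


class LoginThrottle:
    """Per-account throttling with a lockout backstop.

    Each consecutive failure doubles the wait before the next attempt on that
    account is evaluated (1s, 2s, 4s, ... capped at max_delay). Only after
    lockout_after consecutive failures is the account locked for
    lockout_seconds. A successful login clears the counter.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 60.0,
                 lockout_after: int = 10, lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.next_allowed = defaultdict(float)  # account -> earliest next attempt

    def check(self, account: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) before any password is evaluated."""
        wait = self.next_allowed[account] - self.clock()
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record_failure(self, account: str) -> float:
        """Register a wrong password; returns the delay imposed before the next try."""
        count = self.failures[account] + 1
        self.failures[account] = count
        if count >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.next_allowed[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct login clears the failure history for the account."""
        self.failures.pop(account, None)
        self.next_allowed.pop(account, None)


def simulate_guessing(total_attempts: int = 12, attempts_per_second: float = 1.0) -> Tuple[int, int]:
    """Constructed scenario: wrong passwords are submitted for one account at a
    steady rate. Returns (guesses actually evaluated, guesses refused by the
    throttle), using a fake clock so the run is instant and deterministic."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    evaluated = refused = 0
    for _ in range(total_attempts):
        allowed, _wait = throttle.check("alice")
        if allowed:
            evaluated += 1
            throttle.record_failure("alice")  # every guess is wrong
        else:
            refused += 1
        now[0] += 1.0 / attempts_per_second
    return evaluated, refused


if __name__ == "__main__":
    print(simulate_guessing())     # (4, 8) with the defaults
    print(simulate_guessing(100))  # (7, 93): 100 guesses, only 7 ever evaluated
```

Because the throttle is keyed by account, it protects each user individually; the same structure keyed by source address is a natural second layer against a guesser that rotates through many accounts.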
Simplify the password reset process
- Provide self-service password reset options for users in your organization.
- Ensure IT support is readily available to assist with password resets when needed.
- Consider using automated password change systems.
Continuously monitor for compromised credentials
- Keep tabs on evidence of password compromise through monitoring and threat intelligence.
- Force immediate password changes if a breach or threat is detected.
Focus on overall password security
- Minimize user permissions to reduce the impact of potential password exploitation.
- Use password hashing and salting for secure storage.
- Ban password hints and knowledge-based authentication.