
password sanity

NIST recently released Special Publication 800-63 Revision 3 which deals with password standards. I understand where they are going with these recommendations, and all in all, I agree. I have some thoughts on this release, and there are a few troubling pieces to these new recommendations that I feel need to be mentioned as well.

1. Password complexity is no longer required
I disagree with this one. Passwords that are random are less likely to be in a password-cracking wordlist, and we don’t want our passwords to be in somebody’s wordlist, hence the need for randomness. That randomness is called entropy. Password entropy is calculated by first looking at the pool of characters a password is made from. For example, superdupersecureandlongpassword and password both pull from a possible pool of 26 characters in the English alphabet. However, one simple change, Password, increases that pool to 52 characters.

2. Check passwords against known bad databases
When a user creates a password, the site or service should now check that password against a list of known bad (weak) passwords as well as known breached passwords. This is great! And I’ll be shocked if 10% of all authentication mechanisms implement this any time in the near future (if ever). I mean SQL injection is still a thing after 20 years, or whatever it’s been…

3. Password length now enforced
The NIST guidelines now require users to create passwords that consist of a minimum of eight characters and may be as long as 64 characters. This change was made to support the use of passphrases, which I wholeheartedly agree with. Passphrases are what should always be used.
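As an added example (not code from the post), here is a small Python check that puts points 1 to 3 together: it computes the character pool and entropy estimate the post describes, enforces the 8-to-64 character length bounds, and screens against a known-bad list. The list contents, the 33-symbol pool size and the case-insensitive match against the list are assumptions made for the example.

```python
import math

# Constructed sample of a "known bad" list. A real deployment would check
# against a full weak/breached-password corpus, not a handful of entries.
KNOWN_BAD = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN, MAX_LEN = 8, 64  # the length bounds the guidelines set


def char_pool(password):
    """Size of the character pool the password draws from, as the post describes:
    lowercase alone is 26, adding an uppercase letter makes it 52, and so on."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII symbols (assumed pool size)
    return pool


def entropy_bits(password):
    """Upper-bound entropy estimate: log2(pool ** length) = length * log2(pool).
    It is an upper bound because it assumes every character was chosen at random;
    a dictionary word drawn from the same pool is far weaker than this number says."""
    pool = char_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Return a list of policy findings; an empty list means the password passes
    the length and known-bad checks (entropy is reported separately)."""
    findings = []
    if len(password) < MIN_LEN:
        findings.append("too short")
    if len(password) > MAX_LEN:
        findings.append("too long")
    # Lowercasing before the lookup is an assumption for this example: it catches
    # the "Password" variant that only changes the pool size, not the word itself.
    if password.lower() in KNOWN_BAD:
        findings.append("in known-bad list")
    return findings


if __name__ == "__main__":
    for pw in ("password", "Password", "superdupersecureandlongpassword"):
        print(pw, char_pool(pw), round(entropy_bits(pw), 1), check_password(pw))
```

Note that Password scores higher on the entropy estimate yet still fails the known-bad check, which is exactly the gap the post warns about when only one part of the guidance is adopted.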

4. No more password expiration
Finally! I have been strongly against scheduled password expiration for a long time, as it does nothing to enhance the strength of a password.

Ultimately, the NIST guidelines are good if they’re taken as a whole. However, in my estimation too many organizations will adopt a subset of the standard and think they are in good shape, when in fact they may have made things worse (i.e. loosened complexity requirements, but no checking against known-bad databases).

The guidelines are intended to make passwords easier to remember and harder to guess. I think that NIST succeeded in making password policies that enable easy-to-remember passwords. However, if orgs don’t salt hashes or check passwords against known-bad databases, we’re going to have a lot of easy-to-remember passwords sitting in our wordlists (*whispers* that means they’re easy to crack).