Alert essentials:

The National Institute of Standards and Technology (NIST) approves using passwords up to 64 characters in length and does away with complexity recommendations.

Detailed threat description:

To enhance security practices, NIST has updated its password directives by removing complexity recommendations and the requirement to change passwords frequently. NIST SP 800-63B subsection 5.1.1.2 requires a password to be at least 8 characters long, with support for passwords of up to 64 characters. Printing ASCII characters, the space character, and Unicode characters may all be accepted when updating policies.

Password ‘hints’ shall not be stored anywhere accessible to unauthorized personnel, and verification security questions such as “What was the name of your favorite teacher?” are no longer recommended.

Updated guidance recommends checking each chosen password against a blocklist of values that have appeared in previous leaks. Strong encryption of stored credentials and the use of password managers are also among the updated specifications. Password changes are required only if a password or account has been compromised.

New standards include:

  • Password length of 8-64 characters is recommended
  • Nonstandard characters are allowed
  • Long passphrases are encouraged
  • Verify that chosen passwords do not match entries in the prohibited password dictionary
  • A password reset is required only if the password is compromised or forgotten
  • Multifactor authentication is encouraged in all applications

Impacts on healthcare organizations:

Once these updated NIST standards are adopted, users will appreciate not having to change their password on a predefined schedule.

Regular password changes create headaches for users who must continually generate and remember new passwords. The new NIST guidelines recommend password resets only in cases with a suspected threat rather than forcing resets on a set schedule.

Recommendations

Engineering recommendations:

  • There are open-source repositories of compromised and commonly used passwords, such as “SecLists” on GitHub
  • An example password validation tool based on SecLists, “NIST Bad Passwords,” is available on GitHub [15] and can be evaluated as a proof of concept by anyone implementing a dictionary check
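The following is an added example, not code from the alert or from the “NIST Bad Passwords” project, showing what a validator built on the standards listed above looks like in practice: length is counted in characters (code points), so spaces and Unicode count; the candidate is checked against a prohibited-password dictionary; and there is deliberately no character-class (complexity) rule. The blocklist here is a constructed five-entry stand-in for a SecLists-style wordlist, and the storage helpers use a salted one-way hash, which is what the alert’s “strong encryption” of stored passwords amounts to in an implementation. The NFKC normalization step is this example’s choice, so that the same password typed through different input methods compares equal.

```python
"""Password policy checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example; the blocklist contents are constructed sample data standing in
for a SecLists-style file, not a real wordlist.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import FrozenSet, Iterable, List, Optional, Tuple

MIN_LEN = 8    # minimum length from the alert
MAX_LEN = 64   # maximum length that must be accepted

# Constructed stand-in for a SecLists-style wordlist (one entry per line).
SAMPLE_BLOCKLIST_TEXT = """\
password
123456
qwerty
letmein
Password1!
"""


def load_blocklist(lines: Iterable[str]) -> FrozenSet[str]:
    """Build a lookup set; entries are lower-cased so 'PASSWORD' matches 'password'."""
    return frozenset(line.strip().lower() for line in lines if line.strip())


BLOCKLIST = load_blocklist(SAMPLE_BLOCKLIST_TEXT.splitlines())


def normalize(secret: str) -> str:
    """NFKC-normalise so visually identical input compares equal (example's choice)."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, blocklist: FrozenSet[str] = BLOCKLIST) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: any upper/lower/digit/symbol composition rule and any
    'must differ from the previous N passwords' rule, which the updated
    guidance no longer recommends.
    """
    reasons: List[str] = []
    s = normalize(secret)
    n = len(s)  # code points, not bytes: a space or an accented letter counts as one character
    if n < MIN_LEN:
        reasons.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} > {MAX_LEN} characters")
    if s.lower() in blocklist:
        reasons.append("appears in the prohibited password dictionary")
    return reasons


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a per-user salt and a memory-hard salted hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password1!", "héllo wörld café", "short"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that “Password1!” satisfies every traditional composition rule yet is rejected because it is in the dictionary, while the plain lower-case passphrase with spaces is accepted; that is the trade the updated guidance makes. In a deployment, the blocklist would be loaded from the SecLists file on disk and the hash parameters tuned to the verifier’s hardware.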

Leadership/Program recommendations:

Review NIST changes and consider modernizing password policies for the organization

 
