Are your outdated security policies making your users’ passwords worse?
Over the past decade, security experts have learned that many common password policies don’t lead to stronger passwords. Quite the opposite, in fact. Strict complexity rules and periodic forced password-change policies make passwords harder for people to remember, encouraging risky shortcuts like choosing predictable passwords or reusing a few favorites across hundreds of accounts… Sound familiar? Many of us are guilty of these habits.
But those shortcuts are exactly how cybercriminals worm their way in. Attackers systematically test credentials stolen from other data breaches. Reused passwords open the door, and with the help of automated account checking tools, even unsophisticated criminals can easily blitz hundreds of targets.
That’s why the most recent password guidelines created by the National Institute of Standards and Technology (NIST) take human behavior into account, incorporating lessons learned into policies that encourage strong passwords and mitigate risk. For enterprises, these changes can help reduce costs from account takeover, data theft, and online fraud — but they can be challenging and resource-intensive to implement.
SpyCloud has worked hard to build solutions that reduce that burden. Many SpyCloud customers already benefit from the automated detection and response capabilities provided by Active Directory Guardian to apply NIST guidelines to their employees. Today, we expanded our Consumer ATO Prevention offering to make it easier to apply NIST password guidelines to consumer accounts with our new Password Exposure API. Enterprises can prevent consumers from choosing weak or exposed passwords by checking them against billions of previously-compromised passwords in SpyCloud’s database, helping to reduce account takeover and online fraud.
Aligning your organization’s password policies with the latest NIST guidelines will help your employees and consumers create stronger passwords and reduce the risk of account takeover. We’ve condensed the recommendations from NIST below, starting with some good news.
Let Your Directory Service Do Most of the Heavy Lifting
That’s right. You can enforce basic password policies for your employees through most directory services — or in the case of consumer accounts, within your own application. These include:
- 8-character minimum
- Allow more than 64 characters
- Allow (but don’t require) special characters
- Limit failed login attempts
Only a few recommendations, such as determining whether passwords have been exposed in a third-party breach, require outside enforcement. More on that at the end of this post.
Human-Friendly Password Policies: What Not to Do
Because the latest NIST guidelines override decades-old beliefs about what makes a strong password policy, they offer pretty significant guidelines around ways to discourage users’ historically bad habits.
Don’t require password complexity
NIST reverses older guidance by advising against requiring composition rules, such as using a combination of letters and symbols. In theory, a mix of letters, numbers, and symbols can increase the difficulty of cracking a password. In practice, however, this requirement led users to create shorter passwords that are easy for criminals to crack.
For example, a user can slip by most complexity requirements with a password like ‘P@ssw0rd!’ Criminal account-checking tools automatically test for this ‘leet speak’ — the practice of replacing letters with numbers or special characters that resemble letters. Worse, users often reuse variations of their ‘secure’ password across multiple services, exposing all those accounts to further risk.
Don’t force arbitrary password changes
This includes the common policies like password expiration every 90 days. This requirement makes it harder for users to remember passwords and encourages bad habits such as choosing weak passwords, rotating through a set of familiar passwords, or ‘updating’ existing passwords with trivial changes.
Password rotation is a boon to criminals. Criminals know some users will inevitably cycle through older passwords, including those that have been exposed in previous breaches. That’s one reason criminals will patiently test stolen credentials against other accounts over the course of months or even years.
Don’t use password hints or reminders
Users often underestimate the risk of providing too much information in a reminder field, which then makes it easier for a criminal to guess the password and access the account. Some actually go so far as to set their password as the hint.
Don’t use knowledge-based authentication
The answers to knowledge-based authentication prompts, such as asking for the model of a user’s first car, are often available through public records or social media. Also, users may be prompted to answer the same questions across multiple services, encouraging credential reuse. If a criminal has access to other information about the user, this type of authentication may be easy to guess.
Help Your Users Help Themselves
Okay, you know what not to do. These NIST-approved usability guidelines encourage users to create strong passwords, without directly implementing additional requirements.
Offer the ability to view the full password
Allow users to select an option to view their full password, which can help them check their entry for errors. Optionally, NIST suggests showing one character at a time as the user enters it to help mobile users avoid mistakes.
Allow users to paste in passwords
The ability to paste passwords facilitates the use of password managers, which NIST says can increase the likelihood that users will choose stronger passwords.
Provide password creation guidance, such as a password strength meter
Provide password strength guidance to users as they create a password. This often takes the form of a password-strength meter. While this is not an out-of-the-box feature with Active Directory, it can be had through third party tools, including many password managers. Organizations can also provide employees with password strength reference materials.
Establish Essential Security Controls
Generate secure PINS
If you generate pins or passwords on behalf of your users, NIST requires that they be at least 6 characters long and “generated using an approved random bit generator” as described in NIST Special Publication 800-90A.
Encrypt passwords during transmission
This NIST requirement to “use approved encryption and an authenticated protected channel” when transmitting user passwords reduces the risk that a third party might intercept your users’ passwords. If your network communication is not secure, anyone who connects can see its traffic, and when login information is sent, the password can be seen in plaintext. For external users, make sure that your login portal has a valid SSL certificate to ensure network communication is encrypted.
Salt and hash stored credentials
NIST’s guidelines for salting and hashing stored credentials include:
- Pick a modern hashing algorithm (PBKDF2, bcrypt, etc.) that is resistant to decryption efforts
- Pick a long enough salt for each hash
- Make sure that the particular hashing algorithm is also using a pepper
Ban Commonly Used Passwords
Don’t allow users choose “commonly-used, expected, or compromised” passwords, such as:
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
- Context-specific words, such as the name of the service, the username, and its derivatives
Criminals actively use these types of common and compromised passwords in account takeover attacks. According to the 2020 Verizon Breach Report, stolen credentials have been the leading hacking technique for the last four years.
Following NIST guidance by blocking users’ the ability to choose these types of passwords is one of strongest ways organizations can protect themselves and their customers. However, this functionality requires access to a comprehensive, regularly-updated source of passwords that should be blocked, as well as the ability to check user passwords at scale. This is where a trusted partner can help.
You Don’t Have to Do It Alone
While many of NIST’s recommendations can be satisfied easily using internal resources and minimal effort, there’s one glaring exception: checking for common or previously-compromised passwords.
Because most security teams don’t have the resources to research and operationalize breach data on their own, relying on a partner who specializes in account takeover prevention can make all the difference. As you consider providers, look for these capabilities.
Check users’ passwords against an evolving list
A static list just won’t cut it, given how often new breaches occur. For context, SpyCloud researchers add roughly a billion new breach assets to our database — every month. This ever-evolving list continually adds to your risk exposure.
Access new exposures as soon as possible after a breach
That’s because by the time a breach has made the news, the worst damage has already been done. The most lucrative time for criminals is in the first 18 months or so after a breach; during that time they restrict access to the stolen info while they work to crack passwords and monetize stolen credentials.
Collect breach data using HUMINT
Breach data gathered by scraping and scanning the dark web offers limited protection — by the time breach data makes its way to these public sources, the worst damage has already been done. Human intelligence techniques are the only way to identify stolen credentials early in the breach timeline, while you can still act in time to protect your users.
NIST password guidelines provide a roadmap for secure, human-friendly password policies that combat the most common ways criminals break into users’ accounts.
SpyCloud enables remediation when it really counts — before criminals have illegitimately accessed corporate systems and data or siphoned cash and loyalty points from your consumers.