
Security Management
News Analysis-Security Now
Yaron Zinar, 02:37 PM

NIST Redefines the Good Password

NIST has offered new guidelines for best practices in passwords.

What makes a secure password? The National Institute for Science and Technology (NIST) has released a new set of guidelines that will be required reading for those in government IT -- and highly recommended for everyone else. In general, the new guidelines push for longer passwords (eight characters minimum and support for up to 64 characters), while simultaneously relaxing the rules for users in terms of which characters to use. All ASCII characters are to be allowed, but policies may no longer require the use of special characters. In most cases special characters add very little complexity, because humans tend to simply substitute letters with similar-looking symbols (e.g., "@" instead of "a"); an attacker guesses such substitutions easily, so they provide little additional benefit.

Next, NIST adopted a simple but incredibly important shift in philosophy. Password security can't be evaluated in a vacuum; what happens in the real world has to drive security decisions. For example, the complexity of a password won't do any good if that password has already been exposed in a breach: an attacker with a dictionary of known passwords will crack it almost instantly. As a result, it's critical for organizations to evaluate their passwords against dictionaries of common and breached passwords. Likewise, NIST did away with the recommendation for regularly resetting passwords. A password should be reset not on some arbitrary timeframe, but based on real-world signs that it has been compromised.
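The policy described in the two paragraphs above, as an added example (not code from the article or from NIST): a length check of 8 to 64 characters with no composition rules, plus a check against a compromised-password list that also catches the trivial variants the article mentions ("@" for "a", and a tacked-on digit as in "HumptyDumpty1"). The breached-password set, the leet-substitution map and the 64-character cap are constructed assumptions for this example.

```python
import unicodedata

# Constructed sample of a compromised-password list. A real deployment loads
# a large breach corpus (or queries a k-anonymity range API) instead.
BREACHED = {"password", "humptydumpty", "letmein", "p@ssw0rd", "qwerty123"}

# Undo the common letter-to-symbol substitutions the article mentions ("@" for "a").
# The mapping is a heuristic chosen for this example, not a NIST-defined table.
LEET = str.maketrans("@$!013457", "asioieast")
TRAILING = "0123456789!?."   # the "HumptyDumpty1" style tweak

def canonical(pw: str) -> str:
    """Reduce a password to the form an attacker's mangling rules would try first."""
    s = unicodedata.normalize("NFKC", pw).lower().rstrip(TRAILING)
    return s.translate(LEET)

BREACHED_CANON = {canonical(b) for b in BREACHED}

def check_password(pw: str) -> tuple:
    """Return (accepted, reason): 8..64 characters, any character allowed, no
    composition rules, but reject anything on the compromised list or a
    trivial variation of it."""
    pw = unicodedata.normalize("NFKC", pw)   # normalize before counting length
    if len(pw) < 8:
        return False, "too short: minimum is 8 characters"
    if len(pw) > 64:
        return False, "too long: this service accepts at most 64 characters"
    if pw.lower() in BREACHED or canonical(pw) in BREACHED_CANON:
        return False, "matches or trivially varies a known compromised password"
    return True, "accepted"

if __name__ == "__main__":
    for candidate in ["HumptyDumpty1", "P@ssw0rd!", "short1",
                      "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
```

The same normalization must be applied when the password is set and when it is verified, otherwise a user who typed a compatibility character at enrollment will be locked out later.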

Jim Fenton, a consultant for NIST, put together a very complete presentation covering all of the changes. The slides of his presentation can be viewed here, or the full video here.

Tips for implementing NIST's new guidelines
While all the new recommendations make sense, they do create some new work for security teams.

Here are the steps security teams will need to take to bring their organization's passwords in line with NIST's best practices:

  1. Create and maintain a database of known compromised or bad passwords. How many passwords is enough? How often does it need to be updated? How often do you check?

  • Consider that the busy work of maintaining a large database of passwords and resetting compromised accounts can be automated, without involving IT or bothering the security team.

  • Automatically maintain a massive database of compromised passwords and reveal any users or accounts using compromised credentials. Better yet, automate a response by either taking direct action, such as quarantining the user, or by forcing the creation of a new password for the affected user. Conduct the all-important work of looking for account compromise or the use of stolen credentials within your network.

  • Even the best password policy isn't going to stop phishing attacks, spyware, or malware from harvesting and reusing credentials or tokens from a compromised user. Look to a specialized provider to do the continuous heavy lifting by constantly analyzing the behavior of all users, accounts and devices in the network to identify signs of compromise. Once again, the responses to these behaviors can be fully automated.

  • Consider using an SSO (Single Sign-On) solution to manage access to external services, and a password manager where SSO is not applicable. A password manager helps users choose more complex passwords that are unique to each service, and in many cases it helps fight phishing attacks.


Getting beyond the password
While the latest NIST revisions are logical, practical, and welcome, they are not a panacea. Passwords can only do so much on their own. Users will still need to remember multiple secret phrases, will still get confused, and will still likely make small, easy changes to compromised passwords (HumptyDumpty is cracked, so why not HumptyDumpty1?). And as mentioned above, passwords get stolen in a wide variety of ways. Even upwards of 30% of passwords that conform to Microsoft rules can be cracked in a short timeframe. The question for security teams is not how to establish a bullet-proof password policy, but rather how to bring additional context to the situation and automate secure responses.

For example, if we notice that a user is beginning to behave irregularly, what is the appropriate response? The user's credentials could be compromised and an attack may be in progress. On the other hand, we probably don't want to lock out our users every time they do something unusual. This is a natural fit for a second factor of authentication.


If a user acts strangely, you will want to automatically challenge the user to verify their identity and then take the appropriate action in response. Ideally you want to create policies for integrating multi-factor authentication into any application, and trigger those policies based on the user, their role, the device being used, and a wide variety of other traits.

Get beyond static rules and trigger responses based on the risk implied by the user's observed behavior. Lastly, you will want to take into account unusual behavior by the user, the use of an unmanaged device, or other signs of a potential compromise.

In an ideal world, you let the password policy do its job without asking it to solve all things. We need good password policies, but we also have to monitor how our users and their credentials are being used live in our networks. Ideally those two things should work hand in hand.


— Yaron Zinar is senior security researcher at Preempt, pioneer of the industry's first Behavioral Firewall.
