Digging into the new NIST password policy recommendations

I've had a few instances recently where questions around the new NIST password policy recommendations have popped up. It first happened last week when I was at ShowMeCon. The second question for our panel was around the new NIST recommendation for passwords. Then I had someone ask me about it in the comment section on this site. I feel like there was another instance, but I can't remember it.

I tweeted out the poll above on Twitter. As you can see, two-thirds of infosec professionals like it. I am in that camp as well. There was some great discussion in the replies to the poll on why it's not a good recommendation. Dave Chronister was also against it on the panel at ShowMeCon. I decided I wanted to dig into it a little more.

My understanding of it is that NIST recommends increasing the minimum requirement for password complexity and ditching the rotation of passwords every 90 days. The idea is that people are more willing to remember longer and more complex passwords if they don't have to rotate them as often. I've asked some people at work about this, and they are in favor of not having to change their password as much.

I know how easy it is to either crack or compromise someone's credentials via a phish. The question I have is whether anyone on a penetration test has had their credentials stop working because that person's password was 90 days old (if you've had this experience, I would love to hear about it in the comments). In my view this new recommendation improves the user experience while asking users to improve their password. Someone would still need to rotate their password if it were compromised.

Before we get too far down the user experience path, let's take a step back and look at what NIST actually recommends. The guideline is NIST 800-63B. This is my first time reading it as I'm writing this post (and having a delicious home-brewed chocolate milk stout).

We're looking at section 5.1.1.1. There it says password lengths "...SHALL be at least 8 characters in length if chosen by the subscriber." It goes on to say later, "No other complexity requirements for memorized secrets SHOULD be imposed." There is no mention, specifically, of rotating passwords. My assumption is that it was removed from the documentation. According to passwordping.com, it added the requirement to screen for commonly used or easily guessable passwords, which I see in section 5.1.1.2.

Based on that, NIST is suggesting we ditch password complexity and password rotation but keep an 8-character minimum. I'm not sure I'm on board with that. I'd prefer to require longer passwords and ditch complexity and rotation. I think there needs to be a give and take here with passwords: we'll require less rotation of passwords (they're just enumerating anyways) in exchange for longer passwords. That doesn't seem to be the case with the new NIST recommendation.

I like the idea of challenging some of our old ways of doing things in the industry. I recently talked to someone about passwords. They were complaining to me about how many passwords they had to remember. I asked if they were using a password manager. They were not. That was a red flag right there that they were probably using weaker passwords. That also meant they were probably enumerating their password by numbers or characters, which meant that even if they rotated their password, you could probably guess the new one.

I am a big believer in practical security. I think it's a good approach. It's a good balance between meeting people's needs and getting security most of what it wants. If ditching the rotation of passwords results in longer and stronger passwords, I'm all for it. I like the idea of checking for commonly used or easily guessable passwords. I really like the idea of checking for compromised passwords against a site like Have I Been Pwned.
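To make the checks discussed above concrete, here is an added example (not code from the original post, NIST, or Have I Been Pwned) of an 800-63B-style verifier: an 8-character minimum, no composition rules or expiry, a blocklist of common passwords, and a breach check in the Pwned Passwords k-anonymity format, where the client sends only the first 5 hex characters of the password's SHA-1 hash and compares the remaining 35 locally against the returned `SUFFIX:COUNT` lines. The blocklist and the API response are constructed stand-ins so the example runs offline; a real deployment would fetch the range response over the network.

```python
import hashlib
from typing import Optional

# NIST SP 800-63B 5.1.1.1: at least 8 characters if chosen by the subscriber.
MIN_LENGTH = 8

# Constructed sample blocklist (a real one would be a large corpus of
# commonly used, expected or compromised values, per 5.1.1.2).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_match(password: str, range_response: str) -> int:
    """Return the breach count for `password` from a range response of
    `SUFFIX:COUNT` lines, or 0 if the suffix is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def build_sample_range_response(password: str, count: int) -> str:
    """Constructed stand-in for an API response that lists `password`
    alongside two made-up suffixes; only used so the example runs offline."""
    _, suffix = sha1_prefix_suffix(password)
    return "\n".join(["A" * 35 + ":3", f"{suffix}:{count}", "B" * 35 + ":1"])


def check_password(password: str, range_response: Optional[str] = None) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no character-class rules and no rotation, per 800-63B."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if range_response is not None:
        hits = hibp_range_match(password, range_response)
        if hits > 0:
            problems.append(f"found in {hits} known breaches")
    return problems
```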