Digging into the new NIST password policy recommendations

I've had a few instances recently, where questions around the new NIST password policy recommendations have popped up. It first happened last week when I was at ShowMeCon. The second question for our panel was around the new NIST recommendation for passwords. Then I had someone ask me about it in the comment sections on this site. I feel like there was another instance, but I can't remember it.

I tweeted out the poll above on Twitter. As you can see, two-thirds of infosec professionals like it. I am in that camp as well. There was some great discussion on why it's not a good recommendation in the replies to the poll. Dave Chronister was also against it on the panel at ShowMeCon. I decided I wanted to dig into it a little more.

My understanding of it is that NIST recommends increasing the minimum requirement for password complexity and ditching the rotation of passwords every 90 days. The idea being that people are more willing to remember longer and more complex passwords if they don't have to rotate them as often. I've asked some people at work about this and they are in favor of not having to change their password as much.

I know how easy it is to either crack or compromise someone's credentials via a phish. The question I have is whether anyone on a penetration test has had their credentials stop working because that person's password was 90 days old (if you've had this experience I would love to hear about it in the comments). In my view this new recommendation improves the user experience while asking users to improve their password. Someone would still need to rotate their password if it is compromised.

Before we get too far down the user experience path, let's take a step back and look at what NIST actually recommends. The guideline is NIST SP 800-63B. This is my first time reading it as I'm writing this post (and having a delicious home-brewed chocolate milk stout).

We're looking at section 5.1.1.1. There it says password lengths "...SHALL be at least 8 characters in length if chosen by the subscriber." It goes on to say later, "No other complexity requirements for memorized secrets SHOULD be imposed." There is no mention, specifically, of rotating passwords. My assumption is that it was removed from the documentation. According to passwordping.com, it added the requirement to screen for commonly used or easily guessable passwords, which I see in 5.1.1.2.

Based on that, NIST is suggesting we ditch password complexity and rotating passwords but keep an 8 character minimum. I'm not sure I'm on board with that. I'd prefer to require longer passwords and ditch complexity and rotation of passwords. I think there needs to be a give and take here with passwords: we require less rotation of passwords (people are just enumerating them anyway) in exchange for longer passwords. That doesn't seem to be the case with the new NIST recommendation.

I like the idea of challenging some of our old ways of doing things in the industry. I recently talked to someone about passwords. They were complaining to me about how many passwords they had to remember. I asked if they were using a password manager. They were not. That was a red flag right there that they were probably using weaker passwords. That also meant they were probably enumerating their password by numbers or characters, which meant that even if they rotated their password you could probably guess the new one.

I am a big believer in practical security. I think it's a good approach. It's a good balance between meeting people's needs and giving security most of what it wants. If ditching the rotation of passwords results in longer and stronger passwords I'm all for it. I like the idea of checking for commonly used or easily guessable passwords. I really like the idea of checking for compromised passwords against a site like Have I Been Pwned?
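As an added example (not code from the original post), here is a password screen written the way 800-63B section 5.1.1 is read above: an 8 character minimum, no composition rules, and a check against commonly used passwords. It goes a little beyond the post by also rejecting the repetitive or sequential runs and context-specific words that 5.1.1.2 names, and it shows the k-anonymity split a Have I Been Pwned range lookup relies on. The blocklist is constructed from the top-10 list further down this page; the function names and the `context_words` input are assumptions.

```python
import hashlib

MIN_LENGTH = 8  # 800-63B 5.1.1.1: at least 8 characters when chosen by the user

# Constructed blocklist: the ten passwords quoted further down this page.
# A real deployment loads a much larger breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}


def is_sequential_or_repetitive(pw, run=4):
    """True if pw has `run` identical chars in a row (aaaa) or an ascending or
    descending run of consecutive code points (1234, dcba), case-insensitive."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(pw, context_words=()):
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no upper/digit/symbol rule: 800-63B says no other composition
    requirements SHOULD be imposed. context_words (username, service name) is
    an assumed input the caller supplies."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    if is_sequential_or_repetitive(pw):
        reasons.append("contains repetitive or sequential characters")
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def hibp_range_prefix(pw):
    """Split SHA-1(pw) into the 5-hex-char prefix a Have I Been Pwned range
    query sends and the suffix the client compares locally against the
    returned list, so the full hash never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]
```

A long passphrase with no digits or symbols passes this screen, while a short, common or sequential password is rejected with a reason the user can act on.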

InfoSec links June 13, 2014

Safely Storing User Passwords: Hashing vs. Encrypting - Michael Coates - Dark Reading

A good description on the difference between symmetric encryption and hashing and some of the process involved in protecting passwords with those two methods.

Peek Inside a Professional Carding Shop - Brian Krebs - Krebs on Security

Krebs takes us on a wonderful tour of the professional carding shop "McDumpals." It's got the McDonalds arches and everything. It's a good read if you want to learn more about where stolen credit card information goes.

OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do - Brian Gorenc - HP

A new vulnerability in OpenSSL has been found. This one isn't as scary as Heartbleed, but systems do need to be checked and patched. I know that Cisco has a long list of devices affected by this and that VMware recently released a patch for ESXi 5.5 for the vulnerability. The article itself takes an in-depth technical look at the vulnerability.

This post first appeared on Exploring Information Security.

Safety Starts With Strong Passwords

This is a post I wrote for work talking about how to create a strong password.

Creating a strong password is one of the best things you can do to keep both yourself and your accounts safe, both at work and at home. However, creating a strong password is not the easiest thing to do and requires a little bit of thought.

If you choose a long string of random characters, the password is strong but easy to forget. If you choose a much shorter password without any random characters, then it's easy for someone to guess. The idea is to find a balance between the two. A recent study of passwords that had been compromised showed the top 10 worst used passwords were:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. Iloveyou
  10. adobe123

Fortunately, most places have a set of password requirements designed to keep your information safe. That does create a bit of a challenge for users because you are required to change your passwords every three months. Here are some tips that will help make the seemingly daunting task of creating strong and memorable passwords a little easier.

Pick a Theme

Most organizations will require a password to be at least eight characters—with at least one special character and one number. Try to think of something in your life, non-work related, that has all three of those elements.

Some examples include:

  • Restaurant menu
  • Retail stores
  • Hardware stores
  • Legal documents
  • Food stores

Once you have a theme, start mixing and matching numbers in a way that you can remember. For example, Chicken Strips for 14.99 from a restaurant could be ChSt14.99 or ChcktRips14.99 or Ch1ck4Nst9i9s!

There are thousands of different passwords waiting to be thought up from everyday life. The one caveat is that if you create a password from your everyday life, make sure you're not posting it all over your social media site. It's pointless to use chicken strips as part of a password if you're tweeting about it for the world to see.

Pick a Phrase

Pick a phrase and then use a combination of letters, numbers and special characters to craft your password. For example, Take The Bull By The Horns could be T-tB-b-TH0 or T8k-7@buLL-bi*7-h0rns or T-T@8'8@T-H0. Be intuitive about it and craft it in a way that you can easily remember. The same rule applies here: don't use your own personal catchphrase that's on your social media profile. Don't use anything obvious, because phrases are easily searchable, especially if they're popular.

Other Ideas

The two suggestions above are only a couple of ways to create strong and easy-to-remember passwords. It just takes a little thought on the front end. Find something that works for you, and once you do it's much easier to change and improve on a regular basis.

This post first appeared on Exploring Information Security.