NIST Draft Security Guidelines

The National Institute of Standards and Technology has issued a draft document on “Digital Identity Guidelines,” and it contains some surprises if you follow traditional password practices.

Section 5.1 is the relevant section on “memorized secret authenticators,” more commonly known as passwords or PINs. The advice is based on the latest research, so it’s worth paying attention to even if it’s a change from current practice.

  • The minimum length for user-selected passwords should be 8 characters, and ones with 64 characters or more should be allowed. The number of possible passwords goes up exponentially with their length, so a long one is a strong one.
  • Letting the user store a hint about the password is a really bad idea. It makes it easy to remember, but also easy for someone who sees the hint to guess.
  • A service should check the user’s chosen password against a list of easily guessed ones. If there’s a match, the user should be required to pick another one. Too many people will pick obvious ones like “123456” (which is also too short) or “password.”
  • Passwords should never be stored directly on the server. Instead, the server should store a hash of the password that meets certain minimum requirements. A hash is a value that is algorithmically derived from the password but doesn’t allow the password to be regenerated from it. This way, even if someone gets the password data from the server, the actual passwords aren’t compromised.
  • The number of login attempts in a session should be limited.
  • Password entry should use a secure connection.

Those requirements shouldn’t surprise many people, but now it gets interesting:

  • The service shouldn’t “impose other composition rules.” That means it shouldn’t require, for instance, digits and special characters. NIST says that “users respond in very predictable ways to the requirements imposed by composition rules.” Adding a digit to the end of a password or replacing “o” with “0” doesn’t do much good.
  • The service shouldn’t require periodic password changes for their own sake. It just makes people choose easier passwords or write them down next to the computer.
  • Users should have the option of seeing their password as they’re entering it. Hiding it is good if others might see the screen, but it makes it hard to enter complex passwords, especially on a mobile phone keyboard where typing errors are easy.
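The two lists above describe a password policy: a minimum of 8 characters with long passphrases accepted, a check against a list of commonly chosen passwords, no composition rules, and storage as a salted hash rather than the password itself. The following is an added example, not code from NIST or from this post, of what such a policy looks like in Python; the blocklist is constructed for the example, the 128-character cap and the PBKDF2 iteration count are assumptions, and NFKC normalisation is applied so the same visible string always hashes the same way.

```python
import hashlib
import hmac
import math
import os
import unicodedata

MIN_LEN = 8        # user-chosen secrets must be at least 8 characters
MAX_LEN = 128      # assumed cap; anything up to 64 characters must be accepted
ITERATIONS = 600_000   # assumed PBKDF2 work factor

# Constructed blocklist for the example; a real service would load a large,
# breach-derived list of commonly chosen passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def normalise(secret: str) -> str:
    # NFKC so visually identical input always produces the same hash
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str) -> list:
    """Return the reasons a candidate is rejected; empty means accepted.
    No composition rules on purpose: digits or symbols are never required."""
    secret = normalise(candidate)
    problems = []
    if len(secret) < MIN_LEN:          # len() counts code points, not bytes
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(secret) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if secret.lower() in COMMON_PASSWORDS:
        problems.append("found in the common-password list")
    return problems


def hash_password(secret: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; only salt and digest are stored."""
    salt = salt or os.urandom(16)
    data = normalise(secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, iterations)


def verify_password(secret: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    _, digest = hash_password(secret, salt, iterations)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Bits needed to enumerate every string of this length over this alphabet;
    shows why extra length outweighs extra symbol classes."""
    return length * math.log2(alphabet_size)
```

`guess_space_bits(16, 26)` (sixteen lowercase letters) is larger than `guess_space_bits(8, 95)` (eight characters from the full printable ASCII set), which is the point the post makes about length.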

Information theory says that a strong password is one with high entropy. Entropy, roughly speaking, is a measure of randomness. When applied to passwords, it’s measured in bits. The idea is that the number of possible passwords someone would have to guess from is the number of alternatives you can express in that many bits. Each additional bit doubles the amount of work needed to guess the password.

The NIST document, though, finds this concept too vague to be useful and says that methods of calculating entropy aren’t very accurate. A known password has just one bit of entropy, no matter how complex it is. Does “antidisestablishmentarianism” have a low entropy because it’s a dictionary word, or a high one because it’s long? It’s hard to decide what measure to apply. Instead, NIST addresses several factors that contribute to password strength:

  • Length. As already mentioned, long passwords are much harder to guess than short ones.
  • Complexity. The document discusses this mostly in the negative, i.e., what doesn’t qualify as complex. It mentions that some services get in the way of creating complex passwords by restricting the allowable characters.
  • Generation process. Randomly generated passwords are stronger than user-created ones. Unfortunately, they’re harder to remember. The document suggests that randomly generated passwords or PINs can have a lower length limit than user-generated ones.

Traditional approaches to passwords sometimes frustrate users without making the passwords any more secure. NIST is aiming at an approach that will help people to create reasonably strong passwords without running into serious frustration. Some organizations will need to change their practices to catch up with these recommendations.

White Mountain’s managed services will help your business to maintain a more secure IT operation without frustrating users. Contact us to discuss your needs.