National Institute of Standards and Technology (NIST) has released a set of Digital Identity guidelines mid-last year and over the last 2 months am starting to see interest and discussions around the new guidelines covering Password Security especially from Corporate organizations. Writing this blog post to outline my personal thoughts on their guidelines around Password security distilled through a few conversations with fellow security professionals.
- Overall, the recommendations heavily rely on research which is 6-7 years older and is premised on models which some within the broader Security community have contested. One aspect to keep in mind is the fact that the report they based the password guidelines on engineered effectiveness of actual passwords from a few large security breaches which have already taken place.
- The guidelines suggest removal of existing max length restrictions to as high as 64 characters. However, it’s not the length of the password itself but randomness which improves the odds of being un-crackable. For example a 60 character password can have the same odds of being cracked as a password with 13 characters based on the character combinations. The revised NIST guidelines don’t have any guidance around improving randomness.
- The server side password blacklists recommended can help against Brute force attacks. However, that comes at an additional cost of maintenance of the blacklist and brings in a variety of new variables into play within the password life-cycle which now have to be factored-in to be effective in practice. Although this might make sense for federal systems (cost benefit wise) the target audience for the guidelines, I don’t see this as a one size fits all item and haven’t found any statistical or empirical analysis/studies of this demonstrating a clear cost benefit index to be seen as a blanket guideline for all systems.
- MFA (multi factor authentication) recommended does go a long way in helping solve the security challenges and is in-fact one of the biggest take-ways from guidelines. CA SSO already supports 2 Factor authentication and if you are a looking to expand and offer stronger MFA capabilities, definitely recommend exploring CA's advanced authentication offering to supplement CA SSO.
- The other important aspect of the guidelines was the end user usability. The past NIST guidelines from early 2000s suggested force password changes, password composition rules etc. which have not been of any real benefit from a security standpoint. So, doing away with these password security/policies suggested by the past set of guidelines will improve the end-user usability.
To conclude, the guidelines provide a comprehensive lens to look at security around Digital Identities and examine existing security systems but definitely recommend deeper analysis on a case-by-case basis to see if a guideline makes sense contextually for your organization before implementing them.