CISO ADVISORY PASSWORD POLICY GUIDELINES
Use Dictionaries to Pre-Qualify Passwords
Utilize Multi-Factor Authentication When It Is Supported
When Multi-Factor Authentication is Not Supported, Require 12-Character Minimum Password Length
Require 14-Character Minimum Password Length for Administrative Accounts
Implement Rate Limiting
Require Users to Change All Default Passwords Immediately
As Ronald Reagan once famously said, the nine worst words in the English language are: “I’m from the government, and I’m here to help.” Well, like it or not, the U.S. Government has offered its “help” on how organizations should manage passwords and surprisingly, some of the advice is actually useful.
In May 2016, the National Institute of Standards and Technology (NIST) published draft digital authentication guidelines: Special Publication 800-63-3: Digital Authentication Guidelines and related documents (SP 800-63-3). From May to September 2016, NIST solicited informal public comment on SP 800-63-3. NIST reported that there were over 3,700 unique visitors to the GitHub repository where SP 800-63-3 was posted and over 250 people submitted comments. Although NIST closed the informal comment period on September 17, it plans to incorporate the informal feedback into a revised draft, and open a formal comment period this Fall.
NIST published SP 800-63-3 shortly after Microsoft released its own revised set of password guidelines. The recommendations made in SP 800-63-3 and Microsoft’s Password Guidance are very similar and that should not be surprising considering that NIST has stated publicly that many of its recommendations are based on Microsoft research. Considering that the recommendations in SP 800-63-3 come from two authoritative sources (NIST and Microsoft), every organization — whether private or public — should pay attention.
So, what great advice does Uncle Sam have for us? Mindful that the specifics of SP 800-63-3 may change as NIST incorporates the comments collected to date, let’s start with the noncontroversial proposals of SP 800-63-3:
NIST: Create User Friendly Password Policies
SP 800-63-3 recommends generally that password policies should be made more user friendly. It suggests, for instance, that applications allow all ASCII and UNICODE characters and eliminate complex “composition” rules (i.e., no more of the “you must use one capital letter, one special character, one Fibonacci number…” rules).
CISO Advisory’s Take: This is a no-brainer. Academic study after academic study confirms what most security professionals already know. People are terrible at creating strong passwords. We need to make it easier on people, not harder. We should encourage use of long passphrases (more on this later) and eliminate “composition” rules which simply create a false impression that passwords are strong.
NIST: Use Dictionaries to Vet Passwords
SP 800-63-3 also recommends that all new passwords be pre-qualified against a dictionary that includes known bad words/phrases.
CISO Advisory’s Take. This shouldn’t be controversial. Why would you allow users to select passwords that are known bad? It doesn’t take a computer science PhD to know that “password”, “qwerty” and “123456” are terrible passwords. Yes, using dictionaries increases the potential risk of user frustration (and thus, a decrease in usability), but in our humble opinion the minor cost of user frustration is worth the considerable security benefit. Bottom line, using dictionaries is good common sense.
NIST: Avoid Using Password Hints and Knowledge Based Authentication
SP 800-63-3 recommends, too, that the use of password hints and knowledge based authentication (i.e. what was your high school mascot) be stopped.
CISO Advisory’s Take. While password hints and knowledge-based authentication in theory can be useful, they are in practice insecure. “Favorite food that rhymes with gacho” is a good “hint” in the sense that it will likely result in the user remembering his/her password. Problem is, of course, that anyone can figure out what it is. Mmmm, nachos.
NIST: Multi-Factor Authentication
SP 800-63-3 recommends that administrators utilize multi-factor authentication whenever possible, though notably NIST wants to phase out use of SMS as a second factor in light of recent reports of SMS vulnerabilities.
CISO Advisory’s Take. Hallelujah! We understand the “usability” argument, but the security upside is significant, especially with respect to administrative level access. Sorry, you just can’t convince us that multi-factor authentication should be viewed as optional (it’s 2016 people!).
NIST: Implement Rate Limiting
SP 800-63-3 also recommends that administrators implement controls that limit the number of failed attempts on a single account (100 consecutive failed attempts per account in a 30-day period).
CISO Advisory’s Take. Another no brainer. We can’t think of a good reason why you wouldn’t implement this control. Can you?
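One way to implement the limit described above (100 consecutive failed attempts per account in a 30-day period), as an added example that is not code from this article or from NIST. The class and method names are hypothetical, and timestamps are passed in as seconds so the logic can be exercised without a clock.

```python
from collections import defaultdict, deque

WINDOW = 30 * 24 * 3600  # the 30-day period, in seconds
MAX_FAILURES = 100       # consecutive failed attempts allowed per account


class FailedLoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def is_locked(self, account, now):
        """True once the account has max_failures failures inside the window."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return len(q) >= self.max_failures

    def attempt(self, account, password_ok, now):
        """Process one login attempt; returns 'locked', 'ok' or 'failed'."""
        # Check the limit first, so a correct guess made during lockout is refused.
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()  # success ends the consecutive run
            return "ok"
        self._failures[account].append(now)
        return "failed"


if __name__ == "__main__":
    limiter = FailedLoginLimiter()
    for second in range(100):  # constructed sequence of 100 bad guesses
        limiter.attempt("alice", False, now=second)
    print(limiter.attempt("alice", True, now=100))     # locked
    print(limiter.attempt("alice", True, now=WINDOW))  # ok: oldest failure aged out
```

Because attempts are refused once the limit is reached, each account stores at most 100 timestamps.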
NIST: Password Length
While NIST acknowledges the benefit of long passwords, SP 800-63-3 recommends that passwords have a minimum length of 8 characters, with a maximum of no less than 64 characters.
CISO Advisory’s Take. An 8-character minimum is too short, unless multi-factor authentication is supported. As Carnegie Mellon’s groundbreaking 2011 study showed, password length is the single most significant variable in determining password strength. NIST argued in response to public commentary that the 8-character setting was suitable to defend against online attacks, but the fact of the matter is that it is not impossible to brute force an 8-character password. One could reasonably argue this is “good enough.” But advances in technology will undoubtedly increase the speed by which passwords can be cracked.
Unless multi-factor authentication is supported, we recommend setting the password minimum at 14 characters (or longer!) for administrative accounts, and 12 characters (or longer!) for all other accounts. This guidance is consistent with the recommendations set out in the Center for Internet Security’s Critical Security Controls. The key, of course, is getting users to create unique passwords. We suggest that users stop thinking of a password as a single word, and instead embrace the concept of passphrases. In our experience, even simply using the term “passphrase” instead of password is effective at encouraging users to create long, unique passwords. We also support use of password managers as it’s an effective way to create and store randomly generated, unique passwords.
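A sketch of how the dictionary pre-qualification and the length minimums recommended above could be enforced together, returning reasons the user can act on. This is an added example, not code from this article or from NIST; the function names, the sample dictionary, the "leet" table, the repeated-block check and the 128-character upper limit are assumptions made for illustration.

```python
import string
import unicodedata

# Constructed sample dictionary; a production list holds many thousands of
# known-bad and breached passwords.
BAD_WORDS = {"password", "qwerty", "123456", "12345678", "donuts"}
LEET = str.maketrans("@4301!$57", "aaeoiisst")  # assumed "leet" substitutions
MAX_LEN = 128  # assumed system limit; the draft requires it to be at least 64


def repeat_unit(s):
    """Return the shortest block that s is a whole-number repetition of."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s


def candidates(pw):
    """Forms of pw to look up: as typed, minus edge symbols, de-leeted, unrepeated."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    root = folded.strip(string.punctuation + string.whitespace)
    forms = {folded, root, folded.translate(LEET), root.translate(LEET)}
    return forms | {repeat_unit(f) for f in forms}


def vet_password(pw, *, is_admin=False, mfa=False):
    """Return user-facing rejection reasons; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", pw)  # any Unicode allowed, no composition rules
    minimum = 8 if mfa else (14 if is_admin else 12)
    reasons = []
    if len(pw) < minimum:
        reasons.append(f"Too short: use at least {minimum} characters, "
                       "for example a passphrase of several words.")
    if len(pw) > MAX_LEN:
        reasons.append(f"Too long: the limit is {MAX_LEN} characters.")
    if candidates(pw) & BAD_WORDS:
        reasons.append("Too common: this is a known-bad word or a predictable "
                       "variation of one. Choose something unique.")
    return reasons


if __name__ == "__main__":
    for sample in ("P@ssw0rd!!", "1234567812345678", "correct horse battery staple"):
        print(repr(sample), vet_password(sample) or "accepted")
```

The lookup is an exact match on each derived form, so it catches decorated or repeated dictionary entries but not two bad words joined together.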
NIST: Eliminate Password Expiration
Bucking conventional wisdom, SP 800-63-3 also recommends stopping the practice of forcing users to reset passwords on a defined periodic basis (e.g. every 6 months).
CISO Advisory’s Take. We have mixed feelings on this one. While we understand NIST’s logic — why needlessly force users to change passphrases when there is no indication that there has been a compromise — we feel there is value in asking users to periodically change passwords. From our perspective, NIST is throwing the baby out with the bath water. We agree that changing passwords as frequently as once every 45 days is extreme. But there is a happy medium. We recommend that organizations require password changes either (i) once a year, or (ii) when there is a security event that calls into question the security of passwords.
SP 800-63-3 is a lengthy set of documents and it makes more recommendations than those highlighted here. We encourage email administrators, security professionals and anyone else interested in the topic to review the current draft of SP 800-63-3 and be on the lookout for a revised draft coming this Fall.
In sum, SP 800-63-3 makes solid recommendations for improvements to password management. NIST should be applauded for its efforts. Notwithstanding Reagan’s warning, NIST really has “helped.”
 In response to public commentary, NIST explained that many of its recommendations are based on “An Administrator's Guide to Internet Password Policies” published by Microsoft in 2014.
 See SP 800-63B section 220.127.116.11.
 For example, a 2009-2010 study titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis” by researchers at the University of North Carolina at Chapel Hill confirmed that people choose weaker passwords when they are confronted with password complexity rules and required to change passwords regularly. The researchers noted that people tended to create passwords that followed predictable patterns such as adding special characters to the beginning or end of a root word (@#donuts, then donuts@#, etc.) or using “Leet” speak (i.e. changing a letter with a similar looking character).
 See SP 800-63B section 18.104.22.168.
 See SP 800-63B section 22.214.171.124.
 Numerous security standards require multi-factor authentication for all administrative level access. See, e.g., Center for Internet Security's Critical Security Control 5 – Controlled Use of Administrative Privileges.
 See SP 800-63B section 5.2.2.
 See SP 800-63B section 126.96.36.199.
 Some security researchers have cautioned that there are limits to the findings of the 2011 CMU study because, among other things, the study only compared the strength of 8-character passwords to that of 16-character passwords. Still other researchers have argued that there is no guarantee that longer passwords are stronger because users will tend to select easy to remember passwords (thus, they may choose passwords such as “1234567812345678”). The key, of course, is getting users to create unique passwords. In our experience, administrators can maintain the uniqueness/strength of long passwords when they (a) pre-qualify passwords against dictionaries, and (b) carefully explain to users why a password was rejected and offer tips on creating an acceptable one.
 There are, of course, types of attacks that are effective regardless of a password’s length or complexity such as keylogging, phishing, and social engineering and it’s important for security professionals to implement controls to reduce these risks too.
 See Center for Internet Security’s Critical Security Control 5: Controlled Use of Administrative Privileges.
 See SP 800-63B section 188.8.131.52.