The NIST 800-63b password guidelines include password policy changes that can improve everyone’s experience with passwords, including eliminating the forced periodic password reset.
The most publicized recommendation is throwing away password complexity rules and this recommendation is still hotly contested on many security forums. However, what really catches the attention of most Active Directory and system admins, is the instruction from NIST to not expire passwords. Forced monthly, quarterly or periodic password resets are a sore point for many employees.
Moving to a policy that eliminates periodic password resets has many benefits:
Why Did We Start Enforcing Periodic Password Resets?
Before exploring cutting periodic password reset policies, let’s consider the background of password expiration policies. The original goal of requiring frequent password changes in the mid 2000’s was to improve security. If a password is valid for less time, the attacker who discovers it has a shorter window to attack. This was an effective approach because when this policy was first recommended, employees had fewer accounts to log into and were able to memorize most of their passwords.
Password Reset Effectiveness and Side-Effects:
A Forrester Research study cites that 77% of IT Departments expire passwords for all staff on a quarterly basis. Forrester also cites that it costs $70 of IT Help Desk labor for a single password reset. That is a significant percentage of the IT Help Desk budget. But businesses are discovering that resetting passwords is expensive and to top it off, users hate when their password expires because they have a plethora of online accounts to access in this day and age.
Mercifully, in 2017, NIST confirmed what many in the industry already knew. Changing passwords doesn’t improve security, so why cause all the headache for users and IT staff?
NIST explains why in the NIST 800-63B FAQ “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future.” Furthermore, a UNC study also found that if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation. They take their old passwords, they change it in some small way, and they come up with a new password (for example, Abc123! becoming Abc1234!). Forced periodic password resets produce weak passwords.
Based on these conclusions, most organizations are now actively moving to password policies that don’t expire.
What Should Organizations Do Now?
For this new policy to work effectively, organizations must prevent users from selecting “commonly-used, expected, or compromised” passwords (part of the NIST 800-63b guidelines).
The reason for this is simple. Hackers use cracking dictionaries and specialized hardware to guess passwords. Hackers create cracking dictionaries from passwords people have chosen before. They start with compromised passwords available from the many public data breaches. Combined with simple variations, these dictionaries include all the most commonly chosen passwords. It’s important to recognize that cracking dictionaries continue to evolve. It’s not enough to use a static list of bad passwords as new passwords become compromised on a regular basis due to daily data breaches and leaks.
Following the NIST guidelines involves two steps:
1- The first step is to check passwords when they are being created.
NIST guidelines state: “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.” NIST 800-63B 5.1.1.
For organizations using Active Directory, an Active Directory Password Filter is the best approach. This adds a password policy to the operating system. That allows it to work everywhere a password change happens. This includes third-party applications such as SSO or IAM tools.
2- The second step is being able to detect if the password becomes unsafe later. NIST explains:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” NIST 800-63B 188.8.131.52
Unfortunately, standard directory plugins and tools do not meet all the criteria above.
The limitation of a password filter is that it only checks at creation or reset. Passwords that were safe yesterday, may be vulnerable tomorrow. The NIST password guidelines also requires a way to detect evidence of compromise in an ongoing fashion.
The Best Approach
The best approach requires that passwords are checked against a continually updated blacklist during all stages of the password and have a tangible action after compromise is detected. This is what you should look for:
With this approach, it is only necessary to force a change when the password is found to be no longer safe instead of the forced periodic password resets. The benefits of this policy include the following:
For more information about tools that can help, visit the Enzoic website.