
Recommended password policy

My opinion has always been that unnecessary mandatory password changes are bad: they force people to choose a new (easy to remember) password. A few days ago NIST published the finalized version of SP 800-63, the Digital Identity Guidelines. These guidelines confirm what most security experts have been saying for the last few years.

The National Institute of Standards and Technology (NIST) is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. Its new four-volume series of documents outlines how systems should handle account security.


A few important recommendations are:


Do not require that memorized secrets be changed arbitrarily (e.g. periodically).

This might be a surprise to some people, but it’s something most security experts have been saying for ages. Changing a password should only happen if:

A) the user requests a password change, or
B) the password is (possibly) compromised.

Forcing people to change their password leads to people choosing weaker, easier to remember passwords and changing their passwords in predictable ways that attackers can guess easily.

Do not impose other composition rules on memorized secrets.

According to NIST, humans have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. Most services force you to use a password constructed from a mix of character types, such as at least one digit, one uppercase letter and one symbol.

However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe. For this reason, you should focus on password length, not complexity.

Allow at least 64 characters in length to support the use of passphrases.

Since passwords are stored as a hash value, there is no reason whatsoever for a limit on the password length. NIST suggests you should allow passwords of at least 64 characters in length, and passwords should never be truncated. The point of allowing long passwords is to support the use of passphrases.

All printing ASCII (RFC 20) characters, Unicode (ISO/IEC 10646) characters and spaces should be allowed.

As stated above, since passwords are stored as a hash value, there shouldn’t be any restrictions on the characters you can use. Allow the user to put a smiley in their password if they want to.

Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant.

Password hints are bad. If you know a person well enough there is a good chance you are able to guess the password by looking at the password hint. Even if you don’t know the person, a lookup on the internet might be enough to figure it out. If you look at the top 100 password hints from the Adobe leak (pastebin link) you will be surprised at what people are using. Hints like “Name of my pet”, “Birthday” and “Name of my Daughter/Son” are extremely common.

Compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.

While you shouldn’t impose composition rules on users, that doesn’t mean you should let them pick known bad passwords. Check the chosen password against a list of known bad passwords, and block users from picking passwords like “password”, “123456”, “qwerty” or “baseball”. Just make sure to let the user know why the password they have chosen is not allowed. I would suggest you get a list of the “top x most used passwords”, hash them and store these in a database, then check the user’s choice against this list.
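As an added example (not code from the post), the checks described above combined into one validator: a generous length check without truncation, any Unicode character including spaces, no composition rules, and a lookup against a hashed blocklist. The five-word list and the minimum of 8 characters (the SP 800-63B minimum for user-chosen secrets) are my assumptions; NFKC normalization before hashing is an added detail so that equivalent Unicode spellings of a known-bad password are still caught.

```python
import hashlib
import unicodedata

# Constructed sample of a "top N most used passwords" list; a real deployment
# would load a far larger list into a database, as the post suggests.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "baseball", "letmein"]

# SP 800-63B requires at least 8 characters for user-chosen memorized secrets.
# There is deliberately no upper limit: the stored value is a hash, and the
# secret is never truncated.
MIN_LENGTH = 8


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so equivalent spellings of the same secret compare equal."""
    return unicodedata.normalize("NFKC", secret)


def blocklist_hash(secret: str) -> str:
    """Hash used only for the blocklist lookup (the list itself is public, so no salt)."""
    return hashlib.sha256(normalize(secret).encode("utf-8")).hexdigest()


def build_blocklist(words) -> frozenset:
    """Hash every known-bad password once; store the result (here: in memory)."""
    return frozenset(blocklist_hash(w) for w in words)


BLOCKLIST = build_blocklist(COMMON_PASSWORDS)


def check_password(candidate: str, blocklist: frozenset = BLOCKLIST) -> tuple:
    """Return (accepted, reason). Only length and the blocklist are checked:
    no composition rules and no restriction on characters, spaces included."""
    secret = normalize(candidate)
    # Count code points, not bytes, so non-ASCII characters are not penalised.
    if len(secret) < MIN_LENGTH:
        return False, f"password must be at least {MIN_LENGTH} characters long"
    if blocklist_hash(secret) in blocklist:
        # Tell the user why the choice was rejected, as the post recommends.
        return False, "password is on a list of commonly used passwords"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["baseball", "correct horse battery staple", "pässwörd 😀 ok"]:
        print(repr(pw), check_password(pw))
```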


In conclusion, what is the recommended password policy?

  • Do not require mandatory periodic password changes.
  • Do not impose composition rules.
  • Allow passwords of at least 64 characters in length.
  • Allow all ASCII and Unicode characters including spaces.
  • Do not offer password hints.
  • Do not allow known bad passwords.

Over the last years, we have learned a lot about passwords and how people use them through hacks and leaks. If anything has become clear, it is that people use easy to remember and easy to guess passwords. The last thing you should do is make it hard for users to remember their passwords. A password safe is a great way to go if you want long and complex passwords, but if you want users to choose their own safe password you should follow these guidelines.

XKCD Comic about password strength

“Password Strength” by Randall Munroe (XKCD) is licensed under CC BY-NC 2.5