What are the best practices in password management?
Every few years, the National Institute of Standards and Technology revises its Digital Identity Guidelines, which include password best practices. The revisions are greeted with consternation by some because the guidance can run counter to long-cherished beliefs about what constitutes a good password and a good authentication system.
NIST takes into consideration both the theoretical aspects of authentication and the practical human aspects. There’s little benefit in instituting “secure” systems that are so complex no one will use them. In some cases, a theoretically superior system can be practically inferior.
All of which is to say that there are many common conceptions of password security that have proven counter-productive. I’d like to have a closer look at four such conceptions.
Users Shouldn’t Be Allowed To Paste Their Passwords
Let’s start with a password bad-practice that I see everywhere. It’s deeply frustrating to land on a website that my password manager can’t interact with because the site’s developers have disabled paste functionality in the password input box.
Having a sensitive password sitting in a machine’s clipboard is not optimal, but blocking pasting discourages people from using secure passwords. No one is going to carefully type in a 20-character random password. They, or their password manager, will paste it. If they can’t paste a secure password, they’ll just use one that’s easy to type (and easy to guess).
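A quick way to find this bad practice in your own forms is to scan the markup for password inputs that carry paste-blocking event handlers. The audit below is an added example, not code from the original post; it uses only the Python standard library, the HTML snippet is constructed for the demo, and the class and function names are my own. It also flags a maxlength below 64, since a hard cap on the field has the same effect of pushing people toward short passwords.

```python
"""Audit an HTML form for password inputs that block pasting.

Added example (not from the original post). Standard library only; the
form markup is a constructed sample and the names below are my own.
"""
from html.parser import HTMLParser

# Inline handlers that, when set on a password field, stop the user or a
# password manager from pasting a long random password into it.
PASTE_BLOCKING_ATTRS = ("onpaste", "oncut", "oncopy", "ondrop")

# Constructed sample: two password fields, one of which disables paste
# and caps the length at 16 characters.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw" onpaste="return false" maxlength="16">
  <input type="password" name="pw_confirm">
</form>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collect a finding for every <input type="password"> that blocks paste
    or caps its length below 64 characters."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, issue) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # html.parser lowercases attribute names; values may be None
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("type", "").lower() != "password":
            return
        name = attr.get("name", "<unnamed>")
        for blocker in PASTE_BLOCKING_ATTRS:
            if blocker in attr:
                self.findings.append((name, f"{blocker} handler blocks paste"))
        maxlength = attr.get("maxlength")
        if maxlength and maxlength.isdigit() and int(maxlength) < 64:
            self.findings.append((name, f"maxlength={maxlength} caps password length"))


def audit_password_fields(html: str) -> list:
    """Return (field name, issue) findings for the password inputs in `html`."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for field, issue in audit_password_fields(SAMPLE_FORM):
        print(f"{field}: {issue}")
```

Run it against a page's HTML and every finding names a field a password manager cannot fill properly. Paste can also be blocked from a script attached later with addEventListener, so a clean result from this static scan is not proof that pasting works; a browser-side test with your password manager is the final check.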
Avoid Complex Composition Rules
This is somewhat controversial guidance:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Why? Because users will choose the simplest password that fulfills the composition rules, and composition rules that produce truly secure passwords are hideously complex.
The guidance states that authentication systems should have mechanisms in place to reject commonly used passwords and should encourage the use of long passwords. But forcing people to stick to a specific composition pattern just invites them to game the system.
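To make the difference concrete, here is an added example (not from the original post) that puts a classic composition-rule check beside a NIST-style check built only from a length floor and a blocklist. The blocklist is a small constructed stand-in for a real list of breached or commonly used passwords, and the function names are my own. A password like Passw0rd! sails through the composition rules and is rejected by the blocklist; a long passphrase of plain lowercase words fails the composition rules and is accepted by the blocklist approach.

```python
"""Composition rules versus a blocklist check.

Added example, not from the original post. COMMON_PASSWORDS is a tiny
constructed stand-in for a real breached/common-password list; a real
deployment loads millions of entries. Function names are my own.
"""
import re
import unicodedata

# Constructed stand-in for a breach-corpus / common-password list.
# Entries are stored in normalized (NFKC, case-folded) form.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "passw0rd!", "qwerty123",
    "letmein", "welcome1", "summer2017!",
}

# The kind of rule set the post argues against: one each of lower, upper,
# digit and symbol, and no character repeated three times in a row.
COMPOSITION_PATTERNS = [
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"\d"),
    re.compile(r"[^A-Za-z0-9]"),
]
REPEAT_PATTERN = re.compile(r"(.)\1\1")


def passes_composition_rules(pw: str) -> bool:
    """Legacy-style check: mixture of character classes, no triple repeats."""
    has_all_classes = all(p.search(pw) for p in COMPOSITION_PATTERNS)
    return has_all_classes and not REPEAT_PATTERN.search(pw)


def normalize(pw: str) -> str:
    """NFKC-normalize and case-fold so trivial variants still hit the blocklist."""
    return unicodedata.normalize("NFKC", pw).casefold()


def passes_nist_style_check(pw: str, min_len: int = 8) -> tuple:
    """Length floor plus blocklist lookup, with no composition rules.

    Returns (accepted, reason) so the caller can tell the user why.
    """
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if normalize(pw) in COMMON_PASSWORDS:
        return False, "appears in the common/breached password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "correct horse battery staple", "short"):
        print(f"{candidate!r}: composition={passes_composition_rules(candidate)}, "
              f"nist={passes_nist_style_check(candidate)}")
```

The composition checker is what users learn to game: the minimum that satisfies it is a dictionary word with one capital, one digit and one symbol. The blocklist check does not care about shape; it rejects what attackers actually try first and otherwise leaves the user free to choose something long and memorable.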
Don’t Force Password Changes
Passwords should be changed when there’s evidence of a security breach, but they shouldn’t be changed arbitrarily on a schedule. Forcing people to change their passwords regularly causes them to choose simple and easily remembered passwords to which they make small modifications for every change.
Either the passwords are compromised or they aren’t. Changing them when they aren’t is counter-productive.
Limiting Password Length
In 2017, no one should be imposing arbitrary limits on password length. And yet, I frequently come across sites that limit passwords to some absurdly small number of characters. If you’re hashing passwords, the stored hash is the same length no matter how long the password is, so you can afford to be generous here. If you aren’t hashing passwords, you should be ashamed of yourself.
NIST advises that verifiers allow passwords of at least 64 characters, and that all printing ASCII characters, the space character, and Unicode characters be accepted.
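The following is an added example (not from the original post) of a verifier that stores a salted, fixed-size hash, so a 200-character Unicode passphrase costs no more storage than an 8-character one. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the record layout, iteration count, length bounds and function names are my own choices. Passwords are NFKC-normalized before hashing, as the NIST guidelines recommend, so that the same Unicode text produces the same bytes however the client composed it.

```python
"""Salted password hashing with a generous length cap.

Added example, not from the original post. Uses hashlib.pbkdf2_hmac from
the standard library; MIN_LENGTH, MAX_LENGTH, ITERATIONS, the 16+32 byte
record layout and the function names are my own choices.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8        # floor for user-chosen passwords
MAX_LENGTH = 256      # well above the 64 characters NIST says to allow
ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16


def canonical_bytes(password: str) -> bytes:
    """NFKC-normalize then UTF-8 encode, so visually identical input
    always hashes the same and spaces/Unicode are accepted as-is."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def _length_ok(password: str) -> bool:
    return MIN_LENGTH <= len(password) <= MAX_LENGTH


def hash_password(password: str, salt=None) -> bytes:
    """Return a fixed-size record: 16-byte salt + 32-byte PBKDF2 output."""
    if not _length_ok(password):
        raise ValueError(f"password must be {MIN_LENGTH}..{MAX_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not _length_ok(password):
        return False
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    short_record = hash_password("tr0ub4dor")
    long_record = hash_password("correct horse battery staple " * 7)  # 203 chars
    print(len(short_record), len(long_record))  # same size either way
```

Because the whole normalized password goes into the hash, nothing is truncated: appending one character to a long passphrase changes the stored digest, which is the property a small maxlength or a silent server-side cut-off would destroy.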
If your service or application insists on any of these password bad practices, it’s time to rethink. In any case, the NIST Digital Identity Guidelines are essential reading for all developers, system administrators, and security professionals.
Latest posts by Chris Schwarz
- Four Common Password Practices You Might Want To Reconsider - September 20, 2017