
NIST: Longer passwords beat complicated ones

Monday will be the last day the public can comment on the proposed rules from the National Institute of Standards and Technology that would simplify the password standards that government agencies must use and that private sector companies are encouraged to follow.

The proposal would eradicate password complexity rules, such as requirements that passwords contain an uppercase letter, a lowercase letter, a number and a symbol. NIST said in the proposal that user behavior often causes these complexity rules to backfire, so companies should simplify their password rules and focus on password length rather than composition.

For banks and credit unions, simplified password rules would reduce friction in online and mobile banking while improving security. The recommendations from NIST give a green light of sorts to any institutions hoping to implement similar changes to their password requirements.

Instead of password complexity rules, NIST suggests companies check passwords against a block list, which would include passwords leaked in breaches and single-word passwords that are easy to guess (such as “password” or the service’s name).

Complicated password requirements often create a maze that frustrates users trying to create strong passwords. These rules inspired online forums for the public shaming of companies that enforce such rules and a popular online game which takes players on a journey to create a password with increasingly absurd requirements.

Often, these complicated rules backfire, according to NIST.

“Highly complex passwords introduce a new potential vulnerability: They are less likely to be memorable and more likely to be written down or stored electronically in an insecure manner,” the agency said in the proposed rules. “While these practices are not necessarily vulnerable, some methods of recording such secrets will be.”

More importantly, however, research cited by the agency indicates that users respond in predictable ways when faced with password complexity requirements. That means “the most common password creation policies remain vulnerable to online attacks,” according to a 2009 paper by a team led by Matt Weir, a researcher at Florida State University.

“This is because a subset of users choose easy-to-guess passwords that still comply with the password creation policy in place, for example ‘Password!1’,” the paper said.

While less complex passwords would still be vulnerable to these predictable behaviors, the NIST proposal requires agencies to provide users with guidance on choosing a stronger password if the one they submit is found on a blacklist. This, the agency says, discourages trivial changes to weak passwords.

While password complexity rules have the theoretical advantage of requiring users to use unique passwords that are harder to crack, they often push users to use predictable variations of the same password they use everywhere. That’s according to a blog post from Enzoic, a cybersecurity company specializing in compromised password filtering and account takeover protection, about the proposed rules.

“This doesn’t necessarily mean that all password complexity rules should be removed, but we need to reconsider what makes a password complex while also considering its usefulness,” Enzoic said in the post. “That’s why NIST’s password guidelines and many other organizations eliminate the requirement for special characters in passwords.”

Frustratingly for users, companies and agencies often thwart their attempts to create memorable passwords – such as sentences or phrases – by banning certain characters from their passwords, such as spaces.

Companies often ban these characters in passwords as a means of countering SQL injection attacks, where an attacker modifies or deletes a database by entering commands through online forms. However, these attacks only work if the company’s password system is severely flawed—that is, if the company fails to hash the password before it reaches the database.

Hashing a password turns it into a fixed-length string that cannot be used in injection attacks. A hash is a one-way function: submitting the same password always gives the same result, which is how businesses should authenticate passwords, while taking a hash and trying to recover the password from it is designed to be infeasible.
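The paragraphs above describe the two things that make a password field safe from injection: the password is hashed before it reaches the database, and the query itself never has user input spliced into it. The following is an added example, not code from the article, NIST, or any vendor it mentions; it uses Python’s standard library with a constructed in-memory SQLite table, and the cost parameters and the 128-character cap are assumptions chosen for the example. Note that hashing only protects the password column; the username is stored as-is, which is why every query below is parameterized rather than built by string concatenation.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Dict

# scrypt cost parameters (assumed for this example; tune for production hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
# Upper bound on password length (assumed): well above NIST's 64-character floor,
# but bounded so that hashing time stays predictable for very long inputs.
MAX_LENGTH = 128


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, memory-hard hash: same password + salt -> same digest."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def open_db() -> sqlite3.Connection:
    """Constructed in-memory user table: only salt and digest are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a new user. Quotes, spaces and any other characters in the password are fine:
    the password never appears in SQL text, and only its digest is written."""
    if len(password) > MAX_LENGTH:
        raise ValueError(f"password longer than {MAX_LENGTH} characters")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",  # parameterized
        (username, salt, hash_password(password, salt)),
    )


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)  # parameterized
    ).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt), digest)


def demo() -> Dict[str, bool]:
    """Exercise the flow with constructed inputs, including SQL metacharacters."""
    conn = open_db()
    passphrase = "it's a long phrase; with 'quotes' and spaces"
    register(conn, "alice", passphrase)
    stored = conn.execute("SELECT digest FROM users WHERE username = ?", ("alice",)).fetchone()[0]
    return {
        "correct_password": verify(conn, "alice", passphrase),
        # A classic injection string submitted as the password is just another wrong password.
        "injection_in_password": verify(conn, "alice", "' OR '1'='1"),
        # The same string submitted as the username simply matches no row.
        "injection_in_username": verify(conn, "' OR '1'='1", passphrase),
        "plaintext_not_stored": passphrase.encode("utf-8") not in stored,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`hashlib.scrypt` is used because it is memory-hard and ships with the standard library; `hmac.compare_digest` avoids leaking, through timing, how many bytes of the digest matched.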

Instead of enforcing rules on password composition, companies should focus on password length as the “primary factor in characterizing password strength,” according to NIST’s proposed guidelines.

Notably, the proposed rules also encourage companies to increase the maximum number of characters a user can use in their password to at least 64 or even more for better results.

“Users should be encouraged to make their passwords as long as they wish, within reasonable limits,” the proposed rules state.

The only limiting factor on how long a password should be is the time it takes to hash it. This time increases for “extremely long passwords (perhaps megabytes long),” according to NIST’s proposed rule. A password this long would contain millions of characters, making it longer than the book Moby-Dick.
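The policy the article describes across its blocklist paragraphs and its length paragraphs can be expressed in a few dozen lines: a minimum and a generous maximum length, a breach/common-word blocklist, a check that the password is not a trivial decoration of a blocked word (the “Password!1” case from the Weir paper), and user-facing guidance when a password is rejected. The block below is an added example, not code from the article or from NIST; the blocklist entries, the `ExampleBank` service name, the 8/64 bounds and the “alphabetic core” heuristic are all assumptions made for the example, and a real deployment would load a breach corpus of millions of entries rather than this short constructed set.

```python
import re
import unicodedata
from typing import Tuple

# Constructed sample blocklist; in production this would be a breach corpus.
BLOCKLIST = {"password", "letmein", "qwerty", "123456", "12345678", "welcome"}

MIN_LENGTH = 8    # minimum for user-chosen passwords (assumed, NIST-style)
MAX_LENGTH = 64   # NIST says the cap should be at least 64 characters


def normalize(password: str) -> str:
    """Unicode NFKC so visually identical inputs compare equal; spaces are kept."""
    return unicodedata.normalize("NFKC", password)


def core_word(password: str) -> str:
    """Strip everything but letters and lowercase: 'Password!1' -> 'password'.
    Used to catch trivial decorations of a blocked word (heuristic, assumed)."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password: str, service_name: str = "ExampleBank") -> Tuple[bool, str]:
    """Return (accepted, message). The message is the guidance shown to the user,
    which NIST's proposal requires when a blocklisted password is rejected."""
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LENGTH:
        return False, f"Use at least {MIN_LENGTH} characters; a sentence or phrase with spaces is fine."
    if n > MAX_LENGTH:
        return False, f"Use at most {MAX_LENGTH} characters."
    if pw.lower() in BLOCKLIST:
        return False, ("That password appears in lists of common or breached passwords. "
                       "Choose a different one rather than a small variation of it.")
    core = core_word(pw)
    if core in BLOCKLIST:
        return False, ("That is a common password with digits or symbols added. "
                       "Adding characters to a known password does not make it strong; "
                       "choose a longer, unrelated phrase.")
    if service_name.lower() in pw.lower() or core == service_name.lower():
        return False, "The password must not contain the name of this service."
    return True, "OK"


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ["Password!1", "correct horse battery staple", "short",
                      "ExampleBank2024!", "Tr0ub4dor&3", "a" * 65]:
        accepted, message = check_password(candidate)
        print(f"{candidate!r:35} -> {accepted} ({message})")
```

No composition rule appears anywhere in the check: a 28-character lowercase phrase with spaces passes, while “Password!1” is rejected even though it would satisfy a classic upper/lower/digit/symbol rule.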
