NIST in new password management policy

Published 28 April 2009

NIST offers, and opens for public comment, new password policy for government and private organizations

Passwords probably are the most commonly used method of authentication for access to information technology resources, but despite their apparent simplicity, they can be difficult to manage. Long, complex passwords are more secure than simpler ones, but they also are more difficult for the user to remember, leading to the increased possibility they will be improperly stored.

GCN’s William Jackson writes that to help government agencies — but, we should think, also private organizations — select and implement proper controls, the National Institute of Standards and Technology (NIST) has released a draft version of Special Publication 800-118, titled “Guide to Enterprise Password Management,” for public comment. Comments should be e-mailed by 29 May to, with “Comments SP 800-118” typed in the subject line.

Password management, as defined by NIST, is “the process of defining, implementing and maintaining password policies throughout an enterprise.” Because passwords are used to control access to and protect sensitive resources, organizations need to protect the confidentiality, integrity, and availability of passwords themselves. The goal is to ensure that all authorized users get the access they need, while no unauthorized users get access.

“Integrity and availability should be ensured by typical data security controls, such as using access-control lists to prevent attackers from overwriting passwords and having secured backups of password files,” NIST states. “Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves.”

Threats to the confidentiality of passwords include capturing, guessing, or cracking them through analysis. Password guessing and cracking become more difficult as the complexity of the password grows. The number of possibilities for a given password increases with the length of the password and the number of possible choices for each character. The possible choices for each character of a numerical password are 10 (0 through 9). Possible choices for passwords using letters are 26 for each character. By combining upper- and lower-case letters, numerals, and special characters, there can be as many as 95 possibilities for each character.

A four-digit numerical personal identification number has a keyspace of 10,000; that is, there are 10,000 possible combinations. An eight-character password using 95 possibilities for each character has a keyspace of 7 quadrillion. Increasing the length of the password increases the keyspace more quickly than increasing the number of possibilities for each character, NIST states.
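As an added illustration (not from the NIST draft or the article), the keyspace arithmetic above in Python, including the comparison behind the last sentence: length is the exponent, so doubling it squares the keyspace, while doubling the alphabet only multiplies it by 2 to the power of the length. The guess rate in the last function is an assumed figure, not one the draft gives.

```python
# Added example: keyspace arithmetic for the character-set sizes cited in the text.
import math

# Character-set sizes quoted in the text.
DIGITS = 10      # 0 through 9
LETTERS = 26     # letters of a single case
PRINTABLE = 95   # upper + lower case, numerals and special characters

def keyspace(choices_per_char: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return choices_per_char ** length

def entropy_bits(choices_per_char: int, length: int) -> float:
    """Keyspace expressed in bits; each extra bit doubles the guessing work."""
    return length * math.log2(choices_per_char)

def doubling_comparison(choices_per_char: int, length: int) -> tuple:
    """Keyspace after doubling the length vs. after doubling the alphabet.
    Doubling the length squares the keyspace; doubling the alphabet only
    multiplies it by 2**length, which is why NIST says length wins."""
    longer = keyspace(choices_per_char, 2 * length)
    richer = keyspace(2 * choices_per_char, length)
    return longer, richer

def exhaustive_search_seconds(choices_per_char: int, length: int,
                              guesses_per_second: float) -> float:
    """Time to try every password at a given guess rate. The rate is an
    assumed input: an offline attacker holding the hash is limited only by
    hardware, an online attacker by the lockout and delay controls."""
    return keyspace(choices_per_char, length) / guesses_per_second

if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(DIGITS, 4))
    print("8-char printable keyspace:", keyspace(PRINTABLE, 8),
          f"({entropy_bits(PRINTABLE, 8):.1f} bits)")
    print("double length vs double alphabet (26 letters, 8 chars):",
          doubling_comparison(LETTERS, 8))
    # Assumed rate of one billion guesses per second for an offline attack.
    print("seconds to exhaust 8-char printable at 1e9/s:",
          exhaustive_search_seconds(PRINTABLE, 8, 1e9))
```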

One method of password management is to use a single sign-on (SSO) tool, which automates password authentication for the user by controlling access to a set of passwords through a single password. This can make it more feasible for a user to use and remember a single, complex password.

NIST says, however, that “in nearly every environment, it is not feasible to have an SSO solution that handles authentication for every system and resource — most SSO solutions can only handle authentication for some systems and resources, which is called reduced sign-on.”

NIST makes the following recommendations for protecting the confidentiality of passwords:

  • Create a password policy that specifies all of the organization’s password management-related requirements, including Federal Information Security Management Act and other regulatory requirements. “An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various operating systems and applications.”
  • Protect passwords from attacks that capture passwords. “Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers, and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.”
  • Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. “Password guessing attacks can be mitigated rather easily by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as having a brief delay after each failed authentication attempt or locking out an account after many consecutive failed attempts. Password-cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking.”
  • Determine requirements for password expiration based on balancing security needs and usability. Regularly changing passwords “is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts.”
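As an added example (not code from the NIST draft or the article), a small verifier that applies two of the mitigations quoted in the third recommendation: salted PBKDF2 hashing so stolen hashes resist cracking, and an account lockout after consecutive failed attempts to slow online guessing. The iteration count, failure threshold and lockout window are assumed values chosen for illustration, not figures from the draft.

```python
# Added example: password verification with salted hashing and lockout.
import hashlib
import hmac
import os

ITERATIONS = 200_000      # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)
MAX_FAILURES = 5          # consecutive failures before lockout (assumed policy)
LOCKOUT_SECONDS = 900     # lockout window in seconds (assumed policy)

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per account defeats
    precomputed tables and makes identical passwords hash differently."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class Account:
    """Stores only the salt and hash, never the password itself."""
    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.failures = 0          # consecutive failed attempts
        self.locked_until = 0.0    # clock value at which the lockout ends

def authenticate(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'denied'. `now` is passed in rather than read
    from the system clock so the lockout window can be exercised in tests."""
    if now < acct.locked_until:
        return "locked"            # refuse without even hashing the guess
    _, candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.digest):   # constant-time compare
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"

if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    for t in range(MAX_FAILURES):
        print(t, authenticate(acct, "wrong guess", float(t)))
    print("after lockout expires:",
          authenticate(acct, "correct horse battery staple", MAX_FAILURES + LOCKOUT_SECONDS))
```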