
Complying with NIST Password Guidelines in 2021

In the beginning, passwords lived in simple times. It was the 60’s when we first saw them used to authenticate to computer systems and it was a time where physical presence was required. Nobody was remote, nobody was dialling in and there was certainly nobody connecting over the web. You walked into a room full of computers (they were quite literally the size of a room back then), and you used your specialised knowledge of how to operate a highly complex machine that very few other people understood to authenticate using the password you stored in your head.

It took another couple of decades before computers were used by the masses, a time that also heralded the beginning of authentication to remote machines. Now we had large numbers of people using systems from all over the world and the old password logic of using your dog’s name everywhere (or something similar) was no longer sound. So we created password complexity criteria with the logic being that more characters of more types would create stronger passwords. And, just to be doubly certain a compromised password would have limited usefulness, we demanded people change them on a regular cadence.

Thus began the era of “P@ssw0rd1”, “P@ssw0rd2” and so on and so forth as humans sought out the path of least resistance around the security barriers that were put in their way.

NIST’s password guidelines recognise human fallibility and provide practical advice on how to help users secure their accounts in the modern era. The landscape has changed since the 60’s, and so must our approach to passwords. – Troy Hunt

Security is often seen as a necessary evil, so users tend to regard any change to policy in this area as tedious to adopt. The benefits to both the users and the organization implementing the change make it worthwhile, and further down in this article there are practical steps to help the change land as positively as possible with your users.

There are several reasons you might want (or need) to comply with the latest NIST password guidelines. Here are some of the most common:

  • To satisfy a regulatory or industry requirement (HIPAA, the NIST Cybersecurity Framework, PCI DSS, GDPR, etc.).
  • To reduce user frustration by significantly lengthening the password rotation interval (or removing forced rotation altogether).
  • To reduce the number of helpdesk calls from users who have forgotten their passwords (largely a consequence of the point above).
  • To protect against credential stuffing and password spraying, which are among the most common initial-access techniques seen in recent breaches.
  • To bolster your organization’s overall resilience against the weakest link in security today: user passwords.

What are the new NIST Password Guidelines Requirements?

In a nutshell, the aim is to protect digital information assets from being broken into by means of a predictable, compromised or pwned password. The guidelines are not trying to defend against an offline brute-force attack by an adversary with unlimited resources (that is the job of a properly salted, slow password hash on the verifier side, not of the password policy), so we need to be pragmatic in our advice to users and recognise what has and has not worked with past advice.

The new guidelines (NIST SP 800-63B) dictate the following:

  • Long minimum lengths are overrated: an 8-character minimum is sufficient, and the system should accept passwords of at least 64 characters.
  • Composition rules (requiring mixed case, digits or symbols) are more of a hindrance than a help: allow such characters, but don’t enforce them.
  • Passwords must not be common words, as found in a typical wordlist or dictionary.
  • Passwords must be checked against a corpus of breached or pwned passwords.
  • Password rotation should not be enforced. Users should change their password only if it is compromised (or suspected to have been compromised).
  • Implement a sensible limit on the number of failed online authentication attempts.

Let’s discuss each of these points in more detail.

Password Length

In the past, much of the focus has been on asking users to create long and ‘complex’ passwords, but it turns out this advice confuses users and doesn’t have the desired effect, particularly when the security objective is to prevent online attacks, namely credential stuffing and password spraying. These have grown rapidly in recent years and are among the principal methods attackers use to compromise organisations large and small. An 8-character minimum is sufficient (together with the other requirements, of course, not in isolation).

Password Uniqueness

Because we’re trying to stop an attacker guessing a user’s password in a small number of online attempts, it’s important to steer users towards a password that is unique, doesn’t appear in a common wordlist and isn’t predictable (i.e. not based on an attribute of the user that an attacker could easily guess). Furthermore, given the myriad recent password breaches, it is of paramount importance to check the password against a corpus of breached or pwned passwords; the Pwned Passwords service within Have I Been Pwned, run by Troy Hunt, is the most comprehensive and most readily available.

NIST gives further detail on what constitutes a predictable password, and the following should not be allowed:

  • Sequential or repetitive characters (such as ‘abcdefgh’, ‘12345678’, ‘aaa’ or ‘bbb’).
  • Context-specific words (such as the username, place of birth, company name or role).
  • Commonly used words as found in a typical dictionary.
  • Commonly used passwords, such as ‘Password123’.
  • Previously breached passwords, such as those found in Have I Been Pwned.
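The checks above, as an added example that is not the page’s, Troy Hunt’s or any vendor’s code: a PowerShell function that applies the unacceptable-value rules (length, repetitive or sequential runs, context-specific words, a common-password list) and then checks the candidate against the Pwned Passwords corpus through the Have I Been Pwned range API. The API is built on k-anonymity: only the first five hex characters of the SHA-1 hash leave the machine, and the suffix match is done locally. The common-password list and the offline range response at the bottom are constructed for the demo (the suffix is the genuine SHA-1 suffix of "password", the counts are illustrative); the function names and the `-RangeLookup` parameter are this example’s own.

```powershell
# Added example (not from the original article or any product).
function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-SequentialRun {
    # True if $Run or more consecutive characters ascend or descend by one code
    # point, e.g. 'abcd', '1234', 'dcba'. A run of 4 avoids flagging ordinary
    # words that merely contain 'rst' or 'hij'.
    param([string]$Password, [int]$Run = 4)
    $codes = [int[]][char[]]($Password.ToLowerInvariant())
    for ($i = 0; $i -le $codes.Length - $Run; $i++) {
        $up = $true; $down = $true
        for ($j = 1; $j -lt $Run; $j++) {
            if ($codes[$i + $j] -ne $codes[$i + $j - 1] + 1) { $up   = $false }
            if ($codes[$i + $j] -ne $codes[$i + $j - 1] - 1) { $down = $false }
        }
        if ($up -or $down) { return $true }
    }
    return $false
}

function Get-PwnedCount {
    # Returns how many times the password appears in the corpus (0 = not seen).
    # $RangeLookup takes the 5-character hash prefix and returns the "SUFFIX:COUNT"
    # text. The default calls the live API; the demo below passes an offline one.
    param(
        [Parameter(Mandatory)][string]$Password,
        [scriptblock]$RangeLookup = {
            param($Prefix)
            Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix" -Headers @{ 'Add-Padding' = 'true' }
        }
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)      # the only part that is ever sent
    $suffix = $hash.Substring(5)         # matched locally against the response
    foreach ($line in ((& $RangeLookup $prefix) -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) { return [long]$parts[1] }
    }
    return 0
}

# Constructed stand-in for a real common-password / dictionary list.
$script:CommonPasswords = @('password', 'password123', 'qwerty', 'letmein', 'welcome', 'summer2021')

function Test-PasswordUniqueness {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$ContextWords = @(),      # username, company, site, role ...
        [scriptblock]$RangeLookup
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt 8)        { $reasons.Add('shorter than 8 characters') }
    if ($Password -match '(.)\1{2,}')  { $reasons.Add('repetitive characters') }
    if (Test-SequentialRun $Password)  { $reasons.Add('sequential characters') }
    foreach ($w in $ContextWords) {
        if ($w.Length -ge 3 -and $Password.IndexOf($w, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains context-specific word '$w'")
        }
    }
    if ($script:CommonPasswords -contains $Password) { $reasons.Add('commonly used password') }
    $lookup = @{ Password = $Password }
    if ($RangeLookup) { $lookup.RangeLookup = $RangeLookup }
    $seen = Get-PwnedCount @lookup
    if ($seen -gt 0) { $reasons.Add("found $seen times in the breach corpus") }
    [pscustomobject]@{ Password = $Password; Acceptable = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Offline demo: a constructed range response. The first suffix is the real SHA-1
# suffix of "password" (full hash 5BAA61E4...8FD8); the counts are illustrative.
$offlineRange = {
    param($Prefix)
    if ($Prefix -eq '5BAA6') {
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000`r`n0123456789ABCDEF0123456789ABCDEF012:0"
    } else { '' }
}
Test-PasswordUniqueness -Password 'password'               -ContextWords 'contoso', 'jsmith' -RangeLookup $offlineRange
Test-PasswordUniqueness -Password 'Contoso2021!'           -ContextWords 'contoso', 'jsmith' -RangeLookup $offlineRange
Test-PasswordUniqueness -Password 'abcd1234'               -RangeLookup $offlineRange
Test-PasswordUniqueness -Password 'tangerine-quilt-marble' -RangeLookup $offlineRange
```

The first three candidates are rejected (common and breached; contains the company name; sequential run), the last is accepted. Dropping `-RangeLookup` makes `Get-PwnedCount` query the live API; the `Add-Padding` header asks the service to pad the response so that its size does not reveal which prefix was queried.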

Password Rotation

Previous password policy would advise users to change passwords regularly, such as monthly or quarterly. This has often backfired, with users changing their passwords ever so slightly, often in a predictable manner by adding or incrementing a digit at the end. This change to the guidance is particularly welcome: most users will gladly invest the small extra effort to choose a unique, secure password in return for not having to change it for the foreseeable future.

Rate Limiting

Since the primary focus is to prevent online attacks against a user account, it’s important to limit the number of password guesses (brute-force attempts) that can be made against an internet-facing service such as Outlook Web Access, and equally against logon services inside the corporate network. NIST requires limiting consecutive failed attempts against a single account to no more than 100 and suggests complementary techniques such as incremental rate limiting (delays that grow with each failure) and CAPTCHAs to weed out automated attempts by bots (although automation can also solve CAPTCHAs, so they should not be relied upon as a bulletproof solution). Note that a hard lockout is not the same as rate limiting: an attacker who knows the threshold will keep each account just below it and spray a few guesses across many accounts instead, so failed logons should be monitored across the whole user population, not only per account.

How to Implement the new NIST Password Guidelines in Active Directory

You can implement the new NIST password guidelines on a Windows Active Directory domain by following these steps:

  • Enforce a minimum password length, disable complexity and remove password expiry (rotation).
  • Block weak and compromised passwords.
  • Enable account lockout after 100 failed attempts.
  • Last but not least, communicate the changes to your users.

Change Minimum Length, Complexity Settings and Password Expiry

NIST recommends an 8-character minimum length and no other composition (complexity) requirement.

  1. Open the Group Policy Management console (Start -> Run -> gpmc.msc).
  2. Go to Domains, your domain, then Group Policy Objects.
  3. Right-click the Default Domain Policy and click Edit. (The password policy for domain accounts is read from the GPO linked at the domain root, which by default is the Default Domain Policy; the same settings in a GPO linked to an OU only affect local accounts on the computers in that OU.)
  4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy and change the settings to suit your specific requirements. As a minimum, set Minimum password length to 8, set Password must meet complexity requirements to Disabled, and set Maximum password age to 0 so that passwords never expire. Users will still be able to create passwords with symbols and mixed case; it just won’t be enforced, as it’s no longer required. If you use fine-grained password policies (PSOs), remember that a PSO overrides these domain settings for the users and groups it applies to.

Block common passwords and compromised or pwned passwords

NIST recommends checking passwords against a corpus of breached or pwned passwords and a list of common words/passwords.

There is no mechanism to do this natively in Windows or Active Directory, so we need to rely on a custom password filter (a DLL registered on every domain controller, which Windows consults whenever a password is set or changed) or on a password policy enforcer built on that same mechanism. Such products are typically shipped as an MSI; you can download and install it and be protecting all your Active Directory users in just a few minutes.


To size a deployment you’ll need the number of enabled AD user objects; this PowerShell command counts them:

(Get-ADUser -Filter 'Enabled -eq $true').Count

Limit the number of password attempts

NIST recommends limiting the number of consecutive failed attempts to 100. In Active Directory this is done with the account lockout policy, which has three related values: the lockout threshold (how many failures), the observation window (how long until the failure counter resets) and the lockout duration (how long the account stays locked). Give the duration a finite value rather than “until an administrator unlocks”, otherwise an attacker can lock users out at will and every lockout becomes a helpdesk call. Monitor event 4740 (account locked out) and the failed-logon events 4625 and 4771 on your domain controllers to spot spraying that stays under the threshold.

  1. Open the Group Policy Management console (Start -> Run -> gpmc.msc).
  2. Go to Domains, your domain, then Group Policy Objects.
  3. Right-click the Default Domain Policy and click Edit.
  4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy, set Account lockout threshold to 100 invalid logon attempts, and give Account lockout duration and Reset account lockout counter after suitable finite values (for example 30 minutes each).
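Once both GPO changes above (password policy and account lockout policy) have been made and applied, the settings should be verified rather than assumed. The following is an added example, not the page’s or any vendor’s code: it reads the effective domain policy and checks it against the targets this article uses (8-character minimum, no complexity rule, no expiry, lockout at no more than 100 failures with a finite window and duration), lists any fine-grained password policy (PSO) that would override the domain policy for some users, and lists enabled accounts flagged as not requiring a password at all, which the minimum length never applies to. It assumes the ActiveDirectory RSAT module and a domain-joined session; the function names are this example’s own.

```powershell
# Added example (not from the original article or any product).
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policy   = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if ($policy.MinPasswordLength -lt 8) {
        $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); NIST minimum is 8")
    }
    if ($policy.ComplexityEnabled) {
        $findings.Add('Complexity is enabled; NIST says composition rules should not be imposed')
    }
    # Maximum password age 0 in the GPO means "never expires". The cmdlet shows
    # that as 00:00:00 (some builds show a negative TimeSpan), so test for > 0.
    if ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) {
        $findings.Add("MaxPasswordAge is $($policy.MaxPasswordAge.Days) days; NIST says no forced rotation")
    }
    # LockoutThreshold 0 = never lock out = unlimited online guessing.
    if ($policy.LockoutThreshold -eq 0) {
        $findings.Add('LockoutThreshold is 0: no limit on online guesses')
    } elseif ($policy.LockoutThreshold -gt 100) {
        $findings.Add("LockoutThreshold is $($policy.LockoutThreshold); NIST limit is 100")
    } elseif ($policy.LockoutDuration -le [TimeSpan]::Zero -or $policy.LockoutObservationWindow -le [TimeSpan]::Zero) {
        # Duration 0 = locked until an admin unlocks: a denial-of-service lever
        # for attackers and a helpdesk call for every legitimate lockout.
        $findings.Add('Lockout duration or observation window is 0; give both a finite value')
    }
    # A PSO wins over the domain policy for the principals it applies to, so a
    # compliant domain policy can still leave some users on the old rules.
    foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo)) {
        if ($pso.ComplexityEnabled -or $pso.MaxPasswordAge -gt [TimeSpan]::Zero -or $pso.MinPasswordLength -lt 8) {
            $findings.Add("PSO '$($pso.Name)' (precedence $($pso.Precedence)) overrides the domain policy for: $($pso.AppliesTo -join ', ')")
        }
    }

    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

function Get-PasswordPolicyBypassAccount {
    # Accounts with the PASSWD_NOTREQD flag set may hold an empty password no
    # matter what minimum length the policy enforces, so list and fix them.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNotRequired -eq $true' |
        Select-Object SamAccountName, DistinguishedName
}

Test-DomainPasswordPolicy | Format-List
Get-PasswordPolicyBypassAccount
```

Run it after `gpupdate /force` on the PDC emulator, since that is the domain controller that writes the GPO’s account-policy values into the domain. The GPO linked at the domain root is authoritative and is periodically reapplied, so make the change in the GPO as the steps describe rather than with Set-ADDefaultDomainPasswordPolicy, and use this script to confirm the result.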

Communicate the new password policy changes to your users

We’ve been working with clients all over the world, helping them quickly adopt the new NIST password guidelines. A critical success factor in ensuring the new policy is well accepted by end users is to communicate the changes simply and effectively, highlighting the overall benefits from a user perspective. We’ve put together a sequence of emails that informs users of the changes, following these steps:

  • Inform the users of when the new password policy will be taking place.
  • Highlight the benefits to the user: they will no longer be required to change their password as frequently (or at all).
  • Reassure users that the policy will actually be simplified, no longer requiring overly convoluted requirements when it comes to the use of special characters.
  • Emphasize picking a unique password rather than a complex one.

To get access to the 7 Step Email Sequence, please get in touch and we’ll be delighted to send it to you. If there is enough interest, we’ll make it available as a downloadable .zip file.

How to Block Passwords Effectively in Windows Active Directory

In a follow-up blog post, we’ll explore the various ways to block and blacklist passwords in Active Directory using the different available methods. The easiest and quickest way is to use an enterprise password policy enforcement tool. With a tool such as pwncheck you can eradicate and prevent weak password use and comply with the latest NIST password guidelines in minutes and very cost-effectively, saving a lot of time and effort.
