Should you follow the latest recommendations from NIST?

When the National Institute of Standards and Technology (NIST) released an update to its Digital Identity Guidelines (SP 800-63B) earlier this year, people paid attention. One recommendation that looks good on paper is dropping periodic password expiration: passwords should be changed when there is evidence of compromise, not on a fixed schedule. Whether an organization can safely follow this guidance depends on the other security practices it has in place, including the use of multi-factor authentication.

We have grown accustomed to mega breaches dominating the headlines. Users accumulate more and more passwords, and many recent breaches are the direct result of compromised credentials: the Verizon 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords. More often than not, the advice that follows is to change your password. Still, people cannot be bothered to memorize a completely new one, so they settle for appending a number sequence, an exclamation mark, or the year to the password they already have. In response, industry experts now call for usability balanced with security, which means scrutinizing conventional security measures that are believed to encourage poor user behavior.

Caught in the usability vs. security crossfire are mandatory password changes, and for good reason. There is enough research to suggest they deliver minimal security return at a high cost to the end user. When forced to set a new password, users fall back on predictable patterns: character substitutions, leetspeak, incrementing numbers, and similar habits that do not stand a chance against an attacker, because cracking tools apply exactly these transformations to a known or leaked previous password. Users also tend to forget the new password. Some write it down; others forget it altogether and flood the helpdesk with reset requests. With NIST's Digital Identity Guidelines promoting the removal of password expiration, dropping it is a tempting option for IT managers looking to improve password security.

On the other hand, expiration prevents indefinite access via compromised credentials. Attackers are persistent and not interested in gathering data in a day; they linger undetected for months, striking only when they can do serious damage. A regular password change can cut off this kind of access, at least where the intruder has not already established another foothold. There are also compliance considerations, such as the PCI DSS requirement to change passwords at least every 90 days.

Here is where it gets tricky. Since credentials exposed in one breach can open the door to other systems, the same experts, including NIST, suggest comparing prospective passwords against a list of common and compromised passwords. These passwords are compiled into a password dictionary and blocked from future use. It is a bit of a catch-22: a dictionary check runs only when a password is set or changed, so an existing password that appears in a newly published breach list is never re-evaluated until its owner is made to change it. If you use a password dictionary to strengthen security, you therefore need to make sure passwords are changed frequently enough to keep pace with the latest lists. Whether that means periodic expiration, or manually forcing a change whenever a new dictionary is added, is a decision you will have to make.

Whether dropping expiration is safe comes down to the rest of the authentication system. Tech giants like Google, Microsoft, and Apple all offer multi-factor authentication to their users. Enterprise organizations are following the trend, with only 38% stating that they do not use multi-factor authentication, according to a recent KnowBe4 survey of 2,600 IT professionals. In contrast, 62% of small to mid-sized organizations do not use it. If your organization falls into the latter group, it is probably not a good idea to throw out password expiration without a stronger authentication option, such as multi-factor authentication, in place. If that is not on the table for the immediate future, you are better off exploring other options.

Start with a password audit. You can do this internally (with approval, of course) or through an ethical hacking company. If you go the DIY route, there are a number of free tools at your disposal. These tools typically let you check the NT hashes of the passwords stored in the Active Directory database (ntds.dit) against the same breach lists available to attackers. Extracting those hashes requires domain-admin-level access and yields material as sensitive as the passwords themselves, so keep the dump offline and never upload it to a third-party service. If you want to take a more proactive approach, consider a password policy solution that enables dictionaries out of the box.

Another free resource is the auditor tool by Specops Software. The tool scans your Active Directory for weak password policies and displays interactive reports containing password-related information, such as policy usage, expirations, and relative strength. For each password policy, you can drill down and see how the settings compare to various industry standards, including NIST, PCI, and SANS. The tool also identifies other security weaknesses that may have slipped through the cracks, such as stale administrative accounts or accounts that do not require a password, as shown in the screenshot below. An added benefit is that the tool does not send any information outside of your environment.

With so many conflicting opinions, best practices, and regulatory guidelines floating around, it is easy to get lost along the way. Remember that one size does not fit all. If you are considering dropping password expiration, make sure you have the right tools in place. Keep the different roles in your organization in mind: periodic password changes may not be necessary for low-privileged users, but you may still want them for your administrator accounts. If you are not there yet, consider a password policy solution with dictionary settings. It is quite effective in preventing users from creating passwords that are susceptible to dictionary attacks.