NIST Officially Recommends Password Pasting
Official Password Guidelines Validate What the Security Community Has Said For Ages
The U.S. National Institute of Standards and Technology, or NIST, is heavily involved in setting security standards and is a regular contributor to the field of cryptography. For instance, NIST has published the elliptic curves (the P-curves) widely used in ECC, and it hosted the competition that led to the development of SHA-3.
Last month they published SP 800-63: Digital Identity Guidelines. While the name may put you to sleep, what was written inside electrified the security community.
The four-volume series of documents outlines how systems should handle account security, including passwords, two-factor authentication, and related policies. NIST publishes similar documents on all types of security topics with the goal of assisting engineers who need to implement these systems.
One of the topics it commented on was ‘password pasting,’ the practice of allowing users to paste their passwords into login forms. NIST’s verdict? It’s Good.
Even though the security community has known for a long time that disabling pasting is a bad idea, it is still a commonly held belief that it somehow improves security:
Hello, a long password is a great way to protect your information! For security purposes we do not allow pasting of passwords.
— TurboTax Support (@TeamTurboTax) April 2, 2017
However, there is simply no evidence to back that up. One misconception is that blocking paste somehow stops brute-force attacks. But there are far better defenses against that (rate limiting and throttling failed login attempts, which the NIST guidelines themselves call for), and an attacker won’t be typing guesses into your login form in a standard browser anyway; automated tools submit the requests directly, so a paste restriction only inconveniences legitimate users.
As NIST’s new guidelines put it, verifiers should permit users “to use ‘paste’ functionality when entering a [password]. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”
I don’t know about you, but typing a secure password such as “?tgZ8t3Xwr” is almost as difficult as remembering it would be. Given the importance of using strong and unique passwords for every service, allowing pasting is essentially the only practical way to ensure users can actually do that.
Earlier this year the National Cyber Security Centre (NCSC), the UK’s official authority on cyber security, also endorsed the use of paste.
NIST’s new guidelines include a number of other best-practice recommendations for passwords: a minimum length of 8 characters for user-chosen passwords, accepting passwords of at least 64 characters, and dropping periodic (e.g. “every X months”) forced password changes. They also say that systems should accept Unicode, all printable ASCII characters, and spaces.
Those working in the field of security have known these are best practices for quite some time. However, NIST included another guideline which is surprisingly progressive:
“[Systems] SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
In the world of internet standards, SHALL written in uppercase letters has a special meaning. The IETF formally defined these requirement keywords in RFC 2119, and SHALL (like MUST) means an absolute requirement, not a suggestion. By contrast, the paste recommendation quoted above is a SHOULD, which a compliant system may deviate from only with good reason.
One of the suggested sources for these “known compromised” passwords is “passwords obtained from previous breach corpuses.” This is a rather cutting-edge suggestion: whenever a user sets or changes a password, the prospective password would be compared against known databases of compromised credentials and rejected if it appears there. (The check happens at the moment the password is chosen, since a properly hashed stored password can’t be compared after the fact.)
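To make the SHALL requirement concrete, here is an added example of what such a check looks like on the server side. This is illustration code written for this article, not code from NIST or from any real service. The “breach corpus” and “commonly used” lists are tiny constructed samples embedded inline; a real deployment would load millions of SHA-1 hashes from a breach-corpus dump. The function and variable names are my own.

```python
"""Password blocklist check in the spirit of NIST SP 800-63B §5.1.1.2.

Added example for this article (not NIST's or any vendor's code). The breach
corpus and common-word list below are constructed samples; in production they
would be loaded from a large breach-corpus dump instead.
"""
import hashlib
import unicodedata

# Constructed sample "breach corpus": SHA-1 hashes of passwords that have shown
# up in public breaches. Storing only hashes means the verifier never keeps the
# plaintext of someone else's leaked password around.
_BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "P@ssw0rd"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}

# Constructed sample of "commonly used or expected" values. The guideline also
# names dictionary words, repetitive/sequential characters, and context-specific
# words (service name, username); those are handled separately below.
COMMON_WORDS = {"welcome", "football", "monkey", "dragon"}


def normalize(secret: str) -> str:
    # SP 800-63B recommends Unicode normalization (NFKC or NFKD) before hashing,
    # so visually identical Unicode inputs compare equal.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    # Catches 'aaaaaaaa'-style (one distinct character) and '12345678' / 'hgfedcba'
    # style (every character exactly one code point up or down from the last).
    if len(set(secret)) == 1:
        return True
    deltas = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return deltas in ({1}, {-1})


def reasons_to_reject(secret: str, context_words=()) -> list:
    """Return the reasons a prospective password must be rejected.

    An empty list means the password passes the blocklist checks.
    context_words are values specific to this account or service (username,
    site name) that the guideline says should not appear in the password.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < 8:  # SP 800-63B minimum for user-chosen memorized secrets
        reasons.append("shorter than 8 characters")
    digest = hashlib.sha1(s.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    if s.lower() in COMMON_WORDS:
        reasons.append("commonly used word")
    if is_repetitive_or_sequential(s):
        reasons.append("repetitive or sequential characters")
    for word in context_words:
        if word and word.lower() in s.lower():
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "12345678", "correct horse battery staple"]:
        verdict = reasons_to_reject(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the check is purely a rejection list: it does not enforce composition rules (uppercase, digits, symbols), which the same NIST section says verifiers should not impose, and it deliberately accepts spaces and long passphrases.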
This would be similar to the functionality offered by Have I Been Pwned?, a free service that lets you know if any of your accounts were compromised as part of known breaches.
Microsoft already uses this practice but it’s quite uncommon and perceived as creepy by some. So while the general public may not yet feel at ease with a website knowing their password was compromised elsewhere, we can all agree on this: Password pasting is Good.