Official Password Guidelines Validate What the Security Community Has Said For Ages
The U.S. National Institute of Standards and Technology, or NIST, is heavily involved in setting security standards and is a regular contributor to the field of cryptography. For instance, NIST has published curves for use in ECC and hosted the competition that led to the development of SHA-3.
Last month they published SP 800-63: Digital Identity Guidelines. While the name may put you to sleep, what was written inside electrified the security community.
The four-volume series of documents outlines how systems should handle account security, including passwords, two-factor authentication, and related policies. NIST publishes similar documents on all types of security topics with the goal of assisting engineers who need to implement these systems.
One of the topics it commented on was ‘password pasting,’ the practice of allowing users to paste their passwords into login forms. The NIST’s verdict? It’s Good.
Even though the security community have known for a long time that disabling pasting is a bad idea, it is still a commonly held belief that it somehow improves security:
Hello, a long password is a great way to protect your information! For security purposes we do not allow pasting of passwords.
— TurboTax Support (@TeamTurboTax) April 2, 2017
However, there is just no evidence to back that up. One misconception is that it somehow stops brute-force attacks, but there are far better defences against that (rate limiting, for example), and attackers won’t be using a standard browser to break into your account anyway.
As the NIST’s new guidelines say, users should be able “to use ‘paste’ functionality when entering a [password]. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”
I don’t know about you, but typing a secure password such as “?tgZ8t3Xwr” is almost as difficult as remembering it would be. Given the importance of using strong and unique passwords for every service, allowing pasting is essentially the only way you can ensure users can do that.
Earlier this year the National Cyber Security Centre (NCSC), the UK’s official authority on cyber security, also endorsed the use of paste.
The NIST’s new guidelines included a number of other best-practice recommendations for passwords, including support for 64-character (or longer) passwords, and that periodic (e.g. “every X months”) password changes should not be used. They also say that systems should accept Unicode, all printable ASCII characters, and spaces.
Those working in the field of security have known these are best practices for quite some time. However, NIST included another guideline which is surprisingly progressive:
“[Systems] SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
In the world of internet standards, SHALL written in uppercase letters has a special meaning. The IETF has formally defined different terms to be used in standards, and in this case shall means “required.”
One of the suggested sources for these “known compromised” passwords is from lists of “passwords obtained from previous breach corpuses.” This is a rather cutting-edge suggestion which would have the passwords of registered users compared to known databases of compromised account credentials.
This would be similar to the functionality offered by Have I Been Pwned?, a free service that lets you know if any of your accounts were compromised as part of known breaches.
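As an added example (not code from the article, NIST, or Have I Been Pwned), here is a small Python verifier that applies the rules above: Unicode NFKC normalisation, a length floor, acceptance of 64-plus-character passwords with spaces, no composition or rotation rules, and a k-anonymity-style breach-list lookup served from a constructed corpus instead of a live API. The corpus contents and the 256-character upper cap are assumptions.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breach corpus (not a real breach list), kept as
# uppercase SHA-1 hex digests so no plaintext sits alongside the verifier.
BREACHED_SHA1 = {
    hashlib.sha1(unicodedata.normalize("NFKC", p).encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "pässwörd")
}

MIN_LENGTH = 8     # the floor NIST sets for user-chosen secrets
MAX_LENGTH = 256   # assumption: generous cap to bound hashing cost; must be >= 64


def normalize(secret: str) -> str:
    """NFKC-normalise so composed and decomposed forms of the same characters
    compare (and hash) identically; spaces and all printable ASCII/Unicode are kept."""
    return unicodedata.normalize("NFKC", secret)


def is_breached(secret: str, corpus=BREACHED_SHA1) -> bool:
    """k-anonymity style lookup as popularised by Have I Been Pwned: only the first
    five hex characters of the SHA-1 would be sent to a remote range service, and
    the full digest is compared locally. Here the 'range' comes from the local corpus."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in range_suffixes


def check_password(secret: str) -> tuple:
    """Apply the SP 800-63B verifier rules discussed in the article.
    Deliberately absent: composition rules (digits, symbols, ...) and any
    expiry date, both of which the guidelines say verifiers should not impose."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return (False, "too short")
    if len(s) > MAX_LENGTH:
        return (False, "too long")
    if is_breached(s):
        return (False, "breached")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "pa\u0308sswo\u0308rd"):
        print(repr(candidate), check_password(candidate))
```

Note that the decomposed spelling of “pässwörd” is still caught, because both the corpus and the candidate are normalised before hashing.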
Microsoft already uses this practice but it’s quite uncommon and perceived as creepy by some. So while the general public may not yet feel at ease with a website knowing their password was compromised elsewhere, we can all agree on this: Password pasting is Good.