The Criminal Justice Information Services (CJIS) is the largest division of the FBI. They’re a hub of state-of-the-art tools and services for law enforcement, national security community partners, and the general public.
The CJIS Security Policy is regularly updated to evolving industry best practices. Their June 2019 update introduced a new policy option for passwords. This option made it easier for both users and their IT departments – while at the same time increasing network security.
The is further evidence of a trend in the changing password security practices. The new CJIS Security Policy section “220.127.116.11.1.2 Advanced Password Standards” extends the password expiration period from 90 days to a full 356 days.
Research has shown that when users are asked to keep changing their passwords, they tend to create weaker passwords overall. They use slight variants and same root passwords or phrases. For example, the “Password” becomes “Password@1” then “Password@2” and so on. These patterns are well known and leveraged by bad actors. NIST, Microsoft and SANS now all advise against using an arbitrary password expiration date.
Other key requirements of this Advanced Password Standard also match industry best practices:
A. Increasing password length – with no additional complexity requirements imposed
CJIS requires passwords that are at least 20-characters. This is longer than an 8-character minimum in other standards, but not overly difficult when users understand the value of passphrases. And academic research has shown longer passwords are much harder for hackers to crack. The FBI has made longer passwords a consistent recommendation.
The requirement to NOT require additional complexity also lines up directly with guidance from both academic research and other industry standards. Arbitrary password composition rules – such as requiring a particular combination of symbols, numbers and letters – make passwords harder for users to remember yet follow predictable patterns that are easy for bad actors to guess.
B. Checking against a current blacklist of “banned passwords”
CJIS follows the NIST 800-63B language about “commonly-used, expected, or compromised” passwords verbatim. They refer to passwords obtained from previous breach corpuses, words from cracking dictionaries and context-specific words like username and company name and derivatives.
The concept of passwords that are context-sensitive requires a custom dictionary, and dynamically considers user-level information. And with new data breaches occurring so frequently, a blacklist of previous breaches needs to be able to be updated continually.
These requirements are the basis of a modern password policy – although not readily achievable with older style, rules-based password tools.
C. Detecting if passwords become compromised in the future
CJIS adds one caveat to the 365-day password expiration policy. They require organizations to force a password change if there is evidence of authenticator compromise. This recognizes the fact that a previously good password may be part of a new data breach at any time. This, rather than an arbitrary 90-day change, becomes the event that triggers a password reset. For this approach to work requires continuously auditing passwords against a database that is updated with the latest data breach.
The CJIS Security Policy is periodically updated to reflect evolving security requirements. This comes from guidance and directives from presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The Advanced Password Standard represents the current best practice guidance of the Criminal Justice Information Services.