The new password guidelines from NIST introduce welcome changes to many security professionals. NIST updated recommended security practices in light of current research and knowledge of how password attack methods have evolved.
As suggested in Special Publication 800-63B, passwords should be screened against commonly-used, expected, or compromised passwords. This is intended to ensure passwords are not found in common cracking dictionaries that would make them easy to guess.
These checks can occur at account creation and password reset. But then what? How do you know if they are still safe after time?
The same NIST guidelines are explicit that organizations should not require passwords to be changed arbitrarily (e.g., periodically) and should only require a change if there is evidence of compromise of the authenticator.
So if the password isn’t supposed to be reset periodically, how do we know after some time if the password is not compromised?
One option would be not to force a reset but to recheck the password periodically.
This would need to be performed at login, because at all other times the password should be stored in a salted one-way hash. While periodically checking the password at login is a viable option and would indeed better maintain the integrity of the password against brute-force attacks, it’s important to weigh user frustration against risk of attack.
Another approach to consider would be to instead check the full username and password combination at every login.
If the exact username and password combination were found on a list of compromised credentials, this would suggest two possibilities. Either the authenticator has been unknowingly compromised, or the user has reused the credentials on another site and that 3rd party site has been compromised.
The evidence suggests the second option is more likely. One study on password reuse suggests it occurs 43- 51% of the time. NIST guidelines make it clear that passwords should not be re-used, there is no practical way to detect or enforce this policy.
Discovering compromised username and password combinations is critical because it is basically evidence that the password layer is entirely vulnerable and the account is at substantial risk of being hijacked.
There are many new authentication security measures that look at heuristics for rules to detect account risk or adaptive authentication methods that use artificial intelligence to indicate a probabilistic risk score. There will always be some amount of false positives and some amount of false negative results.
By contrast, the detection of compromised credentials is a deterministic protection model. There are no false positives. If user credentials are compromised, there is an exposed vulnerability that needs to be resolved. Screening for compromised credentials is an essential layer to MFA, heuristics and authentication.