Security Awareness Blog

NIST Has Spoken - Death to Complexity, Long Live the Passphrase!

NIST has spoken, and we could not be more excited. For years the security community has inflicted one of the most painful behaviors to date on ordinary users: the dreaded complex password. We have watched many times in horror as security researchers made fun of ordinary computer users for choosing simple passwords, calling out hacked password databases and bemoaning what is wrong with the world. In reality, these very same people should have taken the time to look in the mirror and see what they were inflicting on others.

Strong passwords are so simple! All you need is 12 characters, one upper case character, one lower case character, one number, one symbol and nothing that is known about you. Then change all your passwords every ninety days. Oh, did we mention that you must have a unique, complex password for every account and never, ever write it down? How could it be any simpler?

For years, people and organizations like Per Thorsheim and his PasswordsCon, Dr. Cormac Herley, Dr. Angela Sasse and the UK National Cyber Security Centre have fought against this. Finally these painful behaviors have been put to rest by NIST in its official publication SP 800-63-3, Digital Identity Guidelines. While the guidelines are a rather large series of documents, the password guidance (what NIST calls memorized secrets) is concentrated in a few sections and Appendix A of SP 800-63B. Long story short, NIST states:

This may not sound like a big deal at first, but these changes are huge. We are bringing common sense into the world. Instead of trying to define the academically PERFECT password, we are taking the human element into consideration. Far too often security fails because we forget that people are involved. Complex passwords are not only hard to remember, they are time consuming and painful to type in by hand. In fact, the Wall Street Journal published a fascinating article on the background behind NIST's original thinking and on how the original author now feels about just how bad password complexity turned out to be. It is even more painful when you require people to change these complex passwords regularly. The biggest resistance to these changes will most likely come from two places: the highly technical security community, which repeatedly forgets that people are part of any organization's security, and the regulations or standards that still require password complexity and/or regular password changes, such as NERC CIP-007-6 R5, which continue to bind the organizations subject to them until they are updated.

Finally, if you are a customer of SANS Security Awareness, your content is already current with the NIST guidelines; we have been promoting these key behaviors for over a year now. Because we work with the SANS senior instructors and top security experts, with SANS you are getting the best content in the world.



Posted July 27, 2017 at 8:05 PM

Charles Barest

Fabulous summary and great news!
I'm still reading through SP800-63-3 at the moment, but I *really* like what I see so far!

Posted July 29, 2017 at 6:16 PM

Chris Hess

'Entropy is dead' is misleading. Length and size of the character set are both part of the same equation. What the guidance appears to assert is that length provides a more human-friendly and consistent way of achieving entropy goals than the size of a character set (of which humans only use a fraction of all available characters, creating a significant gulf between potential and realized variation). I agree with that assertion and welcome the change.
Entropy is still our best way to measure and compare authentication schemes in a quantitative way. Claiming its irrelevance (on a security awareness blog where readers may not be aware of the nuance) is going to make those conversations more difficult.

Posted July 29, 2017 at 11:17 PM


Chris, very well-thought-out comment, thank you so much! The reason I titled this as such is due to the specific statement NIST makes in Appendix A of SP800-63-3b. Specifically, the following:
"Complexity of user-chosen passwords has often been characterized using the information theory concept of entropy [Shannon]. While entropy can be readily calculated for data having deterministic distribution functions, estimating the entropy for user-chosen passwords is difficult and past efforts to do so have not been particularly accurate. For this reason, a different and somewhat simpler approach, based primarily on password length, is presented herein."
I think we may both be right. What NIST appears to be saying is: stop debating entropy, as we have hit the point of diminishing returns. Instead, focus on passphrases, as that is "good enough" when it comes to entropy.
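As an added example that is not part of the original post or of the comments above, the Python below carries through the arithmetic behind Chris Hess's point (length and alphabet size are two factors of one equation, and the alphabet people actually use is far smaller than the one a complexity rule counts) and, following the reply's reading of NIST, checks a candidate memorized secret by length and a blocklist rather than by character classes. The word-list size, blocklist, sample passwords and username are constructed for illustration, and the helper names are the example's own, not NIST's or SANS's.

```python
"""
Added example (not from the original post or its comments): the entropy
arithmetic behind "length and alphabet size are one equation", plus a
length-based memorized-secret check in the spirit of SP 800-63B instead of
composition rules.  The word-list size, blocklist, sample passwords and
username are constructed for illustration; helper names are the example's own.
"""
import math
import unicodedata


def random_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random: length * log2(alphabet).

    Valid only for machine-generated secrets.  Human-chosen passwords are far
    from uniform, which is exactly why SP 800-63B Appendix A gives up on
    estimating their entropy and falls back to length.
    """
    return length * math.log2(alphabet_size)


def compare_schemes() -> dict:
    """Theoretical bits for a few schemes; length does the work, not the alphabet."""
    return {
        "8 chars, 95 printable ASCII (classic complexity rule)": random_entropy_bits(95, 8),
        "8 chars, lowercase only": random_entropy_bits(26, 8),
        "16 chars, lowercase only": random_entropy_bits(26, 16),
        "4 words from a 7776-word (Diceware-size) list": random_entropy_bits(7776, 4),
        "6 words from a 7776-word list": random_entropy_bits(7776, 6),
    }


# Constructed sample of the kind of passwords people actually choose.
SAMPLE_HUMAN_PASSWORDS = ["Summer2017!", "Password1", "Welcome1!", "Qwerty123", "Football2017"]


def realized_alphabet(samples) -> int:
    """Distinct characters actually used across a sample: the 'realized'
    alphabet, much smaller than the 95 printable ASCII characters a
    complexity policy pretends are in play."""
    return len(set("".join(samples)))


# --- Length-based check in the spirit of SP 800-63B section 5.1.1 ---
MIN_LENGTH = 8    # a verifier SHALL require at least 8 characters
MAX_LENGTH = 64   # a verifier SHOULD permit at least 64; no composition rules, no forced rotation

# Constructed stand-in for a breached-password / dictionary blocklist.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "iloveyou", "welcome1"}


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Simplified test for the 'aaaaaaaa' / 'abcdefgh' / '12345678' class."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_memorized_secret(pw: str, username: str = "") -> tuple:
    """Return (accepted, reason).  Counts Unicode code points after NFKC
    normalization, as SP 800-63B directs; spaces and any printable character
    are allowed so that passphrases work."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "appears in the blocklist of common or breached passwords"
    if _is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential characters"
    if username and username.lower() in lowered:
        return False, "contains the username (context-specific word)"
    return True, "accepted"


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print("%-55s %5.1f bits" % (name, bits))
    print("realized alphabet in sample:", realized_alphabet(SAMPLE_HUMAN_PASSWORDS), "of 95")
    # Constructed candidates checked against the constructed username "alice".
    for candidate in ["Tr0ub4dor&3", "password1", "correct horse battery staple", "aaaaaaaa", "alice-2017"]:
        print(repr(candidate), check_memorized_secret(candidate, username="alice"))
```

Running the file prints the comparison: 16 lowercase characters (about 75 bits if chosen at random) beat 8 characters drawn from all 95 printable ASCII characters (about 53 bits), and four words from a 7776-word list land at roughly the same 52 bits as the 8-character complex password while being far easier to remember and type. The check deliberately has no composition rule and no expiry; the blocklist is where the real work goes, and in production it would be a breached-password corpus rather than a six-entry set.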