Security Awareness Blog

NIST Has Spoken - Death to Complexity, Long Live the Passphrase!

NIST has spoken, and I could not be more excited. For years the security community has inflicted one of the most painful behaviors to date: the dreaded complex password. I've watched many times in horror as security researchers made fun of ordinary computer users for using simple passwords, often calling out hacked databases of passwords and bemoaning what is wrong with the world. In reality, these very same people should have taken the time to look in the mirror and see what they were inflicting on others.

Strong passwords are so simple! All you need is 12 characters, one upper case character, one lower case character, one number, one symbol, and mix in the blood of a virgin. Then change it every ninety days. Oh, and did we mention that you must have a unique, complex password for every account and never, ever write it down? How could it be any simpler?

For years people like Per Thorsheim, Cormac Herley and Dr. Angela Sasse have fought against this. Finally, these painful behaviors are being put to rest by NIST in their official publication SP800-63-3 Digital Identity Guidelines. While it is a rather large series of documents, it has a couple of key points about passwords, specifically in sections, and Appendix A. Long story short.

This may not sound at first like a big deal, but this is huge. We are bringing common sense into the world. Instead of trying to focus on what is the academically PERFECT password, we are taking the human element into consideration. Far too often security fails because we forget people are involved. Security is far more than bits and bytes, and kudos to NIST for having the guts to say as much. You may not know it, but the UK National Cyber Security Centre has been preaching the same since August 2016. Finally, if you are a customer of SANS Security Awareness, your content is already current with NIST guidelines; we have been promoting these key behaviors for over a year now. Because we work with the SANS senior instructors and top security experts, with SANS you are getting the best content in the world.

UPDATE 8 Aug, 2017: The Wall Street Journal published a fascinating article on the background behind the changes and just how bad password complexity is. Your leadership may not read NIST SP800 documents, but they most likely do read the WSJ.

Posted July 27, 2017 at 8:05 PM

Charles Barest

Fabulous summary and great news!
I'm still reading through SP800-63-3 at the moment, but I *really* like what I see so far!

Posted July 29, 2017 at 6:16 PM

Chris Hess

'Entropy is dead' is misleading. Length and size of the character set are both part of the same equation. What the guidance appears to assert is that length provides a more human-friendly and consistent way of achieving entropy goals than the size of a character set (of which humans only use a fraction of all available characters, creating a significant gulf between potential and realized variation). I agree with that assertion and welcome the change.
Entropy is still our best way to measure and compare authentication schemes in a quantitative way. Claiming its irrelevance (on a security awareness blog where readers may not be aware of the nuance) is going to make those conversations more difficult.

Posted July 29, 2017 at 11:17 PM


Chris, very well thought-out comment, thank you so much! The reason I titled this as such is due to the specific statement NIST makes in Appendix A of SP800-63-3b. Specifically, the following.
"Complexity of user-chosen passwords has often been characterized using the information theory concept of entropy [Shannon]. While entropy can be readily calculated for data having deterministic distribution functions, estimating the entropy for user-chosen passwords is difficult and past efforts to do so have not been particularly accurate. For this reason, a different and somewhat simpler approach, based primarily on password length, is presented herein."
I think we may both be right. What NIST appears to be saying is: stop debating entropy, as we have hit the point of diminishing returns. Instead, focus on passphrases, as that is "good enough" when it comes to entropy.
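As an added, worked illustration (my code, not SANS's or NIST's, and not part of the original post or the comments above), the snippet below puts the two threads of this discussion side by side: a verifier check that follows the length-first approach the post credits to NIST, and the entropy arithmetic behind Chris's point that length and character-set size sit in the same equation. The numeric thresholds (at least 8 characters, at least 64 accepted, a blocklist check, no composition rules) are my reading of the memorized-secret rules in NIST SP 800-63B, not values stated on this page; the blocklist is a constructed sample, and the function names and the NFKC normalization step are my choices.

```python
# Added example, not code from the blog post, SANS or NIST.
# Assumed thresholds (my reading of NIST SP 800-63B memorized-secret rules,
# not values stated on this page): at least 8 characters, at least 64
# accepted, a blocklist check, and no composition (character-class) rules.
import math
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64  # verifiers must accept at least this many; longer is fine

# Constructed sample blocklist. A real deployment would load a list of
# known-breached and commonly chosen passwords instead.
BLOCKLIST = {
    "password", "password1", "passw0rd", "letmein", "qwerty123",
    "123456789", "iloveyou", "welcome1",
}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical input compares equal before
    the length and blocklist checks (assumption: NFKC is the chosen form)."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str):
    """Return (accepted, reason) for a user-chosen password or passphrase.

    Deliberately absent: uppercase/digit/symbol requirements and any expiry
    logic. Spaces, all-lowercase words and non-ASCII characters are allowed,
    so a long passphrase passes while a short "complex" password fails.
    """
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short: at least %d characters required" % MIN_LENGTH
    if len(s) > MAX_LENGTH:
        return False, "too long: at most %d characters accepted" % MAX_LENGTH
    # Case-insensitive blocklist lookup is a design choice here, not a NIST rule.
    if s.casefold() in BLOCKLIST:
        return False, "appears on the blocklist of common or breached passwords"
    return True, "accepted"


def random_entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret drawn uniformly at random: length * log2(pool).

    This is the "same equation" from the comment thread: a bigger pool or a
    longer secret both raise it. It only applies to randomly generated
    secrets; NIST's Appendix A notes it does not estimate human-chosen ones well.
    """
    return length * math.log2(pool_size)


def compare_examples():
    """Three uniformly random secrets: 8 printable-ASCII characters, 20
    lowercase letters, and a 5-word passphrase from a 7776-word list."""
    return {
        "8 chars, 95-symbol pool": round(random_entropy_bits(95, 8), 1),
        "20 lowercase letters": round(random_entropy_bits(26, 20), 1),
        "5 words, 7776-word list": round(random_entropy_bits(7776, 5), 1),
    }


if __name__ == "__main__":
    for candidate in ["P@ss1", "Password", "correct horse battery staple",
                      "Tr0ub4dor&3", "x" * 65]:
        print(repr(candidate), check_memorized_secret(candidate))
    for label, bits in compare_examples().items():
        print("%-26s %5.1f bits" % (label, bits))
```

Running it shows the short "complex" candidate rejected for length alone, the dictionary word rejected by the blocklist, and the four-word passphrase accepted with no character-class rule anywhere in the code. The entropy table makes Chris's point concrete: 20 random lowercase letters or five random words from a 7776-word list both land well above 8 random characters from the full printable set, because length multiplies the per-position bits.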