The National Institute of Standards and Technology (NIST) is the US government agency that sets technical standards for everything from the length of a meter to the shape of an electric outlet. They also set computer security standards for federal agencies, which often become de facto standards for business as well.
Special Publication 800-63, a user authentication framework, has been particularly influential. For instance, the US financial services authentication standard X9.117 is largely based on NIST’s framework.
NIST is drafting a new revision which will be called SP 800-63-3. They’ve taken the unprecedented step of seeking public comments on a GitHub repository. A careful reading shows a couple of big surprises:
1. Short, Simple Passwords Are Good Enough
Tucked away in Part B Appendix A of the new draft, NIST makes a case for short, simple, non-expiring passwords. Their argument for short passwords is essentially that online guessing attacks should be stopped by throttling (e.g., “three strikes you’re out”) not by length, and offline password cracking attacks aren’t mitigated by length either, since all passwords have the same hash size (not strictly true, by the way). Their case for simple passwords – just letters or numbers – boils down to an argument that making passwords hard to remember does more harm than good, presumably because people write them down, reuse them across sites, or choose them in predictable ways.
NIST eats their own dog food. In their draft rules for passwords and PINs, they now allow them to be as short as 6 characters. They go on to say password systems should not “impose other composition rules (mixtures of different character types, for example)” and should not require passwords “to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise.” [SP 800-63-3B 126.96.36.199]
This is a bold move. Long, complex passwords have been information security orthodoxy since the 1960s, with a trend toward ever longer passwords and more character sets. This is enshrined in the Common Body of Knowledge, the canon CISSP-certified professionals are expected to learn and live by. NIST, generally known as a conservative arbiter of security, is the last organization one might expect to commit such a heresy.
I’m sure NIST didn’t do it lightly. Many security professionals have privately grumbled that the trend toward longer, more complex passwords does more harm than good. NIST just came out and said what some of us were already thinking. Although their arguments aren’t airtight (for example, they didn’t consider the effect of password length on “shoulder surfing” attacks, nor is it true that hash cracking time is unaffected by password length) I applaud NIST for taking a bold stand, although I recommend they beef up their defense of short simple passwords with a formal threat model. Taproot Security has filed a comment on the NIST GitHub.
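The draft rules discussed above (6-character minimum, no composition rules, no periodic expiry, online guessing stopped by throttling) can be sketched as a small verifier. This is an added example, not code from NIST or from the original post; the class and function names, the lockout limit of 3, and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 6    # minimum length from the draft rules quoted in the post
MAX_FAILURES = 3  # "three strikes" throttle; the exact limit is an assumption


class Verifier:
    """Illustrative verifier: length-only rule, no expiry, throttled logins."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _digest(password, salt):
        # Salted, slow hash so a stolen credential table is costly to crack.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        # Length is the only check: no character-class composition rules.
        if len(password) < MIN_LENGTH:
            raise ValueError("password must be at least 6 characters")
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "failures": 0, "compromised": False,
                                "digest": self._digest(password, salt)}

    def flag_compromise(self, user):
        self._accounts[user]["compromised"] = True

    def must_change(self, user):
        # No periodic expiry: only evidence of compromise forces a change.
        return self._accounts[user]["compromised"]

    def login(self, user, password):
        acct = self._accounts[user]
        if acct["failures"] >= MAX_FAILURES:
            return "locked"  # throttle applies even to the correct password
        if hmac.compare_digest(self._digest(password, acct["salt"]), acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        return "denied"


def online_guessing_demo():
    v = Verifier()
    v.set_password("alice", "kitten")  # constructed sample account
    return [v.login("alice", g) for g in ("123456", "qwerty", "abc123", "kitten")]
```

The throttle bounds online guessing at three attempts whatever the password length; it does nothing for a stolen hash table, which is where the salted, slow hash and the length of the password still matter.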
2. Two-Step Verification via Text Messages Must End
Another interesting statement tucked away in Part B of the NIST draft: “OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” [SP 800-63-3B 188.8.131.52] OOB stands for Out Of Band, referring to logins that add an extra step to verify identity through another channel (typically the user’s mobile phone). SMS stands for Short Message Service, i.e. text messages.
Here again, NIST is bucking industry trends. Hundreds of web sites now offer 2-step verification via text messages, including Google, Microsoft, Apple, Yahoo, Dropbox, and most online banks and brokerages. When you sign on with username and password, the site texts a random code to your phone. You type the code into the web site and proceed.
By saying OOB using SMS is deprecated, NIST is telling web providers they should start phasing it out now, and no new usage should be deployed. They don’t state their reasons in the draft (hopefully they will in the final published version) but it’s not hard to guess. SMS text messaging is widely acknowledged to be an insecure protocol, lacking meaningful encryption or authentication. VOIP-based virtual phone services such as Google Voice may further erode SMS security. (If the service is hacked, text messages could be intercepted.) These weaknesses make SMS a poor authentication channel.
The problem is NIST’s bad timing. After waves of web site breaches, including recent MySpace and LinkedIn password dumps, many web site operators did the right thing and embraced 2-factor authentication. This typically means a 2-step verification scheme including text message codes. Although other delivery mechanisms exist (e.g., smartphone app) SMS remains the simplest and most usable. Flawed though it is, adding SMS OOB to a web logon significantly raises the bar against attackers. For now, the benefits outweigh the risks.
Sites should be encouraged to offer a variety of 2-step verification options to users, for now including text messaging. A few years from now, when 2-factor authentication is the norm not the exception, and good OOB alternatives to SMS are widely available (including to users without smartphones), that is when NIST should move to deprecate. Taproot Security has filed this comment on the NIST GitHub.
UPDATE 6/18/16: NIST responded to both comments. Citing recent SMS attacks on FTC and Black Lives Matter, NIST rejected our suggestion to postpone OOB SMS deprecation. They did agree to allow the practice to continue for "a few years". As for short easy passwords, that comment was "partially accepted" and it appears NIST is working to improve their rationale for such passwords in an upcoming iteration of SP 800-63-3B.
UPDATE 1/31/17: NIST published a new draft of the guidance, retitled "Digital Identity Guidelines". They softened their position on SMS OTP, which now says it "is discouraged and is being considered for removal in future editions of this guideline." The guidance for short, simple passwords remains unchanged for now.
UPDATE 6/22/17: NIST published the final guidance.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.