Looking Closer at NIST Password Guidelines for Checking Compromised Passwords

The new password guidelines from the National Institute of Standards and Technology (NIST) introduce changes that many cybersecurity professionals welcome. The NIST Digital Identity Guidelines update the recommended security practices in light of current research and of how password attack methods have evolved.

As recommended in NIST Special Publication 800-63B, passwords should be screened against lists of commonly used, expected, or compromised values. The intent is to ensure a password does not appear in the cracking dictionaries that would make it easy to guess.

These checks can occur at account creation, password creation, and password reset. But then what? How do you know whether a password is still safe some time later, and what do the guidelines recommend?

The same NIST password guidelines are explicit that organizations should not require frequent password changes arbitrarily (e.g., periodically) and should only require a change if there is evidence of compromise of the authenticator or if it doesn’t meet the current password requirements.

So if the password isn’t supposed to be reset periodically, how do we know after some time if the password is not compromised?

One option would be not to force a reset but to recheck the password periodically in real time.

The check has to happen at login because, at every other time, the password should exist only as a salted one-way hash and is not available for comparison. While periodically rechecking the password at login is a viable option and would indeed better maintain the password's integrity against brute-force attacks, it is important to weigh user frustration and loss of functionality against the security risk of an attack.

Another approach to consider would be to instead check the full username and password combination at every login, incorporating this process as part of a comprehensive risk management strategy.

If the exact username and password combination is found in a database of compromised credentials, this suggests two possibilities. Either the authenticator has been compromised without the user's knowledge, or the user has reused the credentials on another site and that third-party site has been breached.
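As an added illustration (not code from the original post), here is how the login-time screening described above could be wired together in Python: the password is verified against its salted one-way hash first, and only then is the plaintext screened against a compromised-password list and a compromised username:password pair list. The breach lists, the user records, the PBKDF2 parameters, and the hash formats used for the lookups are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a breach corpus. Breach lists are
# commonly distributed as hashes, so the lookup tables hold hashes, not plaintext.
KNOWN_BAD_PASSWORDS = {"password1", "letmein", "qwerty123"}
COMPROMISED_PASSWORD_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in KNOWN_BAD_PASSWORDS}
# username:password pairs observed together in a breach (assumed format, hashed the same way).
COMPROMISED_PAIR_HASHES = {hashlib.sha256(b"alice:letmein").hexdigest()}

PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes = None) -> dict:
    """Store the password only as a salted one-way hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def is_compromised_password(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_PASSWORD_HASHES


def is_compromised_pair(username: str, password: str) -> bool:
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest() in COMPROMISED_PAIR_HASHES


def login(username: str, password: str, record: dict) -> str:
    """Authenticate, then screen. Returns 'deny', 'allow', 'reset_required' or 'exposed'."""
    # Screening happens only after a successful match: the plaintext is available
    # at no other time, and an unauthenticated caller must not be able to probe
    # which accounts have exposed credentials.
    if not verify_password(record, password):
        return "deny"
    if is_compromised_pair(username, password):
        # The exact pair is in a breach: evidence of compromise of this
        # authenticator, which is NIST's trigger for a forced change.
        return "exposed"
    if is_compromised_password(password):
        # The password alone is on a cracking list: known-weak, require a reset.
        return "reset_required"
    return "allow"
```

The three non-deny outcomes let the application distinguish a merely weak password (reset on the user's schedule) from a pair that is demonstrably circulating (step up or force a change immediately).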

The evidence suggests the second option is more likely. One study on password reuse suggests it occurs 43 to 51% of the time. Although the NIST password guidelines make it clear that passwords should not be reused, there is no practical way to detect or enforce this policy on its own.

Discovering compromised username and password combinations is critical because it is basically evidence that the password layer is entirely vulnerable and the account is at substantial risk of being hijacked, leading to potential data breaches by cybercriminals.

There are many newer authentication security measures that apply heuristic rules to detect user-account risk, or adaptive authentication methods that use artificial intelligence to produce a probabilistic risk score, aiming to mitigate potential cyberattacks. Such methods will always produce some false positives and some false negatives.

By contrast, the detection of breached credentials is a deterministic protection model. There are no false positives: if a user's credentials are compromised, there is an exposed vulnerability that needs to be resolved. Screening for compromised credentials is therefore an essential layer alongside multi-factor authentication (MFA), heuristics, and adaptive authentication.