a NIST blog
This week’s blog post highlighting Cybersecurity Awareness Month kicks off our series and is from NIST’s Dave Temoshok, Senior Advisor in the Information Technology Laboratory Applied Cybersecurity Division. In this post, Dave discusses how to “Be Cyber Smart” with passwords by using Multifactor Authentication best practices.
I currently serve as the Senior Advisor in the NIST Information Technology Laboratory Applied Cybersecurity Division. In general, I am responsible for digital identity management standards, guidance, and requirements, principally NIST Special Publication 800-63-3 Digital Identity Guidelines and related NIST and international standards and guidance. I came to NIST in 2011 to work on the National Strategy for Trusted Identities in Cyberspace (NSTIC) program. However, prior to coming to NIST to work on the NSTIC program I had a long association working with NIST colleagues on a wide variety of identity management programs, including the FIPS 201 Personal Identity Verification Standard, the FIPS 201 Laboratory Accreditation Program and the FIPS 201 Approved Product List, the Federal Public Key Infrastructure program, the Federal e-Authentication program, and the implementation of Homeland Security Presidential Directive 12.
Without any question, what I have valued most from my work at NIST is the collegiality with fellow NIST associates. I have the highest regard and appreciation for the collegiality of my work experiences with NIST associates on a wide variety of identity management programs and work projects. I have found NIST colleagues to be extremely knowledgeable, cooperative, and, above all, totally dedicated to meeting the demands of all work projects and tasks at the highest level possible.
Being “Cyber Smart” today means being aware of the motivations and tactics of those who would attack your computer security and adopting measures to protect yourself and the information systems you are responsible for. It’s important to know the capabilities of the attackers you are defending against and as much as possible to think like the attacker. Adopt a layered approach to security to reduce dependencies on any single defensive measure.
NIST provides a number of useful references in this regard, particularly the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework), a voluntary framework for organizations consisting of standards, guidelines, and best practices to manage cybersecurity risk, and NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations, which presents a catalog of controls to protect against a wide range of threats, risks, and attacks. Since online identity is often a key point of attack, NIST SP 800-63-3 Digital Identity Guidelines provides guidance and controls for the protection of online systems and services from identity theft and attacks.
The most reliable way to create a strong password is to make it long (perhaps a phrase). Longer passwords (which should not be actual words) are both harder to guess and harder to reverse engineer in case a website or online service suffers a security breach. Avoid including personal information or using formulas that could be guessed or inferred by an attacker. Password strength meters often give helpful feedback for selecting a good password. Since multiple long passwords are difficult to remember and manage, consider the use of a password manager for stronger, simpler password management.
Remember that good security is a partnership between your organization and its users. Set a reasonable lower limit (say, 8 characters) on password length, and make it possible for users to create long passwords (64 characters at least). Use a blocklist to prevent users from selecting common password values (require them to select something different if it’s too common). Don’t impose complex rules about the types of characters that must (or must not) be in a password; such rules have less benefit than commonly believed and lead to frustrated users who focus more on satisfying the rules than coming up with a good password.
Users tend to create weaker passwords when they will need to change them periodically, so don’t require them to change their passwords arbitrarily, but do require a change if there is evidence of a security breach.
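The length limits and blocklist described above, expressed as a password acceptance check. This is an added example, not code from the post or from NIST: the blocklist is a small constructed sample (a real deployment would load a large list of breached and commonly chosen passwords), the 64-character ceiling is the guidance's minimum upper bound adopted here as an assumption, and no character-class rules are imposed.

```python
"""Password acceptance check following the guidance above: a lower bound
of 8 characters, room for at least 64, a blocklist of common values, and
no rules about which character types must appear.
Added example, not NIST's code."""
import unicodedata
from typing import Tuple

MIN_LENGTH = 8
MAX_LENGTH = 64  # the guidance asks for at least this much; larger is fine

# Constructed sample blocklist; a real one would be far larger.
COMMON_PASSWORDS = {
    "password", "12345678", "qwertyui", "iloveyou", "letmein1", "football",
}


def normalize(password: str) -> str:
    """Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, max_length: int = MAX_LENGTH) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length is counted in characters rather than bytes, so passphrases in any
    script are treated fairly, and every character (spaces included) is allowed.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: at least {MIN_LENGTH} characters required"
    if len(pw) > max_length:
        return False, f"too long: at most {max_length} characters accepted"
    # Case-insensitive blocklist match, plus trivial single-character repeats.
    if pw.lower() in COMMON_PASSWORDS or len(set(pw)) == 1:
        return False, "too common: please choose something different"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("short", "Password", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate))
```

A rejected password comes back with the reason the user needs to pick something different, which is the only feedback these rules require; there is no composition checklist for the user to satisfy.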
Consider both online and offline attacks. For online attacks, use a rate-limiting mechanism to limit an attacker's ability to make brute-force guesses of user passwords. To protect against offline attacks, make sure that passwords are stored in a manner (salted and iteratively hashed) that makes it as difficult as possible for an attacker to exploit the authentication database if it is breached.
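The two defenses above side by side: a per-account throttle on failed online guesses, and salted, iterated hashing for the stored credential. This is an added example and not code from the post or from NIST; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, attempt limit and window are assumed values to be tuned for a real deployment.

```python
"""Salted iterative password storage plus online guess throttling.
Added example, not NIST's code; parameters are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means equal
    passwords yield different digests, so precomputed tables do not help."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


class RateLimiter:
    """Allow at most `limit` failed attempts per account within `window` seconds.
    Keying on the account throttles a guessing run against one user even
    when it arrives from many source addresses."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit = limit
        self.window = window
        self._failures: Dict[str, List[float]] = {}

    def allowed(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) < self.limit

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._failures.setdefault(account, []).append(now)


def login(credentials: Dict[str, Tuple[bytes, bytes]], limiter: RateLimiter,
          account: str, password: str, now: Optional[float] = None) -> bool:
    """Throttle first, then verify; every failure counts toward the limit."""
    if not limiter.allowed(account, now):
        return False
    record = credentials.get(account)
    if record is None:
        # Hash anyway so unknown and known accounts take the same time.
        hash_password(password, b"\x00" * SALT_BYTES)
        limiter.record_failure(account, now)
        return False
    salt, stored = record
    if verify_password(password, salt, stored):
        return True
    limiter.record_failure(account, now)
    return False


if __name__ == "__main__":
    # Constructed credential store with one account.
    store = {"alice": hash_password("correct horse battery staple")}
    limiter = RateLimiter(limit=3)
    print("correct:", login(store, limiter, "alice", "correct horse battery staple"))
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(f"{guess!r}:", login(store, limiter, "alice", guess))
```

Once the limit is reached the correct password is refused as well until the window expires, which is the point: the limiter bounds how many guesses an online attacker gets, while the salt and iteration count bound how fast an offline attacker can test guesses against a stolen database.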
NIST SP 800-63B provides a thorough discussion of the management, use and controls for memorized secrets (i.e., passwords, PINs) used to access online accounts and services.
Multifactor authentication, also called two-step or two-factor authentication, uses a password or biometric verification in combination with proving possession of a device such as a trusted mobile device or a physical security token or key. With multifactor authentication, even if an attacker is able to compromise the user’s password or biometric, they would also need to steal the user’s mobile device or security token to gain access to the user’s account. Examples of multifactor authentication include the use of password or biometric verification combined with a one-time password (OTP) security code sent to a trusted mobile device, an authentication application installed on a mobile device used in conjunction with a password, or a security token or software using cryptographic authentication processes.
While multifactor authentication is somewhat less convenient than use of a single authentication factor like a password, it greatly enhances the security of user accounts. Use multifactor authentication wherever it is available and practical to do so, especially if access to financial accounts or personal information is involved.
Multifactor authentication takes several forms. A common multifactor authentication method involves the sending of a unique code via text message or phone call to the user. While this is a big improvement over the use of a password alone, it is vulnerable to eavesdropping and other attacks involving the phone system. Another approach is the use of an application or security token that displays a unique code that changes for each authentication and proves possession of that token or device. Authenticators are also available that prove possession of the device through a cryptographic challenge, frequently in conjunction with a password/PIN or biometric entered by the user. NIST SP 800-63B provides information on different classes of authenticators that can be used in multifactor authentication.
Phishing attacks commonly use fraudulent communications that appear to come from a reputable source, typically through email, to dupe the user into providing sensitive credit card and login information to an attacker or into installing malware on the user's machine.
We recommend the following best practices to protect against phishing attacks. Check that the sender is legitimate. Make sure the sender information and the email address match and are from the expected domain (e.g., your bank). Even if the sender appears legitimate, there are often tell-tale mistakes, such as the company name being spelled incorrectly. Check the email text for spelling and grammar errors – phishing emails often contain such errors. Check the links in the email by hovering your cursor over them to see if they go to the place you expect – this can reveal fraudulent links. If in any doubt, type the known domain of the party you want to respond to directly into your browser rather than clicking on a link.
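Two of the checks above, automated for a mail gateway or a user's own triage script: does the sender's address belong to the expected domain, and does each link's visible text match where the link really goes (the same thing hovering reveals)? This is an added example, not code from the post or from NIST. The two messages are constructed for the illustration using reserved documentation domains, and the "last two labels" notion of a domain is a simplifying assumption in place of a public-suffix list.

```python
"""Sender-domain and link-destination checks on a received email.
Added example, not NIST's code; sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Matches link text that itself claims to be a URL or domain.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels identify the owner (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_host(text: str) -> Optional[str]:
    """Host the link text claims to point at, if the text looks like a URL."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def review_message(raw: str, expected_domain: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    expected = expected_domain.lower()
    findings: List[str] = []
    msg = message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if registrable_domain(sender_domain) != expected:
        findings.append(
            f"From shows '{display_name}' but the address domain is "
            f"'{sender_domain}', not {expected}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            actual = registrable_domain(urlparse(href).hostname or "")
            claimed = claimed_host(text)
            if claimed and registrable_domain(claimed) != actual:
                findings.append(f"link text '{text}' actually goes to '{href}'")
            elif actual != expected:
                findings.append(f"link '{href}' leads outside {expected}")
    return findings


# Constructed sample: lookalike sender and a link whose text hides its target.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@example-bank-login.net>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Sign in at
<a href="http://secure-login.example.net/verify">https://www.example.com/login</a>
within 24 hours.</p>
<a href="https://www.example.com/help">Help center</a>
</body></html>
"""

# Constructed sample: sender and links all on the expected domain.
SAMPLE_LEGIT = """\
From: Example Bank <alerts@mail.example.com>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at
<a href="https://www.example.com/statements">www.example.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", review_message(sample, "example.com") or "no findings")
```

A clean result is not proof of legitimacy (a compromised genuine account or a forged header passes both checks), which is why the advice above still ends with typing the known address into the browser yourself.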
Be especially wary of urgent demands for action. Phishing attacks often try to cause panic, present an ultimatum (e.g., "If you do not respond immediately, you will be sent to collections"), or prompt a hasty action taken without thinking. Slow down and do not rush to take any action without investigation. If an opportunity looks too good to be true, it usually is; phishing attacks may offer a financial reward or a one-time deal that must be accepted immediately – do not fall for it. Trust your judgment: if an email looks suspicious, it is likely a phishing attack. It is better to be safe than sorry.