‘Memorized Secrets’ and NIST’s Latest Password Security Suggestions


With so many other competing priorities, password security may not be top-of-mind for many business leaders right now. But even a cursory check of 2017 data-breach reporting suggests that it very well should be.


For example, more than 80 percent of last year’s hack-related data breaches involved weak or stolen passwords, according to Verizon’s latest Data Breach Investigations Report. Studies from security applications providers such as SplashData and Keeper also reveal just how feeble passwords can be, and how lightly users take password security.




For its annual ‘Worst Passwords of the Year’ report, SplashData analyzed more than five million publicly leaked passwords, culling a list of the 100 most used (and therefore worst) terms.
Astonishingly, the top five offenders were: 123456; Password; 12345678; qwerty; and 12345. 
Keeper’s analysis of more than 10 million data-breached passwords confirmed similar user laxity, with their list showing nearly one in five hacked users safeguarding their digital lives with


Best practices being replaced?


Granted, many small-company IT pros try to mitigate exposure by implementing and enforcing cybersecurity policies, including password security and usage. But however proactive and well-intentioned, some practices being used may be outdated or even risky. So says the man who literally wrote the book on password security.


In 2003, Bill Burr, then a security expert employed by the National Institute of Standards and Technology (NIST), authored a security reference entitled Special Publication 800-63, Appendix A, which became the de facto operating standard for federal agencies and corporations.


Last year, Burr concluded his previous advice may have been ‘misguided.’


Regardless of Burr’s recent pivot, many SMBs still follow his 15-year-old recommendations, such as mixing in symbols and refreshing passwords every 90 days, practices we ourselves have reported on often.


But could it be that NIST’s 2017 Digital Identity Guidelines have made some familiar hygiene techniques obsolete?


It’s a compelling question that businesses and their IT Managed Services Providers (IT MSPs) should definitely discuss, especially the subject of password Authentication and Lifecycle Management.


‘Memorized Secrets’ vs. mixed-character passwords


To strike a practical balance between security and usability, NIST’s updated guidelines cover the use of ‘memorized secrets,’ which it defines as a “secret value intended to be chosen and memorized by the user…and of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value.” NIST also now says that passwords shouldn’t be changed unless a company is informed of a specific hacking threat.


NIST’s advice to system admins


We strongly endorse the NIST cybersecurity framework and believe that whenever NIST takes a position on something, business leaders should pay attention. For companies considering the use of memorized secrets, NIST experts encourage administrators to:


  • Clearly communicate memorized secret requirements to all employees, including how to create and change them
  • Allow users to make passphrases as long as they want, up to 64 characters, including spaces, to aid in memorization
  • Avoid imposing composition rules (e.g. mixing in capital letters, numbers and symbols)
  • Provide clear, actionable feedback when users’ memorized secrets are rejected (e.g. it’s previously or commonly used, or blacklisted by the company)
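As an added illustration (not code from the original post or from NIST), here is a small Python checker that applies the four points above: a 64-character ceiling with spaces allowed, no composition rules, a blocklist of commonly used passwords, and plain-language feedback on rejection. It assumes an 8-character minimum (SP 800-63B’s floor for user-chosen secrets) and uses a constructed blocklist seeded with the five SplashData terms quoted earlier; a real deployment would load a large leaked-password corpus.

```python
import unicodedata

# Constructed blocklist for this example: the five SplashData terms quoted earlier.
# A real deployment would load a large leaked-password corpus instead.
COMMON_SECRETS = {"123456", "password", "12345678", "qwerty", "12345"}
MIN_LEN, MAX_LEN = 8, 64  # 8 is SP 800-63B's floor for user-chosen secrets (assumed here)


def _fold(text: str) -> str:
    """Normalize Unicode (NFKC) and case-fold so comparisons are not fooled by
    look-alike code points or capitalisation."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_memorized_secret(secret: str, blocklist=COMMON_SECRETS, context_words=()):
    """Evaluate a user-chosen memorized secret along the lines of the NIST list above.

    Returns (accepted, feedback). There are deliberately NO composition rules:
    no required digits, symbols or mixed case. Spaces and non-ASCII are allowed.
    context_words are company-specific strings to forbid (e.g. username, product name).
    """
    normalized = unicodedata.normalize("NFKC", secret)
    if len(normalized) < MIN_LEN:  # length is counted in characters, not bytes
        return False, (f"Too short: use at least {MIN_LEN} characters. A multi-word "
                       "passphrase with spaces is fine and easier to remember.")
    if len(normalized) > MAX_LEN:
        return False, f"Too long: the limit is {MAX_LEN} characters."
    folded = normalized.casefold()
    if folded in {_fold(entry) for entry in blocklist}:
        return False, ("Rejected: this is one of the most commonly used or leaked "
                       "passwords. Pick something attackers would not guess first.")
    for word in context_words:
        if word and _fold(word) in folded:
            return False, f"Rejected: the password must not contain '{word}'."
    if len(set(folded)) == 1:
        return False, "Rejected: a single repeated character is too predictable."
    return True, "Accepted."


if __name__ == "__main__":
    # Demonstrates feedback for a blocklisted term, a plain passphrase, and a company word.
    for candidate in ["Password", "correct horse battery staple", "acme rocks 2018"]:
        ok, msg = check_memorized_secret(candidate, context_words=["acme"])
        print(f"{candidate!r}: {msg}")
```

Note that "correct horse battery staple" is accepted without any digit or symbol, which is exactly the point of dropping composition rules.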


The threat of user-caused breaches makes effective password security more crucial than ever, regardless of the strategy you use. Consult your IT Managed Services Provider about which cybersecurity policies and practices, including password hygiene, will keep your company safer and more secure in 2018.