Schneier on Security: NIST Recommends Some Common-Sense Password Rules

Source URL: https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-sense-password-rules.html
Source: Schneier on Security
Title: NIST Recommends Some Common-Sense Password Rules

Feedly Summary: NIST’s second draft of its “SP 800-63-4”—its digital identity guidelines—finally contains some really good rules about passwords:
The following requirements apply to passwords:

– Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
– Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
– Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
– Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.

AI Summary and Description: Yes

Summary: The second draft of NIST’s “SP 800-63-4” digital identity guidelines introduces updated password requirements that aim to enhance security practices. Key changes include minimum password lengths, acceptance of various character types, and modified rules regarding password changes and storage.

Detailed Description: The updated guidelines from NIST’s SP 800-63-4 provide essential best practices that align with contemporary security needs, particularly for organizations managing user identities and access controls. The recommendations stress the importance of password resilience while also addressing user experience during the authentication process.

Key Points:
– **Minimum Length Recommendations**: Passwords should now be a minimum of eight characters, with a recommendation for a minimum of 15 characters, promoting stronger password creation.
– **Maximum Length Flexibility**: The guidelines recommend allowing password lengths up to at least 64 characters to accommodate user preferences and complexity.
– **Character Set Acceptance**:
  – Encourages the acceptance of all printing ASCII characters as well as the space character, broadening the scope for password creation.
  – Inclusion of Unicode characters ensures non-English speakers and diverse user bases can create secure passwords reflecting their languages.
– **Elimination of Composition Rules**:
  – The guidelines prohibit imposing additional password composition rules (e.g., requiring a mix of uppercase, lowercase, numbers, and symbols), which can often lead to frustration and may not significantly enhance security.
– **Password Change Policy**:
  – Regular mandatory password changes are discouraged unless there is clear evidence of compromise, reducing unnecessary disruptions for users.
– **Prohibition of Hints and KBA**:
  – The guidelines specify that users should not create password hints accessible to unauthorized parties and discourage reliance on knowledge-based authentication questions, which are often less secure.
– **Password Verification Requirement**:
  – There is an emphasis on ensuring verifiers process the entire password without truncation, allowing users to utilize longer and more complex passwords.
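The rules above translate directly into a small acceptance check and verifier. The following is an added example, not code from NIST or from the Schneier post: the 8/15/64 thresholds come from the quoted text, while rejecting control characters, normalizing to NFC before counting, and the PBKDF2 parameters are this example's own assumptions. It makes two points the list only states: length is counted in Unicode code points (so a byte- or UTF-16-counting verifier gets emoji and accented passwords wrong), and the hash covers the whole password, so a long password and its truncated prefix do not verify against each other.

```python
# Added example: password acceptance and verification following the
# SP 800-63-4 draft rules quoted in the post. Not NIST's or the post's code.
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8            # SHALL: at least 8 characters
RECOMMENDED_MIN = 15   # SHOULD: at least 15 characters
MAX_LEN = 64           # SHOULD: permit at least 64; 64 is the lowest acceptable cap


def canonical(pw: str) -> str:
    # Assumption of this example: NFC-normalize so that "e" + combining acute
    # and the precomposed "é" are the same password with the same length.
    return unicodedata.normalize("NFC", pw)


def code_point_length(pw: str) -> int:
    """Length as the draft counts it: one per Unicode code point.
    Python's len() on str already counts code points."""
    return len(canonical(pw))


def length_views(pw: str) -> dict:
    """Three ways a verifier might count 'characters'; only the first is correct."""
    pw = canonical(pw)
    return {
        "code_points": len(pw),
        "utf8_bytes": len(pw.encode("utf-8")),
        "utf16_units": len(pw.encode("utf-16-le")) // 2,
    }


def check_password(pw: str, max_len: int = MAX_LEN) -> list:
    """Return the list of rule violations; empty means acceptable.

    Deliberately no composition rules (no "must contain a digit/symbol"):
    the draft prohibits them. Space and all printing ASCII are accepted.
    """
    pw = canonical(pw)
    problems = []
    n = len(pw)
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN} code points")
    if n > max_len:
        problems.append(f"too long: {n} > {max_len} code points")
    # Assumption: control characters (Unicode category Cc, e.g. newline) are
    # rejected; every other code point, including space, is allowed.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("control characters are not allowed")
    return problems


def is_below_recommended(pw: str) -> bool:
    """True when the password meets the SHALL minimum but not the SHOULD minimum."""
    return code_point_length(pw) < RECOMMENDED_MIN


def hash_password(pw: str, salt: bytes = None, iterations: int = 200_000) -> tuple:
    """Hash the entire normalized password; nothing is cut off at 64 or 72 bytes."""
    salt = salt if salt is not None else os.urandom(16)
    data = canonical(pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, iterations)
    return salt, digest


def verify_password(pw: str, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    _, digest = hash_password(pw, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["correct horse battery staple", "short", "🔑🔑🔑🔑", "pass\nword!"]:
        print(repr(candidate), length_views(candidate), check_password(candidate))
    long_pw = "x" * 72 + "tail"
    salt, digest = hash_password(long_pw)
    print("full password verifies:", verify_password(long_pw, salt, digest))
    print("72-char prefix verifies:", verify_password(long_pw[:72], salt, digest))
```

The `length_views` output is the part worth keeping in mind when auditing an existing verifier: four key emoji are 16 UTF-8 bytes but only 4 code points and fail the minimum, whereas a byte-counting check would accept them. The `hash_password`/`verify_password` pair shows what "process the entire password" means operationally: the prefix that a truncating implementation would store must not verify.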

These updates reflect a shift towards user-centered security practices while prioritizing strong password formation, ultimately aiming to reduce the risks associated with password-based systems. For security and compliance professionals, understanding these guidelines is crucial in implementing robust authentication mechanisms that align with regulatory standards and user needs.