NIST has updated its Digital Identity Guidelines, which provide technical guidance for organizations to implement digital identity services and outlines requirements for credential service providers (CSPs) for remote user authentication at three different authentication assurance levels.

For example, the document includes updated guidelines regarding the complexity of passwords. These requirements state that verifiers and CSPs:

1. SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. SHOULD permit a maximum password length of at least 64 characters.
3. SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. 
5. SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise.
7. SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. SHALL NOT prompt subscribers to use knowledge-based authentication (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
9. SHALL verify the entire submitted password (i.e., not truncate it).

The document notes that “length and complexity requirements beyond those recommended here significantly increase the difficulty of using passwords and increase user frustration.”

Other approaches, such as “blocklists, secure hashed storage, machine-generated random passwords, and rate limiting are more effective at preventing modern brute-force attacks, so no additional complexity requirements are imposed,” it states.

The comprehensive guidelines address many other authentication factors and detail both “process and technical requirements for meeting digital identity management assurance levels.”

Learn more at NIST.