New Password Rules Recommended by NIST

The latest guidelines reduce imposed complexity of passwords.

NIST has updated its Digital Identity Guidelines, which provide technical guidance for organizations implementing digital identity services and outline requirements for credential service providers (CSPs) performing remote user authentication at three different authentication assurance levels.

For example, the document includes updated guidelines regarding the complexity of passwords. These requirements state that verifiers and CSPs:

  1. SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. SHOULD permit a maximum password length of at least 64 characters.
  3. SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. 
  5. SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise.
  7. SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. SHALL NOT prompt subscribers to use knowledge-based authentication (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. SHALL verify the entire submitted password (i.e., not truncate it).

The document notes that “length and complexity requirements beyond those recommended here significantly increase the difficulty of using passwords and increase user frustration.”

Other approaches, such as “blocklists, secure hashed storage, machine-generated random passwords, and rate limiting are more effective at preventing modern brute-force attacks, so no additional complexity requirements are imposed,” it states.
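The following is an added example, not code from NIST or from ADMIN magazine, showing what a verifier that follows the nine rules above and the "blocklist, secure hashed storage and rate limiting" advice looks like in practice. Lengths are counted in Unicode code points, only control characters are rejected, no composition rules are applied, and the whole password is hashed with salted scrypt so nothing is truncated. The blocklist is a constructed sample, and the scrypt parameters and lockout threshold are assumptions rather than values from the guideline.

```python
"""Password verifier following the SP 800-63B rules summarized above.

Added example, not code from NIST or ADMIN magazine. The blocklist below is
a constructed sample; the scrypt parameters and the lockout threshold are
assumptions, not values from the guideline text.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8           # rule 1: SHALL require at least 8 characters
RECOMMENDED_MIN = 15     # rule 1: SHOULD require at least 15 characters
MAX_LENGTH = 64          # rule 2: SHOULD permit at least 64 characters

# Constructed sample blocklist of commonly used passwords (assumption).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible Unicode string always hashes the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, enforce_recommended: bool = False):
    """Apply the length and character rules from the list above.

    Returns (accepted, reason). Length is counted in code points, not bytes,
    so a 64-character Unicode password is not rejected for its UTF-8 size.
    """
    pw = normalize(password)
    n = len(pw)
    minimum = RECOMMENDED_MIN if enforce_recommended else MIN_LENGTH
    if n < minimum:
        return False, f"shorter than {minimum} characters"
    if n > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    # Rules 3 and 4: accept all printing ASCII, the space, and Unicode.
    # Only control characters (Unicode category Cc) are rejected.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "contains control characters"
    # Rule 5: no mixed-case/digit/symbol requirements; the only content
    # check is the blocklist of known-bad passwords.
    if pw.lower() in BLOCKLIST:
        return False, "on the blocklist"
    return True, "accepted"


def hash_password(password: str, salt=None):
    """Salted scrypt over the entire UTF-8 password (rule 9: no truncation).

    scrypt has no 72-byte input limit, so a 64-code-point Unicode password
    whose UTF-8 form is longer than 72 bytes is still verified in full.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AttemptLimiter:
    """Per-account failed-attempt counter: the rate limiting the text refers to."""

    def __init__(self, max_failures: int = 10):
        self.max_failures = max_failures   # assumed lockout threshold
        self.failures = {}

    def allowed(self, account: str) -> bool:
        return self.failures.get(account, 0) < self.max_failures

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1


def authenticate(store, limiter, account, password) -> bool:
    """Verify a login against a {account: (salt, digest)} store with rate limiting."""
    if not limiter.allowed(account):
        return False
    salt, digest = store.get(account, (b"", b""))
    ok = bool(salt) and verify_password(password, salt, digest)
    limiter.record(account, ok)
    return ok


if __name__ == "__main__":
    for candidate in ["short", "password", "correct horse battery staple",
                      "пароль-очень-длинный"]:
        print(repr(candidate), "->", check_password(candidate))
    store = {"alice": hash_password("correct horse battery staple")}
    limiter = AttemptLimiter(max_failures=3)
    print(authenticate(store, limiter, "alice", "correct horse battery staple"))
```

Passing `enforce_recommended=True` switches the floor from the mandatory 8 characters to the recommended 15. Note that the verifier never forces a periodic change (rule 6); the only trigger for a forced reset, evidence of compromise, lives outside this code and would typically be implemented by marking the stored record as requiring a new password.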

The comprehensive guidelines address many other authentication factors and detail both “process and technical requirements for meeting digital identity management assurance levels.”

Learn more at NIST.
10/10/2024