New Password Rules Recommended by NIST

The latest guidelines reduce imposed complexity of passwords.

NIST has updated its Digital Identity Guidelines, which provide technical guidance for organizations implementing digital identity services and set out requirements for credential service providers (CSPs) performing remote user authentication at three authentication assurance levels.

For example, the document includes updated guidelines regarding the complexity of passwords. These requirements state that verifiers and CSPs:

  1. SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. SHOULD permit a maximum password length of at least 64 characters.
  3. SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. SHOULD accept Unicode [ISO/IEC 10646] characters in passwords.
  5. SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise.
  7. SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. SHALL NOT prompt subscribers to use knowledge-based authentication (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. SHALL verify the entire submitted password (i.e., not truncate it).

The document notes that “length and complexity requirements beyond those recommended here significantly increase the difficulty of using passwords and increase user frustration.”

Other approaches, such as “blocklists, secure hashed storage, machine-generated random passwords, and rate limiting are more effective at preventing modern brute-force attacks, so no additional complexity requirements are imposed,” it states.
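As an added illustration (not code from NIST or from the article), the Python below is one way a verifier could apply rules 1 through 5 and 9 together with the blocklist and salted, hashed storage the article mentions. The 15-character minimum, the blocklist contents and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed verifier settings: the guideline SHALL require at least 8 characters
# and SHOULD require 15, and SHOULD permit at least 64.
MIN_LENGTH = 15
MAX_LENGTH = 64
ITERATIONS = 210_000  # illustrative PBKDF2 work factor, tune for your hardware

# Constructed sample blocklist; a real deployment loads compromised or common
# passwords from a breach corpus instead.
BLOCKLIST = {"123456789012345", "passwordpassword", "qwertyuiopasdfgh"}


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means accepted.

    Only length and blocklist checks are applied: no composition rules
    (rule 5), and every printing ASCII character, the space and Unicode
    characters are allowed (rules 3 and 4). Length is counted in code
    points, so multi-byte characters are not penalised.
    """
    problems = []
    n = len(password)
    if n < min_length:
        problems.append(f"too short: {n} < {min_length}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} > {MAX_LENGTH}")
    # Non-printing (control, format, unassigned) characters are rejected;
    # the space character has Unicode category "Zs", so spaces pass.
    if any(unicodedata.category(c).startswith("C") for c in password):
        problems.append("contains non-printing characters")
    if password in BLOCKLIST:
        problems.append("on blocklist")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the entire UTF-8 password (rule 9)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; the full password is hashed, never truncated."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Because the whole password is fed to the hash, a 70-character password and its first 64 characters verify differently, which is the behaviour rule 9 requires.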

The comprehensive guidelines address many other authentication factors and detail both “process and technical requirements for meeting digital identity management assurance levels.”

Learn more at NIST.
10/10/2024