2024-09-25
NIST Revises Identity Guidelines, Including Password Requirements
Special Publication 800-63-4 is the second public draft of guidelines on "the authentication of subjects who interact with government information systems over networks" published by the National Institute of Standards and Technology (NIST). The document is both "informative" and "normative" on many dimensions of authentication, including MFA, user privacy, phishing-resistant measures, and biometrics, as well as the usability and equity of authentication policies. Notably, the draft redefines what Credential Service Providers (CSPs) may and may not require in password composition. Hard rules include an 8-character minimum (15 minimum and 64 maximum recommended); no special character rules; no arbitrary scheduled password changes; no publicly visible password hints; and no knowledge-based credentials or security questions.
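As an added illustration (not NIST's code, and not from the draft itself), the check below encodes the draft rules summarised above as a verifier-side acceptance test, next to the legacy composition rule it replaces and the "reset only on compromise" point from the Editor's Note; the blocklist is a constructed stand-in for a real compromised-password feed.

```python
import re
import unicodedata

# Length bounds taken from the draft rules summarised above.
MIN_LEN = 8            # SHALL: hard minimum
RECOMMENDED_MIN = 15   # SHOULD: recommended minimum
MAX_LEN = 64           # verifiers SHALL allow at least this many characters

# Constructed sample blocklist standing in for a real compromised-password feed.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "summer2024!"}


def nist_draft_check(pw, blocklist=BLOCKLIST):
    """Accept or reject a candidate password under the SP 800-63B-4 draft rules.

    Returns (accepted, reason). No composition rules, no hints, no scheduled
    rotation: only length bounds and a compromised/common-password blocklist.
    """
    pw = unicodedata.normalize("NFKC", pw)   # compare consistently across clients
    n = len(pw)                              # count code points, not bytes
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if pw.lower() in blocklist:
        return False, "appears in compromised/common password blocklist"
    if n < RECOMMENDED_MIN:
        return True, f"accepted; {RECOMMENDED_MIN}+ characters recommended"
    return True, "accepted"


def legacy_composition_check(pw):
    """The kind of rule the draft drops: 12 characters with upper/lower/digit/symbol,
    as in the PCI DSS 4.0 requirement mentioned in the comments below."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= 12 and all(re.search(c, pw) for c in classes)


def reset_required(days_since_change, seen_in_compromise_feed):
    """Under the draft, password age alone never forces a reset; evidence of
    compromise (e.g. a hit in an exposure feed) does, regardless of age."""
    return bool(seen_in_compromise_feed)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Summer2024!", "Summer2024!!"):
        print(candidate, nist_draft_check(candidate), legacy_composition_check(candidate))
```

Note that the legacy rule rejects the long passphrase while accepting a predictable variant of a blocklisted value, which is exactly the behaviour the draft's length-plus-blocklist approach avoids.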
Editor's Note
In this document, Authentication Assurance Level 1 still says reusable passwords provide 'basic confidence that the claimant controls an authenticator bound to the subscriber account being authenticated.' Note: this is NOT confidence about identity, it is confidence that the account name entered and password match - every successful phishing attacker gains this 'basic confidence' level. AAL 2 requires phishing-resistant authentication be in use and should be the starting point. Also note: the guidelines remove requirements for regular password reset but require immediate reset when a password is compromised. That requires monitoring one of the many (often free) password compromise exposure feeds and will very likely result in resets needed more frequently! Moving away from reusable passwords avoids that increased cost.
John Pescatore
This change has been a long time coming. What NIST has done (and congrats for it) is start addressing the human element in authentication. Requiring extremely complex, time-consuming, and unrealistic behaviors only frustrates people to the point that we drive them to the wrong behaviors. These new password requirements dramatically simplify passwords for people, enabling them to exhibit the behaviors we do want. Now, what I would love to see is the discussion shift to how we can make MFA as simple as possible for people. The simpler a behavior, the more likely people will exhibit it.
Lance Spitzner
These updated requirements are a great refresh to move us forward to more sensible authentication policies. Must read for anybody defining authentication requirements.
Johannes Ullrich
To my old co-worker Jason: we tried for years back in 2009-2010 to tell PCI auditors that having us change our 20+ character passwords every 90 days was a silly idea. IT ONLY TOOK 15+ YEARS!
Moses Frost
NIST has slowly been evolving its thinking on password creation and management. This revised draft guidance continues that trend. Bottom line, a set of practical rules that consider the threat, changing identity and access management technology, and dare I say it, common sense. Hurry up and go final before the cybersecurity 'borg' consumes you!
Curtis Dukes
It's been repeatedly proven that frequent password changes result in a lowering of security, as do special character requirements (as opposed to long complex passphrases), as composition requirements can, again, lead to weaker passwords. Beyond getting sane about password requirements, MFA, particularly phishing-resistant MFA, needs to be SOP. The window for comments on this draft closes at 11:59 Eastern on October 7th. PCI's DSS 4.0 will need to catch up as it still requires a 12-character password with upper/lower/numbers and a unique symbol. DSS 4.0 does include MFA requirements.
Lee Neely
Bits are bits and it is true that length is a more convenient way to get them than awkward complexity rules (introduced to get bits when password length was restricted for efficiency). However, one should NOT infer from this discussion that strong but replayable passwords are useful, secure, or appropriate for any but the most trivial applications. While strong passwords do protect against brute force, "fuzzing," spraying, and dictionary attacks, we are not seeing these attacks. They do not protect against the fraudulent reuse of compromised credentials, implicated in so many breaches. They are not even more convenient than such strong authentication mechanisms as Passkeys.