Tuesday, 8 October 2024

NIST on Passwords. Some form of Sanity prevails

A 'forever' frustration has been auditors demanding password expiry and bizarre password requirements. I usually just said "write down that I don't comply, and that I accept the risk". Mainly because the risk was lower doing it differently from the auditors.

Some of the password requirements were derived from anecdotal evidence, or applied military requirements to the average user.

I've found that some of the most annoying complexity requirements have been imposed by sites protecting irrelevant assets. My cinema club login password is more complex than almost anything else I use. But my popcorn credit is secure!

For some insight into how we got to the previous requirements, which were bizarre, read this https://www.riskinsight-wavestone.com/en/2021/11/the-evolution-of-the-nist-password-complexity-rules-a-mandatory-step-before-a-passwordless-world/

NIST, in https://pages.nist.gov/800-63-4/sp800-63b.html, now says:

Password Authenticators

Passwords SHALL either be chosen by the subscriber or assigned randomly by the CSP.

If the CSP disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other complexity requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.

Password Verifiers

The following requirements apply to passwords:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
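The verifier rules above, as an added example that is not NIST's or this post's own code: a small Python acceptance check that counts Unicode code points (not bytes), applies only the length and blocklist rules with no composition rules, and verifies the whole password against a salted scrypt hash without truncation. The blocklist is a constructed sample; the function names and the choice of scrypt are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed sample blocklist. A real deployment loads a large list of
# commonly used and breached passwords (SP 800-63B Sec. 3.1.1.2).
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "letmein123"}

MIN_LEN = 8      # SHALL (item 1); pass min_len=15 to follow the SHOULD
MAX_LEN = 64     # a maximum of at least 64 SHOULD be permitted (item 2)


def normalize(password: str) -> str:
    """Stable Unicode normalization so the same text typed on different
    keyboards compares equal. NFKC is one reasonable choice."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, min_len: int = MIN_LEN) -> Tuple[bool, str]:
    """Return (accepted, reason). Only length and blocklist rules apply;
    no composition rules (mixed case, digits, symbols) per item 5, and
    spaces plus any printable/Unicode character are allowed (items 3, 4)."""
    pw = normalize(password)
    length = len(pw)  # code points (item 4), not bytes or UTF-16 units
    if length < min_len:
        return False, f"shorter than {min_len} characters"
    if length > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if pw.lower() in BLOCKLIST:
        return False, "appears on the blocklist of common passwords"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (hashlib.scrypt) of the full password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Verify the entire submitted password (item 9): the whole string is
    hashed and compared in constant time. Caveat: bcrypt silently truncates
    input at 72 bytes, so a bcrypt-based verifier would need a pre-hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)
```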