NIST Guidelines for Password Policies: 2017


The United States National Institute of Standards and Technology (NIST) released its 800-63-3 series of guidelines for Digital Identity in June 2017. The password rules discussed here live in volume 800-63B, Authentication and Lifecycle Management.

Link to the guidelines: https://pages.nist.gov/800-63-3/

NIST examined prevalent password policy practices and trends and released a new set of rules that weigh both digital security and the human factor: the people who have to create, remember, and type those passwords.
This is definitely a step in the right direction.

So what are the observations, recommendations, and changes?

  • Emphasis is on strong user experience. If the policy makes passwords hard to remember, users circumvent it by writing them down or reusing them, which defeats the purpose of enforcing security in the first place.
  • The burden of password security should be on the verifier, not the user
  • Two-factor authentication is required for every assurance level above the lowest (AAL1), which in practice means almost all systems that protect anything of value.

And to drill down to specifics-

  • Password length: a minimum of 8 characters for user-chosen passwords, and verifiers should accept at least 64 characters (64 is a floor on what must be permitted, not a cap). Length is counted in characters, not bytes, and the verifier must never silently truncate what the user typed.
    Capping lengths at small values weakens security, while allowing 64 or more characters encourages users to choose long passphrases (whole sentences instead of single words). 64 characters still fit on most screens, so UI developers have little to complain about.
  • Verification against a blocklist: before accepting a new password, compare it against a list of commonly used, expected, or compromised values: passwords from breach corpora, dictionary words, repetitive or sequential strings (NIST's own examples are "aaaaaa" and "1234abcd"), and context-specific words such as the service name or the user's own username.
    Why wait for attackers to run those same lists and strike gold? We all know it's going to happen.
  • Password characters: all printing ASCII characters, including the space, should be accepted, and Unicode characters should be accepted as well. Each Unicode code point counts as one character toward the length, and the verifier should apply NFKC or NFKD normalization before hashing so the same password typed through different keyboards or input methods hashes the same way.
    This is a clear improvement over older policies that restricted the character set.
    Additionally, this rule forces software developers and testers to pay more attention to input validation and error handling, which should mean fewer breaks caused by unexpected input.
    This is how I see it: if odd input is valid input and has been anticipated, then, hey, that's one more tool we've taken away from them black hats.
    Hashing operates on bytes and produces a fixed-length output whatever went in, so the wider character set shouldn't concern DBAs; the only new step is the normalization before hashing.
  • NO more composition rules: verifiers should not demand "at least one uppercase letter, one digit and one symbol". Nothing is more user-unfriendly than forcing unnatural password composition, and it mostly produces predictable patterns anyway (a capital first letter, a digit and an exclamation mark at the end).
    So I for one am cheering that composition rules are off the NIST recommendations.
  • NO more password hints: Amen to that.
  • NO more knowledge-based authentication: you, your friends, your friends' friends, and pretty much the whole world know your mother's maiden name, the street you grew up on, and your first-grade teacher's last name (thank you, Facebook).
    I'm particularly glad to see this go, as it's a bit concerning how many IT folk think that secret questions added on to passwords amount to two-factor authentication and consider their system secure. No, it isn't. It is still the same factor: something you know.
  • Password expiration: verifiers should no longer force users to change passwords on a schedule. A change is required only when there is evidence that the password has been compromised.
  • Throttling: the familiar limit of no more than 100 consecutive failed attempts on a single account stands, with an added recommendation to use adaptive throttling, such as delays that grow with each failure, a CAPTCHA before further attempts, or restricting attempts to known IP addresses, instead of relying on a hard lockout alone.
  • Storage: the rules for storing passwords go into technical specifics and emphasize NIST's view that the burden of secure passwords should be on the verifier and service provider, not the user.
    The standard specifies that stored passwords:

    • shall never be in plaintext (yes, this still needs to be said)
    • shall be salted and hashed with an approved one-way key derivation function:
      • the salt shall be at least 32 bits, randomly generated per password (32 bits is the floor; 128 bits is common practice and costs nothing)
      • suitable functions are PBKDF2 with an approved hash (SHA-2 or SHA-3 family; SHA-1 is still permitted inside PBKDF2 but there is no reason to pick it for a new system) and Balloon
      • the iteration count should be as high as verification-server performance allows, typically at least 10,000
    • should additionally be passed through a keyed hash (HMAC) whose key is stored separately from the password database, for instance in an HSM, so that a stolen table cannot be attacked offline without also stealing the key
  • Displaying typed password text: password fields traditionally show a series of asterisks or dots. NIST now recommends offering the option to display the password in plain text while it is being typed (or at least showing the last typed character); it can be set to re-hide after a short period of time.
    Again, this aids the user experience with passwords, especially when users are sure they aren't being shoulder surfed.
  • SMS for two-factor authentication is restricted: even as the world is still waking up to two-factor authentication, NIST is moving away from SMS (and voice calls) as the "something you have" factor. The public draft deprecated it outright; the final text classifies out-of-band authentication over the public telephone network as RESTRICTED. It may still be used, but only with a documented risk assessment, the verifier must confirm that the phone number belongs to a physical device rather than a VoIP service, and subscribers must be offered an alternative authenticator. The reason is the number of loopholes in the Short Message Service: messages can be intercepted in transit, and the number itself can be hijacked through a SIM swap.
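The acceptance rules above (length counted in code points with no truncation, any printing ASCII or Unicode character, NFKC normalization, a blocklist of common and context-specific values, no composition rules) fit in one small function. The following is an added example written for this page, not NIST's code or a reference implementation; the six-entry blocklist is constructed for illustration (a real verifier loads a breach corpus of millions of entries), and rejecting control characters is my own design choice, since NIST only says printing characters should be accepted.

```python
import unicodedata

# Constructed blocklist for this example. A real verifier loads a large corpus of
# breached and commonly used passwords (millions of entries), not six strings.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

MIN_LEN = 8    # NIST 800-63B: at least 8 characters for user-chosen passwords
MAX_LEN = 64   # NIST 800-63B: verifiers SHOULD permit at least 64 (a floor, not a cap)


def normalize(candidate):
    """NFKC-normalize so equivalent Unicode spellings hash identically (NIST 5.1.1.2)."""
    return unicodedata.normalize("NFKC", candidate)


def is_repetitive_or_sequential(pw):
    """Reject 'aaaaaaaa' and 'abcdefgh' / '87654321'-style strings (NIST's examples)."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_password(candidate, username="", service_name=""):
    """Return (accepted, reason) for a candidate password.

    Rules, in order: normalize; reject control characters (design choice of this
    example); length counted in code points, never truncated; blocklist; context
    words (username, service name); repetitive or sequential strings.
    Deliberately no composition rules.
    """
    pw = normalize(candidate)
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "control characters not allowed"
    if len(pw) < MIN_LEN:
        return False, "too short (minimum %d characters)" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "too long (maximum %d characters)" % MAX_LEN
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "commonly used or breached password"
    for ctx in (username, service_name):
        if len(ctx) >= 4 and ctx.lower() in lowered:
            return False, "contains username or service name"
    if is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential characters"
    return True, "ok"
```

Note that "all lowercase words with spaces" passes and "Password" fails: the blocklist, not a composition rule, is what catches weak choices. The normalization step matters for storage too: the same function must run before hashing, or a user who types a ligature or a decomposed accent on one device will be locked out on another.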
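The storage rules (per-password random salt, PBKDF2 with an approved hash and a high iteration count, an extra keyed-hash step with a separately stored key) and the throttling rule (a cap of 100 failed attempts plus adaptive delays) are the verifier's side of the same login flow, so one added example covers both. This is example code written for this page, not NIST's or any library's; the record layout, the 100,000-iteration count, the 128-bit salt, and the doubling delay schedule are my choices, and VERIFIER_KEY is generated inline only so the example runs offline (in production it is loaded from an HSM or separate secret store, never from the password database).

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

HASH_ALG = "sha256"
ITERATIONS = 100_000   # NIST: as high as the server can afford, at least 10,000
SALT_BYTES = 16        # 128-bit random salt; NIST's floor is 32 bits

# Secret key for the additional keyed-hash step. NIST says it SHOULD live apart from
# the password table (e.g. in an HSM). Generated inline here purely for the example.
VERIFIER_KEY = secrets.token_bytes(32)


def _derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 over the NFKC-normalized UTF-8 password, then HMAC with the
    separately stored key. Without VERIFIER_KEY a stolen table is useless offline."""
    pw_bytes = unicodedata.normalize("NFKC", password).encode("utf-8")
    dk = hashlib.pbkdf2_hmac(HASH_ALG, pw_bytes, salt, iterations)
    return hmac.new(VERIFIER_KEY, dk, HASH_ALG).digest()


def hash_password(password):
    """Build the stored record for a new password: a fresh random salt per password."""
    salt = os.urandom(SALT_BYTES)
    return {"alg": "pbkdf2-" + HASH_ALG + "+hmac", "iter": ITERATIONS,
            "salt": salt, "hash": _derive(password, salt, ITERATIONS)}


def verify_password(record, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = _derive(password, record["salt"], record["iter"])
    return hmac.compare_digest(candidate, record["hash"])


class Throttle:
    """Per-account limiter: a hard cap of 100 failed attempts (NIST 5.2.2) plus an
    adaptive delay that doubles after every failure, capped at one hour."""
    MAX_FAILURES = 100
    MAX_DELAY = 3600.0

    def __init__(self, now=time.monotonic):
        self.now = now                # injectable clock (tests pass a fake one)
        self.failures = {}            # account -> (failure_count, not_before)

    def allowed(self, account):
        count, not_before = self.failures.get(account, (0, 0.0))
        if count >= self.MAX_FAILURES:
            return False              # locked until an out-of-band reset
        return self.now() >= not_before

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)
            return
        count = self.failures.get(account, (0, 0.0))[0] + 1
        delay = min(2.0 ** count, self.MAX_DELAY)
        self.failures[account] = (count, self.now() + delay)


def login(store, throttle, account, password):
    """Verifier-side login: throttle check, then hash verification, then bookkeeping."""
    if not throttle.allowed(account):
        return False
    record = store.get(account)
    ok = record is not None and verify_password(record, password)
    throttle.record(account, ok)
    return ok
```

Two points worth noticing when running it: the same password hashed twice gives two different records because the salt is fresh each time, and the iteration count is stored with the record so it can be raised for new passwords without invalidating old ones. The delay schedule starts at two seconds and is invisible to a legitimate user who mistypes once, but it makes an online guessing run of 100 attempts take hours before the hard cap even applies.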

While most of the above won't come as a surprise to security folk, software developers, admins, and yes, management need to be made aware of them.