NIST Suggests Eliminating Outdated and Illogical Password Requirements

The National Institute of Standards and Technology (NIST), a key federal institution responsible for setting technology standards applicable to government bodies, standards organizations, and private sector firms, is moving to eliminate some of the most burdensome and illogical password requirements. Notable among these are obligatory password changes, mandates on specific character usage, and reliance on security questions.

Creating strong passwords and managing them effectively poses a significant challenge in maintaining robust cybersecurity practices. This challenge is exacerbated by the complex password policies enforced by employers, government entities, and online service providers. Often, these rules, imposed by faceless authorities with little regard for their practical impact, are intended to boost security but end up compromising it instead.

Enough with the Insanity!

Last week, NIST issued its second public draft of SP 800-63-4, the most recent iteration of its Digital Identity Guidelines. The document, a hefty 35,000 words filled with technical language and bureaucratic terminology, is a daunting read that is equally difficult to fully comprehend. It outlines both technical specifications and recommended best practices for validating methods used in the authentication of digital identities online. Compliance with these guidelines is mandatory for organizations engaging with the federal government via the internet.

Within the new draft, a section on passwords introduces much-needed rational approaches that question longstanding policies. For instance, the updated rules remove the mandate for users to routinely update their passwords—a practice that originated decades ago under less sophisticated understandings of password security, leading to the selection of easily guessable passwords like common names or dictionary words.

Today, many platforms mandate the creation of stronger passwords consisting of random characters or phrases. However, the traditional requirement to change passwords frequently, typically every one to three months, can actually reduce security. This is because the increased hassle may encourage the use of simpler, more memorable passwords that are easier to crack.

Another rule that tends to do more harm than good involves the enforced inclusion of specific characters, such as at least one numeral, one special symbol, and both upper and lower case letters in passwords. When passwords are adequately lengthy and random, these additional character requirements are unnecessary and can lead to weaker passwords as users struggle to meet complex criteria.

The revised NIST guidelines now clearly state that:

  • Verifiers and Credential Service Providers (CSPs) MUST NOT enforce arbitrary composition rules (such as requiring a mix of different character types) on passwords, and
  • Verifiers and CSPs MUST NOT require users to periodically change passwords. However, verifiers MUST enforce a change if there is evidence that the authenticator has been compromised.

(Here, “Verifiers” refers to entities that confirm an account holder’s identity by checking their authentication credentials, and “CSPs” are trusted entities that manage or issue authenticators to the account holder.)

In earlier versions of these guidelines, some rules used the phrase “should not,” suggesting a best practice rather than a requirement. The term “shall not” in the current document (rendered above as “MUST NOT”), however, indicates that these practices are prohibited: a verifier that still applies them is out of compliance.

Other sensible practices included in the document are:

  1. Verifiers and CSPs MUST require passwords to be at least eight characters long and SHOULD aim for a minimum of 15 characters.
  2. Verifiers and CSPs SHOULD allow passwords to be up to 64 characters long.
  3. Verifiers and CSPs SHOULD accept all printable ASCII characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD permit the use of Unicode characters in passwords, counting each Unicode code point as a single character for password length purposes.
  5. Verifiers and CSPs MUST NOT impose arbitrary composition rules for passwords.
  6. Verifiers and CSPs MUST NOT require periodic password changes, but MUST require a change if a compromise is detected.
  7. Verifiers and CSPs MUST NOT allow subscribers to store hints accessible to an unauthenticated individual.
  8. Verifiers and CSPs MUST NOT use knowledge-based authentication (KBA) prompts (e.g., “What was the name of your first pet?”) or security questions for password creation.
  9. Verifiers MUST check the entire submitted password without truncating it.
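As an added illustration (not code from NIST or any vendor), the following hypothetical verifier-side check applies rules 1 through 5 and 9 from the list above, counting length in Unicode code points and accepting spaces and any printable character, and places it beside the legacy composition policy the draft now forbids; the refusal of control characters is an assumption of this example, not something the page states.

```python
"""Password acceptance check modelled on the NIST SP 800-63-4 draft rules
listed above (hypothetical example, not NIST's or any vendor's code)."""
import unicodedata

MIN_LEN = 8           # Rule 1: MUST accept nothing shorter than eight
RECOMMENDED_LEN = 15  # Rule 1: SHOULD aim for fifteen
MAX_LEN = 64          # Rule 2: SHOULD allow at least 64 characters


def check_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, notes). Length is counted in Unicode code points,
    which is exactly what len() on a Python str gives (rule 4). No
    composition rules are applied (rule 5)."""
    notes = []
    # Rule 9: evaluate the whole submitted string, never a truncated prefix.
    length = len(password)
    if length < MIN_LEN:
        return False, [f"too short: {length} < {MIN_LEN} code points"]
    if length > MAX_LEN:
        return False, [f"too long: {length} > {MAX_LEN} code points"]
    # Rules 3-4: printable ASCII, the space and Unicode letters are all fine.
    # Assumption of this example: only control/format code points (Unicode
    # category C*) are refused, since they cannot be typed reliably.
    for ch in password:
        if unicodedata.category(ch).startswith("C"):
            return False, [f"unprintable character U+{ord(ch):04X}"]
    if length < RECOMMENDED_LEN:
        notes.append(f"accepted, but {RECOMMENDED_LEN}+ code points recommended")
    return True, notes


def legacy_check(password: str) -> bool:
    """The composition policy the draft forbids (rule 5), kept for contrast:
    8 to 16 characters with an upper, a lower, a digit and a symbol."""
    if not 8 <= len(password) <= 16:
        return False
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    # Constructed samples: a long passphrase with spaces or non-ASCII letters
    # passes the new rules but fails the legacy policy; a short "complex"
    # password does the reverse.
    for pw in ["correct horse battery staple", "P@ssw0rd", "süß und sicher 12345"]:
        print(repr(pw), check_password(pw), legacy_check(pw))
```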

Microsoft has described forced password changes as “ancient and obsolete.”

Despite longstanding criticism regarding the ineffectiveness and potential harm of common password rules, many banks, online services, and government agencies have continued to enforce them. If adopted, the new guidelines could serve as strong arguments for abolishing such outdated practices.

NIST invites public comments on the guidelines, which can be sent to dig-comments@nist.gov by 11:59 pm Eastern Time on October 7.
