- NIST now asks for a minimum length of eight characters for human-generated passwords and six characters for machine-generated ones. To enable greater security for more sensitive accounts, NIST specifies you should allow for a maximum password length of at least 64 characters.
The guidelines prohibit sequential or repeating characters (like 3456 or zzzz) and prohibit dictionary words
Allowing special characters in passwords also promotes increased security. NIST SP 800-63-3 requires systems permit passwords to incorporate any ASCII or Unicode character (even emojis). Spaces are also supported to enable passphrases
systems should utilize special software to check a proposed password against a slew of previously exposed passwords from past breaches
Password fields must now allow a user to paste text in via a device’s copy-and-paste feature. This enables compatibility with password managers which have numerous security benefits
stored passwords must be hashed and salted rather than saved as plaintext
the new NIST guidelines outlaw password hints
Knowledge-based authentication (KBA)—such as questions like, “What street did you grow up on?” or “Who was your best friend in high school?”—are also no longer allowed. The answers are too easy to figure out, especially in today’s age of public social media
The guidelines removed password complexity requirements, and special characters and numbers are no longer needed
no longer required to change their passwords on a regular basis.
https://www.passportalmsp.com/blog/nist-guidelines-password-security
- Remove periodic password change requirements
Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements, needing mixtures of upper case letters, symbols and numbers
require screening of new passwords against lists of commonly used or compromised passwords
ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.
https://www.alvaka.net/new-password-guidelines-us-federal-government-via-nist/
- Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
- NIST now requires a minimum length of eight characters for user-generated passwords and six characters for those that are generated by a machine
NIST now requires systems to permit passwords that contain special characters, even emojis and spaces. The new guidelines prohibit sequential (ex: 1234) or repeating (ex: aaaa) characters and dictionary words
Password fields must now allow users to paste text using a device’s copy and paste feature. This affords users the opportunity to use password managers, which can greatly increase security.
Stored passwords must also be hashed and salted (security measures similar to encryption).
NIST has completely outlawed the use of password hints. Knowledge-based authentication (KBA) questions like “What street did you grow up on?” are also no longer permitted. The answers to these are too easily found over the internet, and can easily lead to a breach.³
frequent password changes are counterproductive to good password security. NIST recommends removing this requirement, which should increase usability and make password security more user-friendly.
NIST recommends minimizing password complexity requirements, like the necessary inclusion of upper case letters, symbols, and numbers.Reducing password complexity can be another great step on the road to better security practices that employees find easier to manage
A commonly held security practice is screening your users’ passwords against lists of commonly held passwords and known compromised passwords. NIST recommends you utilize software that can check proposed passwords against previously held or exposed passwords
https://www.totalhipaa.com/password-guidelines-updated-by-nist/
- particularly that forcing complexity and regular changes is now seen as bad practice
Verifiers should not impose composition rules e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters
Verifiers should not require passwords to be changed arbitrarily or regularly e.g. the previous 90 day rule
Passwords must be at least 8 characters in length
Password systems should permit subscriber-chosen passwords at least 64 characters in length.
All printing ASCII characters, the space character, and Unicode characters should be acceptable in passwords
When establishing or changing passwords, the verifier shall advise the subscriber that they need to select a different password if they have chosen a weak or compromised password
Verifiers should offer guidance such as a password-strength meter, to assist the user in choosing a strong password
Verifiers shall store passwords in a form that is resistant to offline attacks. Passwords shall be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash.
Typical components of a password policy include:
Many policies require a minimum password length. Eight characters is typical
the use of both upper-case and lower-case letters (case sensitivity)
inclusion of one or more numerical digits
inclusion of special characters, such as @, #, $
prohibition of words found in a password blocklist
prohibition of words found in the user's personal information
prohibition of use of company name or an abbreviation
prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
Password block list
Password block lists are lists of passwords that are always blocked from use.
should no longer be used because they have been deemed insecure for one or more reasons, such as being easily guessed, following a common pattern, or public disclosure from previous data breaches.
Common examples are Password1, Qwerty123, or Qaz123wsx
Password duration
This policy can often backfire.
so if people are required to choose many passwords because they have to change them often, they end up using much weaker passwords; the policy also encourages users to write passwords down.
if the policy prevents a user from repeating a recent password, this requires that there is a database in existence of everyone's recent passwords (or their hashes) instead of having the old ones erased from memory. Finally, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether.
frequently changing a memorized password is a strain on the human memory, and most users resort to choosing a password that is relatively easy to guess
Users are often advised to use mnemonic devices to remember complex passwords. However, if the password must be repeatedly changed, mnemonics are useless because the user would not remember which mnemonic to use. Furthermore, the use of mnemonics (leading to passwords such as "2BOrNot2B") makes the password easier to guess
Requiring a very strong password and not requiring it be changed is often better.However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access for an indefinite period.
Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination. Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense
Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen
Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.
Usability considerations
Inclusion of special characters can be a problem if a user has to log onto a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.
Some identity management systems allow self-service password reset, where users can bypass password security by supplying an answer to one or more security questions such as "where were you born?", "what's your favorite movie?", etc. Often the answers to these questions can easily be obtained by social engineering, phishing or simple research.
https://en.wikipedia.org/wiki/Password_policy#cite_note-3
