New NIST Password Guidelines: What You Need to Know
NIST’s new guidelines favor longer passwords and blocklists over complexity rules and forced changes, reshaping password security practices
The National Institute of Standards and Technology (NIST) has released the second public draft of its Digital Identity Guidelines, including updated recommendations for password security. This revision brings significant changes not only in content but also in the language used to express requirements.
These guidelines are significant in the world of online security, and they might affect the way you log into your accounts in the future. Let’s break down these changes while avoiding “geek speak” as much as possible.
What is NIST?
NIST, or the National Institute of Standards and Technology, is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology. In the realm of cybersecurity, NIST develops guidelines and frameworks that are widely adopted by both public and private sector organizations.
Stronger Language in Guidelines
One notable change in this draft is the shift from advisory language to more definitive requirements. NIST has replaced many instances of “should NOT” with “SHALL NOT”. This change in terminology signifies a move towards more stringent guidelines, with “SHALL” and “SHALL NOT” indicating mandatory requirements rather than recommendations.
Understanding Verifiers and CSPs (OK, just a little necessary “geek speak”)
In NIST’s Digital Identity Guidelines, two key terms frequently appear: Verifiers and Credential Service Providers (CSPs). Verifiers are entities that authenticate a user’s identity by verifying their possession and control of authenticators (like passwords) using an authentication protocol. They essentially check whether a login attempt is valid. CSPs, on the other hand, are trusted entities that issue or register subscriber authenticators and electronic credentials. They manage the lifecycle of authenticators, perform identity proofing, and often operate the verifiers. In many organizations, the IT department or identity management team typically fulfills both these roles, implementing and maintaining secure authentication systems in compliance with NIST standards.
Key Changes in Password Guidelines
The new draft, specifically in the section “Password Verifiers,” outlines several important requirements for handling passwords. Here are the key points, using NIST’s precise language directed toward Verifiers and CSPs:
1. Minimum and Maximum Length
- SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- SHOULD permit a maximum password length of at least 64 characters.
2. Character Sets
- SHOULD accept all printing ASCII characters and the space character in passwords.
- SHOULD accept Unicode characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
3. No Composition Rules
- SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
4. No Periodic Changes
- SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
5. No Hints or Security Questions
- SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
6. Blocklists
- When processing a request to establish or change a password, verifiers SHALL compare the prospective secret against a blocklist that contains known commonly used, expected, or compromised passwords.
7. Secure Storage
- SHALL store passwords in a form that is resistant to offline attacks.
- Stored passwords SHALL be salted and hashed using a suitable password hashing scheme.
8. Verify Entire Password
- SHALL verify the entire submitted password (i.e., not truncate it).
9. Password Normalization
- If Unicode characters are accepted in passwords, the verifier SHOULD apply a normalization process for stabilized strings. This process is applied before hashing the byte string that represents the password.
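To make the nine items above concrete, here is an added example of what a small password verifier looks like when it follows them. This is illustration code written for this article, not code from NIST or from CinchOps. The draft does not name a specific hashing scheme or normalization form, so the choices of PBKDF2-HMAC-SHA256 with 600,000 iterations and NFKC normalization are assumptions, as is the tiny blocklist, which is constructed for the example.

```python
"""Password verifier checks modelled on the draft SP 800-63B-4 items above.

Added illustration only (not NIST or CinchOps code). Assumptions are marked.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 8            # SHALL: at least eight characters
RECOMMENDED_MIN = 15      # SHOULD: at least 15 characters
MAX_LENGTH = 64           # SHOULD permit at least 64; a higher cap is also fine

# Assumption: PBKDF2-HMAC-SHA256 with 600,000 iterations as the "suitable
# password hashing scheme"; the draft does not prescribe parameters.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed blocklist for the example. A real one holds millions of
# breached and commonly used passwords plus organisation-specific words.
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "correct horse battery staple",   # long, but widely known, so blocked
}


def normalize(password: str) -> str:
    """Assumption: NFKC as the stabilizing normalization applied before hashing."""
    return unicodedata.normalize("NFKC", password)


@dataclass
class PolicyResult:
    accepted: bool
    violations: list = field(default_factory=list)   # SHALL / SHALL NOT failures
    advisories: list = field(default_factory=list)   # SHOULD items; warn the user only


def evaluate_password(candidate: str, blocklist=BLOCKLIST) -> PolicyResult:
    """Decide whether a new or changed password may be established."""
    pw = normalize(candidate)
    violations, advisories = [], []

    # Length is counted in Unicode code points; len() on a str does exactly that.
    length = len(pw)
    if length < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    elif length < RECOMMENDED_MIN:
        advisories.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if length > MAX_LENGTH:
        violations.append(f"longer than the {MAX_LENGTH}-character maximum")

    # Deliberately no composition rules: printing ASCII, spaces and Unicode
    # are all accepted, and nothing requires digits, symbols or mixed case.

    # Blocklist comparison is made on the normalized form of both sides.
    if pw in {normalize(entry) for entry in blocklist}:
        violations.append("appears on the blocklist of common or compromised passwords")

    return PolicyResult(accepted=not violations, violations=violations, advisories=advisories)


def hash_password(password: str) -> str:
    """Salt and hash the full, normalized password for storage."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(submitted: str, stored: str) -> bool:
    """Verify the entire submitted password (no truncation) against a stored record."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(submitted).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations),
    )
    # Constant-time comparison of the complete digest.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for sample in ["short", "correcthorse", "correct horse battery staple",
                   "thisisalllowercaseandlong"]:
        print(repr(sample), evaluate_password(sample))
    record = hash_password("cafe\u0301 au lait")          # decomposed e + accent
    print("same password, composed form verifies:",
          verify_password("caf\u00e9 au lait", record))
```

Two details are worth noticing. A long passphrase still fails if it is on the blocklist, which is why the blocklist, not length alone, carries the weight of the policy. And because normalization runs before both length counting and hashing, a user who types an accented letter as one code point on their phone and as a base letter plus combining accent on their laptop gets the same length and the same hash.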
Implications for Organizations
These guidelines represent a significant shift from traditional password policies. The focus is now on longer passwords rather than complex composition rules, which can often lead to user frustration and less secure practices like writing down passwords. The use of “SHALL” and “SHALL NOT” in these guidelines emphasizes that these are not mere suggestions but required practices for compliance.
How CinchOps Can Help
At CinchOps, we understand the challenges of implementing evolving security standards, especially when they become more stringent. Our team stays up-to-date with the latest guidelines and can assist your organization in:
- Updating password policies to align with NIST’s new mandatory requirements
- Implementing secure password storage practices, including salting and hashing
- Setting up systems to check passwords against blocklists
- Removing outdated practices like periodic password changes and composition rules
- Educating users on creating strong, memorable passwords that meet the new guidelines
We will continue to monitor the development of these guidelines and provide updates as future drafts and the final version become available. Our goal is to ensure your organization’s password policies are both secure and user-friendly, in full compliance with the latest expert recommendations.
Stay tuned for more updates on cybersecurity best practices from CinchOps!
FREE Security Assessment
For a limited time, CEOs and business owners in the Greater Houston area can request a FREE security assessment. Go to the Security Assessment Services page and request your FREE assessment.