NIST recommends barring some of the most nonsensical password rules

The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has recommended barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.

Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules—ostensibly to improve security hygiene—actually undermine it. And yet, the nameless rulemakers impose the requirements anyway.

Stop the madness, please!

Last week, NIST released SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance.

A section devoted to passwords injects a large helping of badly needed common-sense practices that challenge common policies. An example: the new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago, when password security was poorly understood and it was common for people to pick common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security, because the added burden incentivizes weaker passwords that are easier for people to set and remember.

Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there is no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead people to choose weaker passcodes.

The latest NIST guidelines now state that:

  • Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords, and
  • Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

(“Verifiers” is bureaucrat speak for the entity that verifies an account holder’s identity by corroborating the holder’s authentication credentials. Short for credential service provider, “CSPs” are a trusted entity that assigns or registers authenticators to the account holder.)

In previous versions of the guidelines, some of the rules used the words “should not,” which means the practice is not recommended as a best practice. “Shall not,” by contrast, means the practice must be barred for an organization to be in compliance.

The latest document contains several other common-sense practices, including:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
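What the length and composition rules above look like in code, as an added example that is not NIST's own code or text: a legacy character-class checker of the kind rule 5 now forbids, next to a checker that follows rules 1 through 5 (length measured in Unicode code points, no character-class rules, space and non-ASCII accepted), plus a verifier that compares the whole submitted password as rule 9 requires. The 8/15/64 thresholds come from the rules quoted above; the 256-character cap, the function names and the sample passwords are assumptions constructed for this example.

```python
"""Password policy checks aligned with the SP 800-63-4 rules quoted above.
Added example, not NIST's code. Thresholds other than 8/15/64 are assumptions."""
import hmac

MIN_LENGTH = 8          # rule 1: SHALL require at least 8 code points
RECOMMENDED_MIN = 15    # rule 1: SHOULD require at least 15 code points
MAX_LENGTH = 256        # rule 2: assumption; any cap of 64 or more satisfies "at least 64"


def password_length(password: str) -> int:
    """Length in Unicode code points (rule 4), not bytes or UTF-16 units.
    Python's len() on a str already counts code points, so a snowman counts as 1."""
    return len(password)


def legacy_check(password: str) -> list[str]:
    """Composition rules of the kind rule 5 now forbids.
    Kept only to contrast with nist_check; returns the list of unmet rules."""
    problems = []
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a special character")
    return problems


def nist_check(password: str, minimum: int = MIN_LENGTH) -> list[str]:
    """Return policy violations; an empty list means the password is accepted.
    Only length is checked: no character-class requirements (rule 5), and
    spaces and non-ASCII characters are allowed (rules 3 and 4)."""
    problems = []
    n = password_length(password)
    if n < minimum:
        problems.append(f"shorter than {minimum} code points ({n})")
    if n > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} code points ({n})")
    return problems


def verify_full(stored: str, submitted: str) -> bool:
    """Rule 9: compare the entire submitted password, in constant time.
    A real verifier compares against a salted hash rather than the plaintext;
    that is outside the rules quoted above and omitted here."""
    return hmac.compare_digest(stored.encode("utf-8"), submitted.encode("utf-8"))


def verify_truncating(stored: str, submitted: str, keep: int = 8) -> bool:
    """Constructed anti-pattern for contrast with rule 9: silently truncates
    before comparing, so anything after the first `keep` characters is never
    checked and a wrong suffix is accepted."""
    return hmac.compare_digest(stored[:keep].encode("utf-8"),
                               submitted[:keep].encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ["P@ssw0rd", "correct horse battery staple", "snowman \u2603 passphrase here"]:
        print(f"{pw!r}: {password_length(pw)} code points, "
              f"{len(pw.encode('utf-8'))} bytes")
        print("  legacy:", legacy_check(pw) or "accepted")
        print("  nist(8):", nist_check(pw) or "accepted")
        print("  nist(15):", nist_check(pw, RECOMMENDED_MIN) or "accepted")
```

The legacy checker accepts `P@ssw0rd` and rejects the 28-character passphrase; the rule-aligned checker does the reverse once the recommended 15-character minimum is applied, which is exactly the shift the guidelines are after. The truncating verifier shows why rule 9 exists: it accepts any submission that shares the first eight characters with the stored secret.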

Critics have for years called out the folly and harm resulting from many commonly enforced password rules. And yet, banks, online services, and government agencies have largely clung to them anyway. The new guidelines, should they become final, aren’t universally binding, but they could provide persuasive talking points in favor of doing away with the nonsense.

NIST asks people to submit comments on the guidelines to dig-comments@nist.gov by 11:59 pm Eastern Time on October 7.
