What the New NIST Guidelines Mean for Authentication
Learn about NIST's Digital Authentication Guideline and what it means for authentication security.
The US National Institute of Standards and Technology (NIST) is creating new policies for Federal agencies implementing authentication. Learn about NIST Special Publication 800-63-3: Digital Authentication Guideline and what it means for authentication security.
NIST Digital Authentication Guideline
The US National Institute of Standards and Technology (NIST) is creating new policies for Federal agencies implementing authentication.
The draft, called Special Publication 800-63-3, is available on the NIST website as well as on NIST's GitHub. The suite of documents includes the following:
800-63-3: Digital Authentication Guideline (overview)
The policies are intended for Federal agency applications, but serve as a standard for many others as well.
NIST Improved Password Requirements
The NIST Digital Authentication Guideline strives for improved password requirements. One of the guiding principles is better user experience and shifting the burden to the verifier whenever possible. In order to support the creation of passwords that users will remember while implementing excellent security, several guidelines are important:
Length: 8 character minimum, >64 character maximum
Compare new passwords to a dictionary and don't allow common, easily-guessed passwords (such as password, abc123, etc.)
Allow all printing characters + spaces
Should offer option to show password rather than dots or asterisks; helps typing accuracy
Don't enforce composition rules (ie., no "passwords must include uppercase and lowercase letters, a number...", etc.); such rules provide a poor user experience
Don't use password hints; they weaken authentication
Don't expire passwords arbitrarily; regular expiration encourages users to choose easy-to-guess, less secure passwords
Don't use Knowledge-based Authentication (KBA)
NIST Guidelines for Password Storage
NIST also supplies guidelines for the verifier's encryption and storage of passwords. These policies ensure that passwords are stored securely:
Passwords shall be hashed with 32-bit (or greater) random salt
Use approved key derivation function PBKDF2 using SHA-1, SHA-2, or SHA-3 with at least 10,000 iterations
Passwords should use keyed HMAC hash with the key stored separately
Overall, the new guidelines put the user experience at the forefront while also establishing more robust storage and authentication methods. Although the NIST Digital Authentication Guideline governs Federal sites, its tenets are good standards for any app or site with authentication. The guideline is currently in draft. When the policies are final, Federal agencies as well as many other companies and vendors will make strides to comply with the new guidelines for improved authentication security and user experience. To learn more, check out the NIST Draft 800-63-3 itself and Jim Fenton's "Toward Better Password Requirements" presentation.