Out with the “old” – in with the “new”: In response to recent trends in password attacks, NIST is considering changing their standards on password management.
Essentially NIST considers password AuthN (“Authentication”) to be a vulnerability (!). They have even registered a vulnerability in the NVD database!
It was pointed out that even a 12-16 character password with the recommended entropy will typically be cracked in 10-15 min.
The overall goals of the new standard are:
· To make passwords easier for users to use by dropping the entropy and expiration requirements.
· To drive passwords to be used only for the following:
o Protect low-risk (i.e. “worthless”) assets only
o Provide a simple way for a user to regain access to something the user has already accessed
· Push all other AuthN to 2FA (“Two-factor AuthN”).
Summary of new password standard
The following summarizes the current draft version of the new password standard:
· If pwd is chosen by user:
o 8-64 characters in length
o Pwd should be compared with a blacklist of unacceptable pwds: pwds from previous breaches, dictionary words, context-specific words.
o No complexity req’t (!)
o ASCII or Unicode printable characters plus space (which may be removed before verification)
o No truncation permitted
o No “hints” given to unauthenticated users, e.g. “name of your 1st pet”
o Passwords do not expire (unless there is evidence of a breach)
o Option to display the password entered. Automatically hides the pwd after timeout.
· If randomly chosen and given to user:
o 6 characters
o Can be entirely numeric
· Pwds should be salted and stored with an approved hash function such as PBKDF2
o Salts: at least 32 bits
o At least 10K iterations of the hash algorithm
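The list above is easier to reason about as code. The following is an added example (not NIST text and not from any project the page describes) that applies the user-chosen password rules in one place, issues a 6-digit verifier-chosen secret, and stores passwords with PBKDF2 using a per-password salt and an iteration count above the stated minimums. The blacklist contents, the sample passwords, the `pbkdf2_sha256$…` record format, and the case-insensitive blacklist comparison are this example's own assumptions; the length bounds, salt and iteration minimums come from the summary.

```python
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from typing import Optional, Tuple

# Thresholds from the summary above. Salt and iteration count are set above the
# stated minimums (32 bits, 10,000 iterations); raising them later is cheap
# because the record format below stores the parameters with the digest.
MIN_LEN, MAX_LEN = 8, 64
SALT_BYTES = 16            # 128-bit salt
ITERATIONS = 100_000
HASH_NAME = "sha256"       # PBKDF2-HMAC-SHA256

# Constructed blacklist for this example: breach-derived strings, dictionary
# words and context-specific words ("examplecorp" stands in for the site name).
BLACKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "examplecorp"}


def normalize(password: str) -> str:
    """Canonicalise before comparison and hashing: NFKC so equivalent Unicode
    spellings match, and drop spaces (the summary allows removing them before
    verification). The length check runs on the raw input, not on this."""
    return unicodedata.normalize("NFKC", password).replace(" ", "")


def check_user_chosen(password: str) -> Tuple[bool, str]:
    """Accept or reject a user-chosen password under the listed rules.
    Length is counted in code points, never bytes, and the string is never
    truncated. No composition (complexity) rule is applied."""
    if not password.isprintable():
        return False, "contains non-printable characters"
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters (would require truncation)"
    # Case-insensitive comparison is this example's choice, not a page rule.
    if normalize(password).casefold() in BLACKLIST:
        return False, "appears on the blacklist"
    return True, "ok"


def random_verifier_password(length: int = 6) -> str:
    """Randomly chosen, verifier-issued secret: 6 characters, all numeric allowed."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC over the normalised, UTF-8 encoded password."""
    return hashlib.pbkdf2_hmac(HASH_NAME, normalize(password).encode("utf-8"),
                               salt, iterations)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh per-password salt and keep the parameters next to the
    digest. Format (assumed here): pbkdf2_sha256$<iters>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = derive(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["short", "Passw ord", "correct horse battery staple", "pässwörd ünicode"]:
        print(repr(pw), check_user_chosen(pw))
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_record("correct horse battery staple", rec),
          verify_record("wrong password!", rec))
```

Two points the list alone does not make obvious: "Passw ord" passes every structural rule but is rejected once spaces are removed and the blacklist is consulted, and the stored record carries its own iteration count, so the cost can be raised for new passwords without invalidating old ones.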
This section gives some relevant links.
Currently the 4 draft NIST standards are on GitHub for public comment:
Some articles discussing the change: