NIST proposes barring some of the most nonsensical password rules

'The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions. Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules—ostensibly to enhance security hygiene—actually undermine it. And yet, the nameless rulemakers impose the requirements anyway. [...]

1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).'

-- source: https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-m...

Cheers, Peter

On Thu, 26 Sep 2024 10:47:37 +1200, Peter Reutemann quoted:
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
The original document <https://pages.nist.gov/800-63-4/sp800-63b.html#password> clarifies this a bit more:

If Unicode characters are accepted in passwords, the verifier SHOULD apply the normalization process for stabilized strings using either the NFKC or NFKD normalization defined in Sec. 12.1 of Unicode Normalization Forms [UAX15]. This process is applied before hashing the byte string that represents the password. Subscribers choosing passwords that contain Unicode characters SHOULD be advised that some endpoints may represent some characters differently, which would affect their ability to authenticate successfully.

In other words, maybe stay away from those Zalgo-text passwords ...
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
I didn’t see any recommendation for what else to do if the user forgets their password.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).'
You’d think this would go without saying ... apparently not.
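Added example (not from the thread or from NIST): a small verifier that applies the rules discussed above, namely NFKC normalization before hashing, length counted in Unicode code points, no composition rules, and hashing of the entire submitted password. The work factor and the choice to count length after normalization are my own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

MIN_LEN = 8        # SP 800-63B: SHALL require at least 8 code points
MAX_LEN = 64       # SHOULD permit at least 64; we cap only above that
PBKDF2_ROUNDS = 100_000  # placeholder work factor; tune for production

def canonicalize(password: str) -> str:
    """NFKC normalization for stabilized strings, applied before hashing."""
    return unicodedata.normalize("NFKC", password)

def check_policy(password: str) -> Optional[str]:
    """Return None if acceptable, otherwise the reason for rejection.
    Length is counted in code points of the normalized string (assumption)."""
    n = len(canonicalize(password))
    if n < MIN_LEN:
        return f"too short: {n} code points, need {MIN_LEN}"
    if n > MAX_LEN:
        return f"too long: {n} code points, limit {MAX_LEN}"
    # Deliberately no composition rule (item 5): spaces, any printing ASCII
    return None  # and any Unicode are accepted as-is

def _derive(password: str, salt: bytes) -> bytes:
    """Hash the entire normalized password (item 9: never truncate)."""
    data = canonicalize(password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)

def enroll(password: str):
    """Enforce the policy and return (salt, digest) for a new password."""
    reason = check_policy(password)
    if reason:
        raise ValueError(reason)
    salt = os.urandom(16)
    return salt, _derive(password, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute over the full submitted password; constant-time compare."""
    return hmac.compare_digest(_derive(password, salt), stored)

if __name__ == "__main__":
    # Constructed input: one endpoint sends precomposed U+00E9, another
    # sends 'e' followed by the combining acute accent U+0301.
    salt, stored = enroll("caf\u00e9 correct horse")
    print(verify("cafe\u0301 correct horse", salt, stored))  # True
```

Without the normalization step the two encodings of "café" hash to different values and the second endpoint would be locked out, which is exactly the failure mode the standard warns subscribers about.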
participants (2)
- Lawrence D'Oliveiro
- Peter Reutemann