It is important to note that while some user-dependent password elements are being simplified by these NIST standards, the control nexus moves from users to the system, with additional controls and control sets being required.
It is vital that security postures are not weakened by simply removing password complexity and associated rules without implementing the additional system controls.
In summary, the recent NIST guidance has the potential to make password policies more “user friendly”, but it relies on strengthening the authentication and verification controls: moving to multi-factor authentication and stronger identity and access management.
More specifically, the new NIST standards include:
- Remove periodic password change requirements, except where a known compromise has taken place;
- Reduce password complexity requirements;
- Mandate screening of new passwords against lists of commonly used or compromised passwords, with a suggested minimum database size of 10k (preferably more) common passwords;
- Remove password hints; increase the permitted password length to accommodate pass-phrases (suggested maximum 64 characters);
- Knowledge-based authentication is removed (e.g. dog’s name, first school, etc.);
- Passwords are stored securely, including being salted (32 bits or more), hashed (HMAC using SHA-2/3), and “stretched” (e.g. PBKDF2 with at least 10k iterations);
- 2FA is required;
- SMS is no longer an acceptable form of 2FA;
- The requirement for M2M (machine-to-machine) authentication is increasing;
- Other authentication requirements are strengthened.
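The screening and storage items in the list above, as an added Python example that is not part of the original article: new passwords are checked only for length and against a blocklist (no composition rules), then salted, hashed with HMAC-SHA-256 and stretched with PBKDF2. The blocklist is a constructed sample, and the minimum length of 8 is an assumption taken from the standard rather than from this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample blocklist. A real deployment would load at least the
# 10k common/compromised passwords the guidance suggests, lower-cased.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8        # assumption from the standard; not stated on the page
MAX_LENGTH = 64       # page: suggested maximum, long enough for pass-phrases
SALT_BYTES = 16       # 128-bit salt; the page requires at least 32 bits
ITERATIONS = 10_000   # page: PBKDF2 with at least 10k iterations


def screen_password(candidate: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately no uppercase/digit/symbol composition rules, per the guidance."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if len(candidate) > MAX_LENGTH:
        reasons.append("too long")
    if candidate.lower() in blocklist:          # case-insensitive blocklist match
        reasons.append("commonly used or compromised")
    return reasons


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt, HMAC-SHA-256 hash and stretch the password; return a self-describing record."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Storing the iteration count in the record lets the stretching cost be raised later for new passwords while old records still verify.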