Password Authentication
SWITCH edu-ID Password Policy
SWITCH edu-ID passwords must meet the following requirements:
- Minimum length: The password must consist of at least 12 characters.
- Complexity: Depending on the length of the password, several character classes must be used (lower-case characters, upper-case characters, digits, punctuation symbols). Long passwords may consist of lower-case characters only.
- Patterns: The password must not contain repeated characters (e.g. "aaaa", "1111"), sequences (e.g. "1234", "abcde") or common keyboard patterns (e.g. "qwertz", "asdf").
- Leaked passwords: The password must not appear in the Have I Been Pwned Passwords database, which contains billions of leaked passwords. Passwords are checked securely via the k-anonymity API (only a hash prefix is sent to the service).
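The four rules above as a runnable policy check. This is an added illustration, not SWITCH's own implementation: the length thresholds at which fewer character classes are required, the run length that counts as a pattern, and the keyboard rows are assumptions, and the Pwned Passwords range endpoint is replaced by an offline stand-in built from a constructed list so the k-anonymity flow (only the first five hex characters of the SHA-1 hash leave the client, matching happens locally) can be exercised without network access.

```python
import hashlib
import re
from typing import Callable, Dict, List

MIN_LENGTH = 12  # from the policy


def required_classes(length: int) -> int:
    """How many character classes a password of this length needs.
    The page only says this depends on length and that long passwords may be
    lower case only; the thresholds here are assumptions for illustration."""
    if length >= 20:
        return 1
    if length >= 16:
        return 2
    return 3


CLASSES: Dict[str, re.Pattern] = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "punct": re.compile(r"[^A-Za-z0-9\s]"),
}

# Assumed Swiss-German layout rows, matching the page's "qwertz" example.
KEYBOARD_ROWS = ["qwertzuiop", "asdfghjkl", "yxcvbnm", "1234567890"]


def has_repetition(pw: str, run: int = 4) -> bool:
    # the same character `run` or more times in a row, e.g. "aaaa" or "1111"
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    # ascending or descending runs of consecutive code points, e.g. "1234", "abcd", "dcba"
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    # any `run`-character fragment of a keyboard row, forwards or backwards
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def pwned_count(pw: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: send only the 5-character SHA-1 prefix, receive every
    suffix sharing it (as "SUFFIX:COUNT" lines) and match the rest locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range endpoint: builds its answer from a
# tiny fake "breach corpus" so the example runs without network access.
_FAKE_BREACH_CORPUS = {"password1234": 5, "Summer2021!!": 2, "correcthorsebatterystaple": 1}


def fake_range_lookup(prefix: str) -> str:
    lines = []
    for leaked, count in _FAKE_BREACH_CORPUS.items():
        h = hashlib.sha1(leaked.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)


def check_password(pw: str, range_lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """Return the list of violated rules (empty list means the password is acceptable)."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    classes_present = sum(1 for rx in CLASSES.values() if rx.search(pw))
    if classes_present < required_classes(len(pw)):
        violations.append("complexity")
    if has_repetition(pw):
        violations.append("repetition")
    if has_sequence(pw):
        violations.append("sequence")
    if has_keyboard_pattern(pw):
        violations.append("keyboard")
    if pwned_count(pw, range_lookup) > 0:
        violations.append("leaked")
    return violations


if __name__ == "__main__":
    for candidate in ["short", "qwertz123456", "correcthorsebatterystaple", "MyS3cure-Passphrase!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Against the real service, `range_lookup` would perform the HTTPS GET for the prefix and return the response body; everything else stays the same, which is the point of the k-anonymity design: the verifier never learns the candidate password or its full hash.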
Notes:
- The password requirements for the edu-ID exceed the NIST recommendations.
- The Swiss Internet Security Alliance recommendations have been adopted where they exceed the NIST recommendations.
- The edu-ID password policy was presented to and approved by the Switch ISMS working group on Sept 22nd 2021.
Recommendations to Users of SWITCH edu-ID
We primarily recommend passwordless login with Passkeys. For users who prefer password-based authentication, we recommend:
- Use a password manager (like Bitwarden, LastPass, PassSafe, 1Password or KeePass)
- Choose a long password, e.g. using the hints on the iBarry web page.
- Don't re-use a password across multiple websites
- Activate Two-Step Login (multi factor authentication)
Summary of NIST Recommendations for Passwords
Recommendations of NIST Special Publication 800-63B for Memorized Secrets (last updated October 2023).
Recommendations for Users
Dos
- The password should have at least 8 characters (the longer, the better)
Don'ts
- Do not impose complexity requirements
- Do not impose a maximum password length (permit at least up to 64 characters)
- Do not impose periodical password changes
Recommendations for Password Verifiers
- allow all printing ASCII characters
- do not truncate the secret
- do not provide/allow password hints
- reject prospective secrets that:
  - were used in previous breaches
  - contain dictionary words
  - contain repetitive or sequential patterns
  - contain context-specific words like user name, service name etc.
- provide a password strength meter
- provide login rate limiting
- allow password paste (encourage password managers)
- offer an option to display the password being typed in (encourage long passwords)
- secrets must be stored salted (salt > 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
- in addition, a further salt/hash operation should be performed with a secret salt known only to the verifier
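The last two storage recommendations and the rate-limiting item, as an added worked example (not code from SWITCH or NIST). It stores each secret with a random 256-bit salt, well above the 32-bit minimum listed above, and a salted iterated hash (PBKDF2-HMAC-SHA256 is one choice; the page lists hash families rather than a specific construction), then applies the "secret salt" step as an HMAC under a verifier-only key that is kept outside the database. The iteration count, the lockout parameters and the `LoginThrottle` class are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

SALT_BYTES = 32            # 256-bit random salt per record (page minimum: > 32 bits)
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to current guidance and hardware


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Produce the record a verifier stores. The full secret is used as given
    (no truncation, no length cap); the salt is stored alongside the hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # Step 1: salted, iterated hash. The salt is public and unique per record.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Step 2: keyed hash with a secret known only to the verifier (the page's
    # "secret salt"). The key lives in a KMS/HSM/environment, not in the database,
    # so a leaked table alone is not enough for an offline guessing attack.
    stored = hmac.new(pepper, derived, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "hash": stored}


def verify_password(password: str, record: Dict[str, object], pepper: bytes) -> bool:
    """Recompute both steps with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  record["salt"], record["iterations"])
    candidate = hmac.new(pepper, derived, "sha256").digest()
    return hmac.compare_digest(candidate, record["hash"])


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window (illustrative,
    in-memory; a real verifier would persist it). The clock is injectable so
    the lockout expiry can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, tuple] = {}  # account -> (count, time of last failure)

    def allowed(self, account: str) -> bool:
        count, last = self._failures.get(account, (0, 0.0))
        if count < self.max_failures:
            return True
        if self.clock() - last >= self.lockout_seconds:
            del self._failures[account]  # lockout expired, counter resets
            return True
        return False

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)
        else:
            count, _ = self._failures.get(account, (0, 0.0))
            self._failures[account] = (count + 1, self.clock())


def login(account: str, password: str, record: Dict[str, object], pepper: bytes,
          throttle: LoginThrottle) -> str:
    """Combine throttle and verification; returns "locked", "ok" or "denied"."""
    if not throttle.allowed(account):
        return "locked"
    ok = verify_password(password, record, pepper)
    throttle.record(account, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    pepper = b"constructed-demo-key-do-not-reuse"  # constructed; a real key comes from a KMS/HSM
    rec = hash_password("correct horse battery staple", pepper)
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    print(login("alice", "wrong guess", rec, pepper, throttle))
    print(login("alice", "correct horse battery staple", rec, pepper, throttle))
```

The two-step layout keeps the public salt with the record and the secret key elsewhere; rotating the key means re-wrapping the stored step-1 values, which is why the record keeps its iteration count explicitly.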
References
- NIST SP 800-63B Digital Identity Guidelines - Authentication and Lifecycle Management, June 2017: https://pages.nist.gov/800-63-3/sp800-63b.html
- REFEDS: SFA Minimum Requirements specification
- Choosing secure passwords