Password Authentication

SWITCH edu-ID Password Policy

SWITCH edu-ID passwords must meet the following requirements:

  • Minimum length: The password must consist of at least 12 characters.
  • Complexity: Depending on the length of the password, several character classes must be used (lower case character, upper case characters, digits, punctuation symbols). Long passwords can be in lower case only.
  • Patterns: The password must not contain repetitive characters (e.g. "aaaa", "1111"), sequences (e.g. "1234", "abcde") or common keyboard patterns (e.g. "qwertz", "asdf").
  • Leaked passwords: Passwords must not appear in the Have I Been Pwned Passwords database, which contains billions of leaked passwords. Passwords are checked securely via the k-anonymity API, so the password itself is never sent to the service.
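The following checker is an added example (not SWITCH code) that implements the four rules above as a policy function and shows how the k-anonymity lookup keeps the password local: only the first five hex characters of the SHA-1 hash leave the client, and the returned suffix list is matched locally. The long-password cut-off (20 characters), the keyboard-pattern list, the 3-class requirement for shorter passwords and the offline "leaked" sample set are assumptions of this example; the page only states the 12-character minimum and that long passwords may be lower case only. The network call is replaced by a constructed in-memory stand-in that mimics the HIBP range response format, including a zero-count padding line.

```python
import hashlib
import re
from typing import Callable, List

# Thresholds assumed for this example (the page gives only the 12-character minimum).
MIN_LENGTH = 12
LONG_PASSWORD_LENGTH = 20          # at or above this length, one character class suffices
CLASSES_REQUIRED_SHORT = 3         # below it, require three of the four classes
KEYBOARD_PATTERNS = ("qwertz", "qwerty", "asdf", "yxcv", "zxcv")  # assumed list


def character_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/punctuation the password uses."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(not c.isalnum() and not c.isspace() for c in pw)
    return classes


def has_repetition(pw: str, run: int = 4) -> bool:
    """'aaaa', '1111': the same character repeated `run` times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """'1234', 'abcd', 'dcba': consecutive code points rising or falling by one."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = [ord(c) for c in lowered[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_pattern(pw: str) -> bool:
    lowered = pw.lower()
    return any(p in lowered for p in KEYBOARD_PATTERNS)


def hibp_prefix_and_suffix(pw: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the range API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_leaked(pw: str, fetch_range: Callable[[str], str]) -> bool:
    """k-anonymity check: fetch all suffixes for the prefix, match locally."""
    prefix, suffix = hibp_prefix_and_suffix(pw)
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        # HIBP may send padding lines with a count of 0; those are not hits.
        if found_suffix.strip() == suffix and int(count or 0) > 0:
            return True
    return False


# Constructed stand-in for the HIBP range endpoint; the real service would be
# queried at https://api.pwnedpasswords.com/range/<prefix>.
LEAKED_SAMPLE = {"password1234": 3456, "Summer2021!!!": 12}


def fake_hibp_range(prefix: str) -> str:
    lines = []
    for pw, count in LEAKED_SAMPLE.items():
        p, s = hibp_prefix_and_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding line in the real response format
    return "\r\n".join(lines)


def check_password(pw: str, fetch_range: Callable[[str], str] = fake_hibp_range) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = 1 if len(pw) >= LONG_PASSWORD_LENGTH else CLASSES_REQUIRED_SHORT
    if character_classes(pw) < required:
        problems.append(f"needs at least {required} character classes at this length")
    if has_repetition(pw):
        problems.append("contains repeated characters")
    if has_sequence(pw):
        problems.append("contains a sequence")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if is_leaked(pw, fetch_range):
        problems.append("appears in a leaked-password database")
    return problems


if __name__ == "__main__":
    for candidate in ("password1234", "correct horse battery staple", "Qwertz!2024xx"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

To use the real service, replace `fake_hibp_range` with a function that performs an HTTPS GET of the prefix and returns the response body; nothing else changes, which is the point of the k-anonymity design.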

Notes:

  • The password requirements for the edu-ID exceed the NIST recommendations.
  • The Swiss Internet Security Alliance recommendations have been adopted where they exceed the NIST recommendations.
  • The edu-ID password policy was presented to and approved by the Switch ISMS working group on Sept 22nd 2021.

Recommendations to Users of SWITCH edu-ID

We primarily recommend using passwordless login with Passkeys. For users who prefer password-based authentication we recommend:

Summary of NIST Recommendations for Passwords

Recommendations of NIST Special Publication 800-63B for memorized secrets (last updated October 2023).

Recommendations for Users

Dos

  • The password should have at least 8 characters (the longer, the better)

Don'ts

  • Do not impose complexity requirements
  • Do not impose a maximum password length (permit at least up to 64 characters)
  • Do not impose periodical password changes

Recommendations for Password Verifiers

  • allow all printing ASCII characters
  • do not truncate the secret
  • do not provide/allow password hints
  • reject prospective secrets that ...
    • were used in previous breaches
    • contain dictionary words
    • contain repetitive or sequential patterns
    • contain context-specific words like user name, service name etc.
  • provide a password strength meter
  • provide login rate limiting
  • allow password paste (encourage password managers)
  • offer an option to display the password being typed in (encourage long passwords)
  • secrets must be stored salted (salt > 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
  • additionally, a further salt/hash operation should be performed with a secret salt (a key that is stored separately from the credential database)
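The two storage items and the rate-limiting item above are easy to get subtly wrong, so here is an added example (not from the page or from SWITCH) of a verifier back end that follows them: a per-user random 128-bit salt with an iterated hash, then a second keyed step with a secret pepper that is held outside the credential store, a constant-time comparison on verification, and a per-account failure counter that refuses further attempts once a threshold is reached. The scheme label, the iteration count, the salt size and the throttle parameters are choices made for this example, not values the page prescribes.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Work factor and salt size are assumptions of this example, not from the page.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16                     # 128 bits, well above the "> 32 bits" minimum
SCHEME = "pbkdf2-sha256+hmac"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash followed by a keyed step with the secret pepper."""
    if not salt:
        salt = os.urandom(SALT_BYTES)   # per-user random salt, stored in the clear
    # Step 1: slow salted hash (the public salt lives next to the record).
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Step 2: the "additional salt/hash operation with a secret salt": an HMAC under
    # a pepper that is kept outside the credential database (e.g. in a KMS or HSM),
    # so a dump of the table alone is not enough to run an offline attack.
    peppered = hmac.new(pepper, derived, hashlib.sha256).digest()
    return f"{SCHEME}${iterations}${_b64(salt)}${_b64(peppered)}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute the record from the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, _digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hash_password(password, pepper, salt, iterations)
    return hmac.compare_digest(candidate, stored)


class LoginThrottle:
    """Per-account failure counter: after `max_failures` within `window` seconds,
    attempts are refused until the oldest failure falls out of the window."""

    def __init__(self, max_failures: int = 5, window: float = 300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock              # injectable so the behaviour can be tested
        self._failures: Dict[str, List[float]] = {}

    def allowed(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures.setdefault(account, []).append(self.clock())


def login(account: str, password: str, stored: str, pepper: bytes, throttle: LoginThrottle) -> bool:
    """Rate-limited verification: a locked account fails even with the right password."""
    if not throttle.allowed(account):
        return False
    if verify_password(password, stored, pepper):
        return True
    throttle.record_failure(account)
    return False


if __name__ == "__main__":
    pepper = os.urandom(32)           # constructed; in production this comes from a secret store
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print("good password:", verify_password("correct horse battery staple", record, pepper))
    print("bad password: ", verify_password("correct horse battery stable", record, pepper))
```

Keeping the pepper out of the database is what gives the second step its value: the stored record is useless to an attacker who has the table but not the key, and rotating the pepper forces re-hashing rather than silently breaking verification, which is why the scheme and iteration count are encoded in the record.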

References