Summary of NIST Recommendations for Passwords
Recommendations for Memorized Secrets
Recommendations for Users
Dos
- The password should have at least 8 characters (the longer, the better)
Don'ts
- Do not impose complexity requirements
- Do not impose a maximum password length (permit at least up to 64 characters)
- Do not impose periodical password changes
Recommendations for Password Verifiers
- allow all printing ASCII characters
- do not truncate the secret
- do not provide/allow password hints
- reject prospective secrets that:
  - were used in previous breaches
  - contain dictionary words
  - contain repetitive or sequential patterns
  - contain context-specific words (user name, service name, etc.)
- provide a password strength meter
- provide login rate limiting
- allow password paste (encourage password managers)
- offer an option to display the password being typed in (encourage long passwords)
- secrets must be stored salted (salt of at least 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
- on top of that, a further keyed hash operation with a secret salt should be applied
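The following is an added example (not part of the original summary, nor NIST's own code) showing how a verifier could implement the acceptance checks and the storage rules listed above. The breach list and dictionary are tiny constructed samples standing in for real corpora; the 4-character run length used for pattern detection, the 16-byte salt, PBKDF2-HMAC-SHA256 as the iterated hash and the iteration count are assumptions chosen for illustration rather than values taken from the guideline.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Iterable, List, Optional

# Constructed sample data: a real verifier would load a large breached-password
# corpus and a proper wordlist instead of these few entries.
BREACHED_SECRETS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine"}

MIN_LENGTH = 8          # at least 8 characters; no complexity rules on top of this
PATTERN_RUN = 4         # assumed window: 4 identical or consecutive characters
PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256


def _has_repetitive_or_sequential_pattern(secret: str, run: int = PATTERN_RUN) -> bool:
    """True if the secret contains `run` identical characters in a row ('aaaa')
    or a straight ascending/descending character sequence ('abcd', '4321')."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_secret(secret: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the list of reasons a prospective secret is rejected.
    An empty list means the secret is acceptable. There is deliberately no
    upper length check and no composition (complexity) rule."""
    reasons: List[str] = []
    # Normalise so visually equivalent Unicode input compares consistently.
    secret = unicodedata.normalize("NFKC", secret)
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Every printing character (space included) is allowed; only control
    # characters are refused, and the secret is never truncated.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in secret):
        reasons.append("contains control characters")
    lowered = secret.lower()
    if lowered in BREACHED_SECRETS:
        reasons.append("appeared in a previous breach")
    if any(word in lowered for word in DICTIONARY_WORDS):
        reasons.append("contains a dictionary word")
    if _has_repetitive_or_sequential_pattern(secret):
        reasons.append("contains a repetitive or sequential pattern")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


def hash_secret(secret: str, server_key: bytes, salt: Optional[bytes] = None) -> dict:
    """Store a secret as: random per-user salt -> iterated salted hash
    (PBKDF2-HMAC-SHA256) -> additional HMAC keyed with a server-side secret key.
    The record returned is what goes into the credential database; the
    server_key is kept elsewhere."""
    salt = salt if salt is not None else os.urandom(16)   # 128 bits > 32-bit minimum
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    keyed = hmac.new(server_key, derived, "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": keyed}


def verify_secret(secret: str, server_key: bytes, record: dict) -> bool:
    """Recompute the stored value and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                  record["salt"], record["iterations"])
    keyed = hmac.new(server_key, derived, "sha256").digest()
    return hmac.compare_digest(keyed, record["hash"])


if __name__ == "__main__":
    key = os.urandom(32)   # in practice: loaded from a separate secret store
    for candidate in ("password", "abcd1234xyz", "Tr0ub4dor&3 horse"):
        print(repr(candidate), "->", check_secret(candidate, context_words=["alice"]) or "accepted")
    rec = hash_secret("Tr0ub4dor&3 horse", key)
    print("verify correct:", verify_secret("Tr0ub4dor&3 horse", key, rec))
    print("verify wrong  :", verify_secret("Tr0ub4dor&3 horsE", key, rec))
```

Because the outer HMAC uses a key that never sits in the credential database, a dump of that database alone is not enough to run an offline guessing attack against the stored hashes; the inner salted PBKDF2 step still slows down guessing if both the key and the database leak.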
References
- NIST SP 800-63B Digital Identity Guidelines - Authentication and Lifecycle Management, June 2017: https://pages.nist.gov/800-63-3/sp800-63b.html
- REFEDS: SFA Minimum Requirements specification
- Choosing secure passwords