The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce and is one of America’s oldest physical science laboratories. NIST produces a wide range of measurements and standards, many of which are used world-wide and contribute to many advanced technologies, materials and fabrication.
NIST also produces guidelines for the system developers who create APPS needing passwords and tells them what checks should be made and what restrictions to apply.
The latest guidance on passwords is DRAFT NIST Special Publication 800-63B Digital Identity Guidelines
It says that passwords should be
- chosen by and memorable for the user.
- of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover them.
- at least 8 characters in length (unless allocated by the system in which case they should be at least 6 characters)
In the last few years, most websites needing passwords have insisted they include capital letters and numbers, but this new guidance says that’s unnecessary.
Systems shall not permit the subscriber to store a “hint” (for their password) that is accessible to an unauthenticated user.
When processing requests to establish or change passwords, systems shall compare the prospective password against a list that contains values known to be commonly-used, expected, or compromised. For example, the list may include (but is not limited to):
- Dictionary words
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
- Context specific words, such as the name of the service, the username, and derivatives thereof.
If the chosen password is found in the list, the system shall advise the subscriber that they need to select a different secret, shall provide the reason for rejection, and shall require the user to choose a different value.
There should be a maximum number of times a user can try to input a password, and then the user should be blocked temporarily.
For some years, it became common for systems to require a password be changed every 6 or 12 months and that advice was given out many times, but this has changed. It is now recommended that systems do not require password changes. Users can choose to change their passwords whenever they wish.
Passwords are essential to access many online services and hopefully the new guidelines will enable the developers to make the process of selecting a new password easier and more secure than previously.
Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.