The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for government agencies, standards organizations and private companies, has proposed banning some of the most annoying and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters and the use of security questions.
Choosing strong passwords and storing them securely is one of the most challenging parts of a good cybersecurity regime. Even more challenging is complying with password regulations imposed by employers, federal agencies, and online service providers. Often, the regulations, ostensibly designed to improve security hygiene, actually undermine it. And yet, the unnamed regulators impose the requirements anyway.
Please stop this madness!
Last week, NIST released SP 800-63-4, the latest version of its Digital Identity Guidelines. At approximately 35,000 words and filled with jargon and bureaucratic language, the document is nearly impossible to read in its entirety and equally difficult to fully understand. It establishes both technical requirements and recommended best practices for determining the validity of methods used to verify digital identities online. Organizations that interact with the federal government online must comply.
A section devoted to passwords injects a large dose of much-needed common sense practices that challenge common policies. For example, the new rules ban the requirement that end users periodically change their passwords. This requirement originated decades ago when password security was poorly understood and it was common for people to choose common names, dictionary words, and other secrets that were easy to guess.
Since then, most services have begun requiring the use of stronger passwords consisting of randomly generated characters or phrases. When passwords are chosen well, the requirement to change them periodically, typically every one to three months, can actually reduce security, as the added burden encourages weaker passwords that are easier for people to create and remember.
Another requirement that often does more harm than good is the requirement to use certain characters, such as at least one number, one special character, and one uppercase and lowercase letter. When passwords are sufficiently long and random, there is no benefit to requiring or restricting the use of certain characters. And again, composition rules can actually lead people to choose weaker passwords.
The latest NIST guidelines now state the following:
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to periodically change their passwords. However, verifiers SHALL force a change if there is evidence of a breach of the authenticator.
(“Verifiers” is a bureaucratic term for the entity that verifies an account holder's identity by confirming the holder's authentication information. “CSPs,” short for credential service providers, are trusted entities that assign or register authenticators to the account holder.)
In previous versions of the guidelines, some rules used the words “should not,” meaning that the practice is not recommended as a best practice. “Shall not,” on the other hand, means that the practice must be prohibited in order to comply with an organization's rules.
The latest document includes a number of other healthy practices, including:
- Verifiers and CSPs SHALL require passwords to be at least eight characters long and SHOULD require passwords to be at least 15 characters long.
- Verifiers and CSPs SHOULD allow a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other password composition rules (for example, requiring a combination of different character types).
- Verifiers and CSPs SHALL NOT require users to change their passwords periodically. Verifiers SHALL force a change if there is evidence of an authenticator breach.
- Verifiers and CSPs SHALL NOT allow the subscriber to store a hint that can be accessed by an unauthenticated requester.
- Verifiers and CSPs SHALL NOT encourage subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
- Verifiers SHALL verify the entire submitted password (not truncate it).
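To make the list above concrete, here is an added example (not code from the article or from NIST) of what a verifier's password-acceptance logic looks like when it follows these rules, placed beside the kind of composition-rule policy the guidelines now prohibit. The function names, the choice of PBKDF2 as the hashing primitive, the exact 64-character cap, and the rejection of control characters are assumptions made for illustration; the length thresholds and the "no composition rules, no periodic expiry, no truncation" behaviour repeat the quoted rules.

```python
"""Password policy checker modelled on the SP 800-63-4 rules quoted above.

Added example, not NIST's or any product's code. Names, the hashing
parameters and the control-character rejection are assumptions; the
numeric thresholds repeat the quoted guidelines.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_LEN_REQUIRED = 8      # SHALL: at least 8 characters
MIN_LEN_RECOMMENDED = 15  # SHOULD: at least 15 characters
MAX_LEN = 64              # SHOULD allow at least 64; assumed exact cap here
PBKDF2_ROUNDS = 100_000   # assumed work factor for the illustration


def password_length(pw: str) -> int:
    """Length in Unicode code points, as the guidelines require.
    len() on a Python str already counts code points, not bytes or
    UTF-16 units, so 'pässwörd' is 8 even though it is 10 UTF-8 bytes."""
    return len(pw)


def legacy_check(pw: str) -> List[str]:
    """A composition-rule policy of the kind now prohibited (for contrast)."""
    problems = []
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c in "!@#$%^&*" for c in pw):
        problems.append("needs a special character")
    if " " in pw:
        problems.append("spaces not allowed")
    return problems


def nist_check(pw: str, *, require_recommended: bool = False) -> List[str]:
    """Return policy violations; an empty list means the password is accepted.
    Deliberately says nothing about digits, case or symbols."""
    problems = []
    n = password_length(pw)
    minimum = MIN_LEN_RECOMMENDED if require_recommended else MIN_LEN_REQUIRED
    if n < minimum:
        problems.append(f"too short: {n} < {minimum} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters")
    # Accept every printing ASCII character, the space, and Unicode.
    # Rejecting control characters (Unicode category C*) is an assumption;
    # it is the only character-class restriction applied.
    for c in pw:
        if unicodedata.category(c).startswith("C"):
            problems.append(f"control character U+{ord(c):04X} not allowed")
            break
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the *entire* UTF-8 encoding of the password (no truncation)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison over the full submitted password."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    created_at: int            # Unix time; kept only to show it is ignored
    compromised: bool = False  # set when there is evidence of a breach


def must_change_password(acct: Account, now: int) -> bool:
    """No periodic expiry: password age plays no part. Only evidence of
    compromise forces a change, as the quoted rule requires."""
    return acct.compromised


if __name__ == "__main__":
    # Constructed sample inputs.
    passphrase = "correct horse battery staple"
    print("legacy:", legacy_check(passphrase))   # rejected: no digit/upper/symbol, has spaces
    print("nist:", nist_check(passphrase))       # accepted
    print("nist:", nist_check("pässwörd"))       # 8 code points, accepted
    salt, digest = hash_password("x" * 80)
    print("full match:", verify_password("x" * 80, salt, digest))
    print("72-byte prefix:", verify_password("x" * 72, salt, digest))
```

Two details worth noting. Counting `len()` of a `str` gives code points, so a password of accented characters is not penalised for its longer byte encoding; and because the hash covers the whole UTF-8 string, an 80-character password and its 72-character prefix produce different digests, which is the property the "verify the entire submitted password" rule is asking for (some hash primitives silently cap input length, so a verifier should confirm this for whatever it uses). Unicode normalisation before hashing is a separate concern that this example does not address.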
Critics have for years decried the folly and harm of many widely enforced password policies. And yet banks, online services, and government agencies have largely stuck to them. The new guidelines, if they become final, would not be universally binding, but they could provide a compelling argument for doing away with the nonsense.
NIST invites people to submit comments on the guidelines to [email protected] by 11:59 p.m. Eastern Time on Oct. 7.