NIST SP 800-63B-4 2pd password rules have been in place since 2017 - the new requirement is phishing resistance

Headlines like "'Don't change it regularly': NIST releases second public draft of password policy guidelines" are circulating in articles and tweets, and they make it sound as if the ban on periodic password changes is something new. I'd like to point out that it was already in NIST SP 800-63 3rd edition (800-63-3), published in June 2017. It's not a new thing. The same goes for the restrictions on the character composition of passwords.

According to the NIST SP 800-63B-4 2pd guidelines, password requirements include:

  1. Length: Passwords must be at least 8 characters long, with a recommended minimum length of 15 characters. The maximum permitted password length must be at least 64 characters.
  2. Accepted characters: Printable ASCII characters, the space character, and Unicode characters should all be accepted. Each Unicode code point counts as one character when assessing password length.
  3. Composition rules: No composition rules, such as requiring a mix of specific character types, may be imposed.
  4. Blocklist: Prospective passwords must be compared against a list of commonly used, expected, or leaked passwords. The comparison must be made on the entire password, not on substrings.
  5. Storage: Passwords must be stored in salted, hashed form using an approved password hashing scheme.
  6. Changes: Periodic password changes must not be required, but a change must be forced when a password compromise is detected.
  7. Usability: Provide guidance on choosing strong passwords and tell users why their password was rejected.

These guidelines strike a balance between security and user convenience.
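A verifier-side implementation of the seven rules above, as an added example that is not part of the original post. The blocklist contents and the PBKDF2 parameters are constructed assumptions; a real deployment loads a large breached-password list and tunes the work factor to its hardware.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8    # required minimum; 15 is the recommended minimum
MAX_LEN = 64   # the verifier must accept at least this many characters

# Constructed sample blocklist; a real deployment loads a large list of
# commonly used, expected, or leaked passwords.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein"}


def normalize(pw):
    # NFKC so the same password typed in different Unicode forms compares equal.
    return unicodedata.normalize("NFKC", pw)


def validate_password(pw):
    """Return (accepted, reason); reason is the feedback shown to the user on rejection."""
    pw = normalize(pw)
    n = len(pw)  # len() counts code points, so a multibyte character counts as one
    if n < MIN_LEN:
        return False, "Password must be at least %d characters (15 recommended)." % MIN_LEN
    if n > MAX_LEN:
        return False, "Password must be at most %d characters." % MAX_LEN
    # Printable ASCII, spaces and Unicode are all accepted; only control characters
    # (tab, newline, ...) are rejected. No composition rules are applied.
    if not all(ch.isprintable() for ch in pw):
        return False, "Password must not contain control characters."
    # Compare the entire password against the blocklist, never substrings.
    if pw.lower() in BLOCKLIST:
        return False, "That password is too common; please choose a different one."
    return True, ""


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (constructed parameters); returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, 600_000)
    return salt, digest


def verify_password(pw, salt, digest):
    """Constant-time comparison of the stored digest against a fresh derivation."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)
```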

Furthermore, for systems at moderate or higher risk, a password alone is not sufficient; AAL2 requires the following:

  1. Authenticator control: High confidence that the claimant controls one or more authenticators bound to the subscriber account. Proof of possession and control of two distinct authentication factors is required through a secure authentication protocol.
  2. Cryptography: Approved cryptographic techniques must be used. Authenticators used at AAL2 must be approved cryptographic authenticators.
  3. Replay resistance: At least one authenticator used at AAL2 must be resistant to replay attacks.
  4. Authenticated protected channels: Communication between the claimant and the verifier must take place over one or more authenticated protected channels.
  5. Use of biometrics: If a biometric factor is used, it must meet the specified performance requirements.
  6. Phishing resistance: Verifiers must offer at least one phishing-resistant authentication option, and federal agencies must require their employees, contractors, and partners to use phishing-resistant authentication to access federal information systems.

What is noteworthy as a new element is the "phishing resistance" requirement. In effect, it is correct to read this as a prohibition not only of password-only authentication but also of password + OTP.
