The draft specification for NIST 800-63-3: Digital Authentication Guidelines is out for review.
After researching and studying the prior ‘best practices’, it was decided that it just wasn’t helping as much as people thought.
Apparently, trying to get a person to remember the password “fMf43@%HZk%$#” without writing it down wasn’t working as well as people had hoped. Who would’ve guessed…? ;)
The new focus is on user-friendly password rules. Instead of having to follow some archaic combination of character requirements (which are often fairly arbitrarily decided upon), the shift is now mostly towards longer passwords/passphrases. The recommended minimum is now 8 characters (which is still barely anything) and the recommended maximum is at least 64 characters… Nice!
One piece of the recommendation I appreciated was that passwords should support Unicode characters. Maybe it won’t impact that many general users in the US, but it definitely adds extra potential difficulty for attackers trying to brute force their way into accounts…
Also, they recommend comparing the password against known bad choices and preventing users from setting their password to any of them. Periodically refreshing a list of the ‘x’ most common passwords from breaches, leaks, etc. and using that for the comparison would likely satisfy that… It’s already something I felt should be a no-brainer, but I’m glad it’s now part of an official recommendation.
Additionally, passwords should be hashed, salted, and stretched.
My favorite, though, is that passwords shouldn’t be expired unless there’s a valid need to do so (like evidence of compromise, user request, etc.). This couldn’t make me more happy. It drives me nuts when a site forces me to change my password every, say, 90 days “because reasons”…
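To make the rules above concrete, here is an added example (my own code, not from the NIST draft) of a password check and storage routine that follows them: an 8 to 64 character length measured in Unicode code points, a blocklist of known-bad passwords, and PBKDF2 for hashing, salting and stretching. The blocklist and the NFC normalization step (so a composed and a decomposed spelling of the same Unicode password compare and hash identically) are my additions, and the iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Constructed sample blocklist; a real deployment refreshes this from breach lists.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1"}
MIN_LEN, MAX_LEN = 8, 64
ITERATIONS = 200_000  # PBKDF2 work factor (assumption; tune to your hardware)


def _normalize(pw: str) -> str:
    # NFC so "a" + combining diaeresis and the precomposed "ä" are the same password.
    return unicodedata.normalize("NFC", pw)


def check_password(pw: str) -> List[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    pw = _normalize(pw)
    problems = []
    n = len(pw)  # Unicode code points, not UTF-8 bytes, so "pässwörd" counts as 8
    if n < MIN_LEN:
        problems.append(f"too short ({n} < {MIN_LEN} characters)")
    if n > MAX_LEN:
        problems.append(f"too long ({n} > {MAX_LEN} characters)")
    if pw.lower() in BLOCKLIST:  # case-folded so "Password" does not slip past
        problems.append("appears in the known-bad password list")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash, salt and stretch: PBKDF2-HMAC-SHA256 over a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(pw).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the stretched hash with the stored salt; compare in constant time."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)
```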
All in all, it’s a lot of good advice. I hope at least some of it will get adopted by more non-government sites, services, and companies.