Information Technology

The National Institute of Standards and Technology (NIST) recently released updates in Special Publication 800-63-4, which addresses digital identity guidelines critical for both governments and non-profits. As the landscape of cybersecurity keeps evolving, these updates are crucial for establishing secure and user-friendly digital identity systems.

NIST no longer recommends requiring a mixture of character types in passwords or changing passwords on a regular schedule, because both practices have led users to create weaker passwords. NIST now recommends that passwords be changed only in the event of a security breach. The wording of certain guidelines has changed from “should not” (a suggestion) to “shall not”, making these measures a requirement for federal agencies and contractors and a best practice for all organizations.

Some new recommendations for password security are:

  • Credential Service Providers (CSPs), i.e., third-party authenticators, shall require passwords to be at least eight characters long and should require them to be at least 15 characters long.
  • CSPs should permit passwords of at least 64 characters; any upper limit on password length must be no lower than 64 characters.
  • CSPs should allow ASCII (American Standard Code for Information Interchange) characters in passwords; ASCII is the basic set of letters, digits, and symbols used to represent text on computers and other devices. Unicode characters (standardized symbols that represent text across different languages, such as the infinity symbol, currency symbols, and other special characters) are also allowed in passwords.
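As an added illustration, not code from NIST or from this article, the following Python puts the length, character-set, and change-on-breach rules above beside a legacy composition-and-rotation policy. The policy record, its field names, and the sample passwords are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy record; field names are this example's own."""
    min_length: int               # measured in characters (code points), not bytes
    max_length: int               # SP 800-63-4: CSPs should permit at least 64
    require_mixed_classes: bool   # composition rules, which NIST no longer recommends
    rotation_days: Optional[int]  # periodic expiry; None means change only on breach


# Legacy rule set of the kind the guidance moves away from (constructed sample).
LEGACY_POLICY = PasswordPolicy(8, 16, True, 90)
# Rule set following the "should" targets summarized in the article.
NIST_POLICY = PasswordPolicy(15, 64, False, None)


def _class_count(pw: str) -> int:
    """Number of character classes (lower, upper, digit, other) present in pw."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for pw; an empty list means accepted."""
    problems = []
    n = len(pw)  # len() counts code points, so a Unicode symbol counts once
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_mixed_classes and _class_count(pw) < 3:
        problems.append("lacks three character classes")
    return problems


def needs_reset(age_days: int, compromised: bool, policy: PasswordPolicy) -> bool:
    """Evidence of compromise always forces a change; age matters only under rotation."""
    if compromised:
        return True
    return policy.rotation_days is not None and age_days >= policy.rotation_days


def utf8_length(pw: str) -> int:
    """Byte length of the UTF-8 form; length limits should not be applied to this."""
    return len(pw.encode("utf-8"))


if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "correct horse battery staple ∞"):  # constructed samples
        print(repr(pw), "chars:", len(pw), "bytes:", utf8_length(pw))
        print("  legacy:", check_password(pw, LEGACY_POLICY) or "accepted")
        print("  nist:  ", check_password(pw, NIST_POLICY) or "accepted")
```

Note that the 30-character passphrase is 32 bytes in UTF-8 because of the infinity symbol: a system that applies its length limit to bytes rather than characters will reject Unicode passwords that the guidance says to accept.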

Other key changes in SP 800-63-4:

  • SP 800-63-4 sets out a risk-based framework that lets organizations tailor their identity proofing and authentication methods to the potential impact of unauthorized access, as follows:
    • Level 1: No identity proofing required. This level is suitable for low-risk transactions.
    • Level 2: Some identity proofing is required. This level is recommended for moderate-risk transactions and may include mechanisms such as knowledge-based questions or SMS-based verification.
    • Level 3: Strong identity proofing is required. This level is necessary for high-risk transactions and will involve multi-factor authentication (MFA) methods.

If you have any questions about these new password guidelines, please contact a member of your audit team.