The National Institute of Standards and Technology (NIST) is the government agency responsible for creating industry standards that apply to a wide variety of applications in science, technology, and industry. Many organizations are subject to compliance with NIST guidelines, or use NIST guidelines to help support their electronic security efforts. For example, the NIST Special Publication 800-63 describes the latest standards, guidelines, and best practices for creating and managing digital identities – especially as it relates to identity security.
For many of these organizations, individual user passwords (referred to as “memorized secrets” in NIST parlance) are often the first line of defense against unauthorized access to IT resources.
While a great deal has been made about password requirements, NIST has stepped up to clarify its perspective on them. If your organization is subject to NIST SP 800-63, this blog post documents how JumpCloud supports the NIST SP 800-63 Memorized Secrets requirements.
NIST SP 800-63 Digital Identity Guidelines Summary
The NIST SP 800-63 Digital Identity Guidelines encompass a large number of issues related to identity management within an environment. Many of those issues are outside of the scope of this specific blog post, but we’ll likely address them in subsequent blog posts.
The Memorized Secrets section of the publication is found in the NIST SP 800-63B document, in Section 5.1.1 and Appendix A. A summary of the section and related items is below:
- 8 character minimum when set by a human.
- 6 character minimum when set by a system/service.
- Support at least 64 characters for maximum length.
- All ASCII characters (including space) should be supported.
- Truncation of the secret shall not be performed when processed.
- Check chosen password with known password dictionaries.
- Allow 10 password attempts before lockout.
- No need to institute complexity requirements.
- No need for password expiration period.
- No password hints.
- No knowledge-based authentication (e.g. who was your best friend in high school?).
- No SMS for 2FA (use an OTP app such as Google Authenticator).
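As an added illustration of the summary above (example code written for this post, not JumpCloud’s implementation and not code from NIST), here is a small Python validator that applies the listed rules: a minimum length that depends on whether a human or a system chose the secret, acceptance of secrets well past 64 characters with no truncation, no character-class complexity requirement, a check against a dictionary of known passwords, and a per-account failed-attempt counter that locks after the tenth attempt. The blocklist entries, account name and constants are constructed sample values.

```python
"""Memorized-secret checks modelled on the NIST SP 800-63B summary above.

Example code for this article only; it is not JumpCloud's implementation.
The blocklist below is a constructed stand-in for a real breached-password
dictionary, and the thresholds mirror the bullet list in the text.
"""

from dataclasses import dataclass, field

# Constructed sample blocklist standing in for a known-password dictionary.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LEN_HUMAN = 8        # minimum when the user chooses the secret
MIN_LEN_SYSTEM = 6       # minimum when a system/service generates it
MAX_LEN_SUPPORTED = 64   # the service must accept at least this many characters
MAX_ATTEMPTS = 10        # failed attempts allowed before lockout (per the summary)


def check_secret(secret: str, human_chosen: bool = True) -> list[str]:
    """Return a list of policy violations; an empty list means the secret is accepted.

    The full string is evaluated as-is: nothing is truncated, trimmed or
    case-folded before it would be handed to the hashing step, and no
    character-class (upper/lower/digit/symbol) complexity rule is applied.
    """
    problems = []
    minimum = MIN_LEN_HUMAN if human_chosen else MIN_LEN_SYSTEM
    if len(secret) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # Every printing ASCII character, including space, is acceptable.
    # Only control characters (0x00-0x1F and DEL) are rejected.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in secret):
        problems.append("contains control characters")
    # Dictionary check is case-insensitive so 'Password' is caught as well.
    if secret.lower() in BLOCKLIST:
        problems.append("appears in the known-password dictionary")
    return problems


def accepts_full_length(secret: str) -> bool:
    """True when a secret at or beyond the 64-character mark is kept whole.

    Shows that no truncation happens: the length seen by the checker equals
    the length the caller supplied.
    """
    return len(secret) >= MAX_LEN_SUPPORTED and not check_secret(secret)


@dataclass
class LockoutTracker:
    """Per-account failed-attempt counter enforcing the lockout threshold."""

    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt; return True once the account is locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_ATTEMPTS

    def reset(self, account: str) -> None:
        """Clear the counter after a successful authentication."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["correct horse battery staple", "short", "Password", "x" * 72]:
        print(repr(candidate[:20]), check_secret(candidate) or "accepted")
    tracker = LockoutTracker()
    for attempt in range(1, MAX_ATTEMPTS + 1):  # "alice" is a constructed account name
        locked = tracker.record_failure("alice")
        print(f"attempt {attempt}: locked={locked}")
```

Note that a long passphrase with spaces passes while a short but “complex” string does not, which is exactly the shift in emphasis the guidelines make; the lockout counter is reset only on a successful login, never by time alone.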
The fundamental change in passwords that NIST is advocating is that longer passwords are better than more complex ones. One of the primary reasons is that the human brain only has so much capacity to memorize complex strings of arbitrary letters, numbers, and special characters. As a result, it is in our nature to create something that is easy to remember, and thus easier to crack. All things being equal, NIST argues that added length does more for a password than packing more ‘entropy’ into a shorter one, and in the end NIST also cited ease of use for the end user as a factor in moving away from complex passwords and toward longer ones.
How JumpCloud Supports NIST SP 800-63
JumpCloud’s Directory-as-a-Service® platform can be a valuable tool in meeting NIST requirements as IT organizations move to support NIST’s memorized secrets guidance. JumpCloud’s native password management capabilities enable IT admins to configure their own requirements, which can mimic those from NIST 800-63. For example, IT admins have full control over password length, complexity (or lack thereof), the number of password attempts before lockout, and checking of previous passwords. Password expiration can be set or disabled, and the cloud directory does not use password hints. For MFA or 2FA services, JumpCloud’s virtual identity provider integrates with TOTP services such as Google Authenticator, as suggested by NIST.
The benefit for IT is that memorized secrets or passwords that are in compliance with NIST 800-63 guidelines can then be leveraged to authenticate user identities for the breadth of an organization’s IT resources. The benefit for end users is that they can enjoy a True Single Sign-On™ experience while assured that their passwords are in compliance with NIST standards. JumpCloud takes security very seriously, which is why NIST 800-63 compliant passwords, in combination with the other secure protocols leveraged by Directory-as-a-Service, can help to elevate IT security in your organization to the next level.
In short, if your organization is looking to support NIST’s memorized secrets guidelines from the SP 800-63B document, Directory-as-a-Service can help. Sign up or schedule a free demo today to see how.
This is a Security Bloggers Network syndicated blog post authored by Vince Lujan. Read the original post at: JumpCloud