The National Institute of Standards and Technology (NIST) is the government agency responsible for creating industry standards that apply to a wide variety of applications in science, technology, and industry. Many organizations are subject to compliance with NIST guidelines, or use NIST guidelines to help support their electronic security efforts. For example, NIST Special Publication 800-63 describes the latest standards, guidelines, and best practices for creating and managing digital identities, especially as they relate to identity security.
For many of these organizations, individual user passwords (referred to as “memorized secrets” in NIST parlance) are often the first line of defense against unauthorized access to IT resources.
While a great deal has been made of password requirements, NIST has stepped up to clarify its perspective on them. If your organization is subject to NIST SP 800-63, this blog post documents how JumpCloud supports the NIST SP 800-63 Memorized Secrets requirements.
NIST SP 800-63 Digital Identity Guidelines Summary
The NIST SP 800-63 Digital Identity Guidelines encompass a large number of issues related to identity management within an environment. Many of those issues are outside of the scope of this specific blog post, but we’ll likely address them in subsequent blog posts.
The Memorized Secrets section of the publication is found in the NIST SP 800-63B document, in Section 5.1.1 and Appendix A. A summary of the section and related items is below:
- 8 character minimum when set by a human.
- 6 character minimum when set by a system/service.
- Support at least 64 characters for maximum length.
- All ASCII characters (including space) should be supported.
- Truncation of the secret shall not be performed when processed.
- Check chosen password with known password dictionaries.
- Allow 10 password attempts before lockout.
- No need to institute complexity requirements.
- No need for password expiration period.
- No password hints.
- No knowledge-based authentication (e.g. who was your best friend in high school?).
- No SMS for 2FA (use an OTP app like Google Authenticator).
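As an added example (not JumpCloud's or NIST's code), here is the list above turned into a small Python verifier: a length and dictionary check with deliberately no composition or expiry rules, plus a per-account counter for the 10-attempt lockout. The blocklist contents, the 128-character cap (any cap of at least 64 satisfies the guideline) and the account names are constructed for the demo.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a known-password dictionary; a real deployment loads
# a large breached/common-password list from disk instead of this tiny set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MAX_LENGTH = 128          # assumption: any cap works as long as it is at least 64
MAX_FAILED_ATTEMPTS = 10  # lockout threshold listed in the post


def check_memorized_secret(secret: str, *, system_generated: bool = False,
                           blocklist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the rules the candidate secret violates; an empty list means accepted.

    The secret is never stripped, normalized or truncated, so len() sees exactly
    what was submitted, spaces and all printable ASCII included.
    """
    problems = []
    min_length = 6 if system_generated else 8
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Dictionary check is case-insensitive so "Password" cannot slip past "password".
    if secret.lower() in blocklist:
        problems.append("appears in the known-password dictionary")
    # Intentionally absent: digit/uppercase/symbol rules, hints, expiry.
    return problems


@dataclass
class LockoutTracker:
    """Counts consecutive failed attempts per account; a success resets the count."""
    failures: dict[str, int] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS

    def verify(self, account: str, stored_secret: str, candidate: str) -> str:
        """Return 'locked', 'ok' or 'denied'. The stored secret is plaintext only
        for this demo; a real verifier compares against a salted hash."""
        if self.is_locked(account):
            return "locked"
        if hmac.compare_digest(stored_secret.encode(), candidate.encode()):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"
```

The tenth wrong guess is still processed and reported as "denied"; only the eleventh attempt is refused outright as "locked", even if it carries the right secret.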
The fundamental change in passwords that NIST is advocating is that longer passwords are better than more complex ones. One of (Read more...)
*** This is a Security Bloggers Network syndicated blog from JumpCloud authored by Vince Lujan. Read the original post at: https://jumpcloud.com/blog/jumpcloud-supports-nist-sp-800-63-memorized-secrets/