NIST standards proposal looks to retire outdated authentication requirements like mandatory password resets

That makes sense: what's more aggravating than having to change your password periodically? I worked for one company that required a change every three months, on top of a raft of other rules about what the password could and could not contain. The standards body responsible now says that most of these credential rules are obsolete and unnecessary.

The National Institute of Standards and Technology (NIST) has proposed new credential standards it wishes to adopt. The second draft of Special Publication 800-63-4 is posted to the NIST website, awaiting public feedback on the suggested password and authentication guidelines.

The outline of standards is no-nonsense but flies in the face of the annoying password regimen many companies and agencies employ. Some examples include mandating password resets, limiting character usage, requiring certain character combinations, and using security questions. These requirements are largely unnecessary. They are outdated relics, hailing from a time when the internet was still new, and most people didn't understand proper security hygiene.

Encourage your loved ones to change passwords often, making them long, strong, and unique. More tips: https://t.co/VhTCLCdf9j. #ChatSTC

– FTC (@FTC) January 27, 2016

As Microsoft indicated in its 2019 Security Baseline, many of these rules actually promote bad security hygiene. For example, requiring employees to change their passwords frequently encourages them to use weaker passwords that are easier to remember or create, and therefore, easier to crack. The FTC agrees.

The same goes for rules that call for character specifics, such as "passwords must contain at least eight characters with a minimum of one uppercase and lowercase letter, one special symbol (like punctuation), and at least one numeral." These tight restrictions tend to lead people to use passwords like BigToe@1 (a former coworker actually used that one).

While anybody is free to read and comment on SP 800-63-4, it is a challenging and long read, thanks to all the bureaucratic lingo and lengthy explanations. It's so loaded that the organization felt it was necessary to devote a section to defining the meanings of the words "shall," "shall not," "should," "should not," and other simple terms. The document basically boils down to nine requirements and suggestions.

Password verifiers or verification service providers:

  1. Shall require passwords to be a minimum of eight characters, but should require a minimum of 15 characters.
  2. Should permit a maximum password length of at least 64 characters.
  3. Should accept all printing ASCII characters and the space character in passwords.
  4. Should accept Unicode characters in passwords. Each Unicode code point shall be counted as a single character when evaluating password length.
  5. Shall not impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Shall not require users to change passwords periodically. However, verifiers shall force a change if there is evidence of compromise of the authenticator.
  7. Shall not permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Shall not prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
  9. Shall verify the entire submitted password (i.e., not truncate it).

Rule eight is quite sensible considering the lunacy of the assumption that hackers couldn't know or figure out a target's high school mascot or a maiden name. However, number seven seems like a Catch-22. You can only see your password hint if you are authenticated, but you can't be authenticated if you can't remember your password without the hint. Other than that, the guidelines seem like common sense, which I find lacking in general these days.
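As an added example (not code from the article or from NIST), here is a small Python verifier that applies the nine rules above, placed next to the composition policy quoted earlier ("eight characters with one uppercase, one lowercase, one symbol and one numeral") so the two can be compared on the same inputs; the salt and sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import string
import unicodedata

MIN_LEN = 15   # rule 1: shall be at least 8, should be at least 15 (we pick 15)
MAX_LEN = 64   # rule 2: at least 64 characters must be permitted

def legacy_policy(pw: str) -> bool:
    """The composition rule the article quotes: eight characters with an
    uppercase, a lowercase, a digit and a symbol. Happily accepts BigToe@1."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def nist_policy(pw: str) -> tuple[bool, str]:
    """Acceptance check following the nine rules listed above; returns
    (accepted, reason). Python's len() counts Unicode code points, which is
    exactly the length measure rule 4 asks for."""
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} code points"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} code points"
    # Rules 3 and 4: printing ASCII, the space and any Unicode are accepted;
    # only control characters (Unicode category Cc, e.g. a newline) are not.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "contains control characters"
    # Rule 5: deliberately no upper/lower/digit/symbol mixture requirement.
    return True, "ok"

def store(pw: str, salt: bytes) -> bytes:
    """Hash the whole password (rule 9): no truncation to a fixed prefix."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

def verify(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Rule 9 again: the entire submitted value is compared, in constant time."""
    return hmac.compare_digest(store(submitted, salt), stored)

if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed for the demo; use os.urandom(16) in practice
    for candidate in ("BigToe@1", "correct horse battery staple"):
        print(candidate, legacy_policy(candidate), nist_policy(candidate))
    digest = store("correct horse battery staple", salt)
    print(verify("correct horse battery staple", salt, digest),   # True
          verify("correct horse battery stapl", salt, digest))    # False
```

The two policies invert on the article's own examples: BigToe@1 passes the legacy check and fails the NIST one, while a long passphrase with spaces does the opposite.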

NIST governs standards within the government and has no enforcement authority over private companies. For example, it ensures that fire hydrants use standardized fittings and deliver the same amount of water no matter where you go, and it sets standards for their maintenance.

Generally, only government agencies and companies or organizations that deal directly with the government are held to these rules. For instance, the IRS must adopt NIST guidelines, but Meta can ignore them. That said, many NIST standards trickle down to private organizations within the industries to which the rules apply. The NIST Cybersecurity Framework is a good example.

Source: techspot.com