NIST Updated Guidance on Memorized Secret Verifiers (Passwords)

Originally published at: https://brian.carnell.com/articles/2021/nist-updated-guidance-on-memorized-secret-verifiers-passwords/

The National Institute of Standards and Technology recently released NIST Special Publication 800-63B: Digital Identity Guidelines, which includes updated guidance on password requirements. (NIST calls a password a “memorized secret” and the system that checks it a “verifier”, so the relevant section is titled “Memorized Secret Verifiers”.) The highlights include: a) not forcing users to choose new passwords on an arbitrary schedule, with a change required only when there is evidence the password has been compromised; b) checking candidate passwords against a blocklist and rejecting those that have appeared in known breaches; and c) ditching most of the silly password composition requirements, such as mandating a mix of upper case, lower case, digits and symbols (one popular service I use, for example, won’t allow you to end a password with a number). NIST also says verifiers should accept passwords of at least 64 characters, including spaces and any printable character. It would be nice to see that recommendation be widely adopted. Personally, I’m tired of banks and credit card companies that limit me to arbitrarily small passwords of 16 to 20 characters depending on the institution.

From section 5.1.1.2, Memorized Secret Verifiers:

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers…
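As an added example (not code from the original post or from NIST), here is a password acceptance check in Python that applies the 800-63B rules summarized above: a minimum of 8 characters, a cap comfortably above 64, no composition rules, a breach/dictionary blocklist, rejection of context-specific words (such as the username) and of repetitive or sequential strings, and Unicode NFKC normalization before any comparison. The blocklist, the cap of 128 and the sample usernames are constructed assumptions; a real deployment would load a full breach corpus.

```python
"""Memorized-secret acceptance checks modelled on NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original post or from NIST. The blocklist
below is a constructed stand-in for a real breach/dictionary corpus.
"""
import unicodedata

MIN_LENGTH = 8             # 800-63B: SHALL require at least 8 characters
MAX_ACCEPTED_LENGTH = 128  # SHOULD permit at least 64; assumed cap only bounds hashing cost

# Constructed sample blocklist. In practice, load a breach corpus and a
# dictionary, and compare the case-folded, normalized secret against it.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1",
}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC, as 800-63B recommends, before comparing or hashing.

    Without this, a full-width 'ｐａｓｓｗｏｒｄ' would slip past a blocklist
    containing 'password', and the same secret typed on two keyboards could
    fail to verify.
    """
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for strings such as 'aaaaaaaa', '12345678', 'zyxwvuts', 'abababab'."""
    n = len(s)
    if n < 2:
        return True
    # A constant step of -1, 0 or +1 between every adjacent pair of code points
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if len(steps) == 1 and next(iter(steps)) in (-1, 0, 1):
        return True
    # A short block repeated to fill the whole string
    for k in range(1, n // 2 + 1):
        if n % k == 0 and s[:k] * (n // k) == s:
            return True
    return False


def check_memorized_secret(secret: str, username: str = "",
                           service_name: str = "") -> tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately imposes no composition rules: spaces, punctuation and any
    Unicode are fine, and nothing demands a digit or an upper-case letter.
    """
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_ACCEPTED_LENGTH:
        return False, f"longer than {MAX_ACCEPTED_LENGTH} characters"

    folded = s.casefold()
    if folded in BREACHED_PASSWORDS:
        return False, "appears in breach/dictionary blocklist"

    # Context-specific words: the username, the service name, and the like
    for word in (username, service_name):
        if len(word) >= 3 and word.casefold() in folded:
            return False, f"contains context-specific word {word!r}"

    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential characters"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs
    samples = [
        ("correct horse battery staple", ""),
        ("Tr0ub4d", ""),
        ("ｐａｓｓｗｏｒｄ", ""),
        ("12345678", ""),
        ("alice-2021!", "alice"),
    ]
    for pw, user in samples:
        print(f"{pw!r:34} -> {check_memorized_secret(pw, username=user)}")
```

Note what is absent as much as what is present: there is no check that a digit or symbol is included, no maximum anywhere near 16 or 20 characters, and no expiry timestamp, because 800-63B says a change should be forced only on evidence of compromise, not on the calendar. Normalizing before the blocklist lookup matters; the full-width sample above is the same secret as "password" to a user, and only becomes the same string to the verifier after NFKC.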