While we often discuss examples of poor password requirements, it's also useful to consider a sample set of good requirements and practices. NIST Special Publication 800-63, which defines authentication requirements for Federal Government agencies, is currently being revised and seeks to establish requirements that are aligned with current understanding of threats and user behavior. This talk will discuss the rationale for these changes and opportunities for comment.
As authentication threats have evolved and we have learned more about user behavior, what were considered best practices several years ago are no longer current. For this reason, guidance on user authentication needs periodic revision. NIST Special Publication 800-63, which sets technical requirements for authentication and identity proofing by the Federal Government, is currently in the process of such a revision.
SP 800-63B, subtitled "Authentication and Lifecycle Management", is a new document dealing specifically with user authentication. It changes the requirements for memorized secrets (passwords) in several ways:
- Emphasis on long, memorable passwords
- No use of composition rules
- No hints and prompts (name of first pet, etc.)
- Use of dictionary of compromised passwords to disallow poor choices
- No arbitrary (e.g., periodic) password changes
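As an added illustration (not code from the talk or from NIST), the list above can be turned into a verifier-side acceptance check for memorized secrets. The 8-character minimum, the requirement to accept at least 64 characters, and NFKC normalization are taken from the SP 800-63B draft as assumptions, and the compromised-password set is a small constructed stand-in for a real breach corpus.

```python
import unicodedata

# Constructed sample of a compromised-password list; a real deployment loads a
# large breach corpus instead (assumption, not from the original page).
COMPROMISED = {"password", "123456", "qwerty", "letmein", "football", "iloveyou"}

MIN_LENGTH = 8   # minimum for user-chosen secrets (assumed from the SP 800-63B draft)
MAX_LENGTH = 64  # verifiers must accept at least this many characters


def normalize(secret):
    # Apply Unicode normalization (NFKC) so that the same password typed on
    # different platforms compares equal; spaces are allowed, so nothing is trimmed.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret):
    # Reject a secret made entirely of one repeated character or of a monotone
    # run of consecutive code points, e.g. "aaaaaaaa", "abcdefgh", "87654321".
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def check_memorized_secret(secret, context_words=()):
    """Return the reasons a candidate password is rejected (empty list = accepted).

    Deliberately applies no composition rules and no expiry: the only checks are
    length, the compromised-password dictionary, obviously weak patterns, and
    context-specific words such as the username or service name.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:          # length counted in code points, not bytes
        reasons.append("too short")
    if len(s) > MAX_LENGTH:
        reasons.append("too long")
    if s.lower() in COMPROMISED:
        reasons.append("appears in compromised-password list")
    if is_repetitive_or_sequential(s):
        reasons.append("repetitive or sequential characters")
    for word in context_words:
        if word and word.lower() in s.lower():
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```

A long passphrase with no digits or symbols passes, while a short, leaked, or sequential string is rejected, which is exactly the shift away from composition rules that the revised document makes.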
Beyond the realm of passwords per se, SP 800-63B also clarifies and strengthens the requirements for two-factor authentication and account recovery. The use of SMS (text messaging) as an out-of-band authentication mechanism has been deprecated due to security issues that have been seen with this technique. Requirements for account recovery have also been strengthened, in an effort to avoid having account recovery act as an authentication back door, particularly for two-factor authentication.
Jim Fenton is a consultant and researcher with a focus on user-centric identity, messaging, and Internet privacy and security issues. His primary consulting focus is currently in the area of user authentication standards, supporting the National Institute of Standards and Technology (NIST). He is an active participant in the Identity Ecosystem Steering Group and is an advisor to Disconnect, a maker of Internet privacy tools. Previously, Jim was Chief Security Officer at OneID and a Distinguished Engineer at Cisco, where he focused on issues affecting trust in the Internet. He is an author of RFC 4871 (DomainKeys Identified Mail, DKIM), RFC 4686 (DKIM threat analysis), and RFC 5617 (DKIM Author Domain Signing Practices).