NEW PASSWORD PROTOCOLS FROM NIST
The National Institute of Standards and Technology (NIST) has just released new guidelines for how best to deal with passwords. They are contained in the DRAFT NIST Special Publication 800-63-3, Digital Authentication Guideline: <https://pages.nist.gov/800-63-3/sp800-63-3.html>.
Fundamentally, the draft provides best practices to the federal government on how passwords are to be created and authenticated. This in turn becomes one of the sources of best practices for the corporate and home user. The other source of best practices is US-CERT.
While the draft is a sure cure for insomnia, the core changes are:
- Minimum password size of 8 characters, maximum of at least 64 characters.
- Note: we strongly recommend all passwords have a minimum of 15 characters, in an easy-to-enter, easy-to-remember phrase.
- Minimum PIN size of 8 characters or 6 random digits.
- Spaces may be used in passwords.
- All ASCII characters may be used in a password.
- All Unicode characters should (not must) be accepted for passwords, including emojis.
- Password hints and prompts shall not be used.
- Note: Never use a password hint. It is far too easy for an attacker to find the answer to a hint through social engineering.
- 2-factor authentication via SMS is being deprecated, and may be recommended against! This is huge, as SMS (texts to your cell phone to authenticate) may be intercepted or compromised via smartphone malware and other tactics.
- Note: It is most likely that biometrics will become the new standard for 2-factor authentication (see next).
- Biometrics shall be bound to a specific device that uses approved encryption, with a hard limit of 10 consecutive failed attempts.
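To make the list above concrete, here is an added example of what a verifier that follows these rules looks like; it is illustrative code written for this post, not code from NIST or from the draft. It applies the 8-character minimum and a maximum of at least 64, keeps spaces, measures length in Unicode code points so an emoji counts as one character rather than four bytes, and tracks the 10-consecutive-failure limit. The NFKC normalization step is an assumption taken from the later SP 800-63B text rather than something this post lists, and all sample passwords are constructed values.

```python
from __future__ import annotations

import unicodedata

# Length bounds from the draft: minimum 8 characters, maximum must be at least 64.
MIN_LENGTH = 8
MAX_LENGTH = 64   # 64 is the smallest cap the draft permits; raise it if storage allows
# Hard limit on consecutive failed attempts (the draft states it for device-bound biometrics).
MAX_CONSECUTIVE_FAILURES = 10


def normalize_secret(secret: str) -> str:
    """Canonicalise the entered secret without truncating or trimming it.

    NFKC normalization is an assumption borrowed from the later SP 800-63B
    guidance, not something the post lists; it makes visually identical
    strings compare equal (a precomposed 'é' versus 'e' + combining accent)
    so the same passphrase verifies whichever way a keyboard produced it.
    Spaces are kept: the draft allows them, so there is deliberately no strip().
    """
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, max_length: int = MAX_LENGTH) -> tuple[bool, str]:
    """Apply the draft's composition rules and return (accepted, reason).

    Length is measured in Unicode code points, never in bytes: an emoji is one
    character to the user even though it is four bytes in UTF-8. (Multi-code-point
    graphemes such as flag sequences will count as more than one; that errs on
    the side of accepting, never of rejecting, a passphrase.)
    """
    if max_length < 64:
        raise ValueError("the draft requires the maximum to be at least 64 characters")
    secret = normalize_secret(candidate)
    length = len(secret)
    if length < MIN_LENGTH:
        return False, f"too short: {length} characters, minimum is {MIN_LENGTH}"
    if length > max_length:
        return False, f"too long: {length} characters, maximum is {max_length}"
    # No character-class rules, no hints, no ban on spaces, ASCII or Unicode.
    return True, "accepted"


class ConsecutiveFailureLock:
    """Count consecutive failed attempts and lock at the draft's limit of 10.

    Any success resets the counter, so only an unbroken run of failures locks.
    """

    def __init__(self, limit: int = MAX_CONSECUTIVE_FAILURES) -> None:
        self.limit = limit
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.limit

    def record(self, success: bool) -> bool:
        """Record one attempt; return True if further attempts are still allowed."""
        if self.locked:
            return False
        self.failures = 0 if success else self.failures + 1
        return not self.locked


def demo() -> dict[str, tuple[bool, str]]:
    # Constructed sample inputs for illustration, not real credentials.
    samples = {
        "short": "Tr0ub4d",                        # 7 characters: rejected
        "spaces": "correct horse battery staple",  # spaces are legitimate
        "emoji": "🔒🔑🐎🔋🧂 and salt",             # 14 code points, 5 of them emoji
        "sixty_four": "a" * 64,                    # exactly the required ceiling
        "sixty_five": "a" * 65,                    # one past the 64 cap used here
    }
    return {name: check_password(pw) for name, pw in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11} {'OK' if ok else 'NO'}  {reason}")
    lock = ConsecutiveFailureLock()
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        lock.record(success=False)
    print("locked after 10 straight failures:", lock.locked)
```

The two things this is meant to surface are the length unit (count code points, not bytes, or emoji-heavy passphrases get rejected or silently truncated) and the fact that 64 is a floor on the cap, not a target: the `max_length` guard refuses a configuration that would cut a legitimate 64-character phrase short.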
More to come as the draft goes through a review process.
Passwords are only a very small part of overall security for your devices, data, and identity. Learn how to fully secure your digital world with the best-selling, easiest, and most comprehensive security guides available: Practical Paranoia Security Essentials.