Password policy
==NIST guidelines==
The United States Department of Commerce's [[National Institute of Standards and Technology]] (NIST) has put out two standards for password policies which have been widely followed.

===2004===
From 2004, the "NIST Special Publication 800-63. Appendix A,"<ref>{{cite web |title=Electronic Authentication Guideline |url=https://csrc.nist.gov/CSRC/media/Publications/sp/800-63/ver-10/archive/2004-06-30/documents/sp800-63-v1-0.pdf |website=nist.gov |publisher=USG |accessdate=9 April 2020}}</ref> advised people to use irregular capitalization, special characters, and at least one numeral. This was the advice that most systems followed, and it was "baked into" a number of standards that businesses needed to follow.

===2017===
However, in 2017 a major update reversed this advice: in particular, forcing complexity and regular changes is now seen as bad practice.<ref>{{cite news |last1=Statt |first1=Nick |title=Best practices for passwords updated after original author regrets his advice |url=https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity |accessdate=9 April 2020 |work=The Verge |date=7 August 2017}}</ref><ref name=sp800-63B>{{cite book | title = SP 800-63B-3 – Digital Identity Guidelines, Authentication and Lifecycle Management | publisher = NIST | date = June 2017 | doi=10.6028/NIST.SP.800-63b | author=Grassi Paul A.}} {{PD-notice}}</ref>{{rp|5.1.1.2}} The key points of these are:
* Verifiers ''shall not'' impose composition rules (e.g., not require mixtures of different character types and not prohibit consecutively repeated characters) (note that this was changed in revision 4 from ''should not'' to ''shall not'')<ref name=sp800-63B-4>{{cite web| title = SP 800-63B-4 – Digital Identity Guidelines, Authentication and Lifecycle Management | publisher = NIST | date = Dec 2023 | url=https://pages.nist.gov/800-63-4/sp800-63b.html | author=<!--Not stated-->}}</ref>
* Verifiers ''shall not'' require passwords to be changed arbitrarily or regularly (e.g. no 90-day or 365-day change rule)
* Passwords ''must'' be at least 8 characters in length
* Password systems ''should'' permit subscriber-chosen passwords at least 64 characters in length.
* All printing [[ASCII]] characters, the space character, and [[Unicode]] characters ''should'' be acceptable in passwords
* When establishing or changing passwords, the verifier ''shall'' advise the subscriber that they need to select a different password if they have chosen a weak or compromised password
* Verifiers ''should'' offer guidance such as a password-strength meter, to assist the user in choosing a strong password
* Verifiers ''shall'' store passwords in a form that is resistant to offline attacks. Passwords ''shall'' be [[Salt (cryptography)|salted]] and hashed using a suitable one-way [[key derivation function]]. Key derivation functions take a password, a salt, and a cost factor as inputs and generate a password hash from them. Their purpose is to make each password-guessing trial by an attacker who has obtained a password hash file expensive, and therefore the cost of a guessing attack high or prohibitive.

NIST included a rationale for the new guidelines in its Appendix A.
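The following is an added example, written for this article and not taken from NIST or from any particular product, of what a verifier built on the 2017 points above looks like in code. The acceptance check has no composition rules, sets only the 8-character floor, places no ceiling on length (so 64+ character passphrases pass), accepts spaces and non-ASCII Unicode, and screens against a blocklist of compromised passwords; the storage side salts and stretches the password with a key derivation function (PBKDF2-HMAC-SHA256, one of the functions 800-63B names), whose cost factor makes each offline guess expensive. The blocklist, the iteration count and the record format are constructed assumptions, not values from the standard.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8          # SP 800-63B: memorized secrets must be at least 8 characters
ITERATIONS = 600_000    # PBKDF2 cost factor (assumed default; tune to ~100 ms on your hardware)

# Constructed stand-in for a breach-corpus / dictionary blocklist; a real verifier
# would screen against a large compromised-password dataset.
COMPROMISED = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(secret: str) -> str:
    """Apply NFKC so equivalent Unicode spellings of a password hash to the same value."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str) -> list:
    """Return the reasons a password is rejected; an empty list means acceptable.

    Deliberately has no composition rules: any printing character, including
    spaces and non-ASCII Unicode, counts, and there is no upper bound, so
    passphrases of 64 or more characters are accepted.
    """
    problems = []
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        problems.append(f"too short: {len(secret)} characters, minimum is {MIN_LENGTH}")
    # Only non-printing control characters (Unicode category Cc) are refused.
    if any(unicodedata.category(ch) == "Cc" for ch in secret):
        problems.append("contains non-printing control characters")
    if secret.lower() in COMPROMISED:
        problems.append("matches a known compromised password; choose a different one")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt and stretch the password; return a self-describing record for storage."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, iterations, dklen=32)
    # Record carries scheme, cost and salt so the cost can be raised later
    # without breaking verification of older records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        recomputed = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                         bytes.fromhex(salt_hex), int(iterations), dklen=32)
        return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record (wrong field count, bad hex, bad int)
        return False


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "Password", "pa sswd"):
        print(repr(candidate), check_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong guess", record))
```

Two details matter for the "resistant to offline attacks" point: the salt is generated per password, so two users with the same password get different records and a precomputed table is useless, and the iteration count is stored with the record, so it can be raised for new passwords as hardware gets faster while old records still verify.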