JumpCloud Supports NIST SP 800-63 Memorized Secrets

Written by Zach DeMeyer on September 20, 2020

Share This Article

The National Institute of Standards and Technology Special Publication (NIST SP) 800-63 is the modern standard for Digital Identity Guidelines. Many organizations are subject to NIST guidelines for compliance or generally use NIST guidelines to help support their digital security posture. 

If your organization is subject to NIST SP 800-63, this blog post documents how the JumpCloud directory platform supports those requirements, specifically regarding passwords, or “memorized secrets” in NIST terminology.

What’s Required Under NIST SP 800-63?

The NIST SP 800-63 Digital Identity Guidelines encompass a large number of issues related to identity management within an environment. Many of those issues are outside the scope of this specific blog post, but we’ll address them in subsequent blog posts.

NIST SP 800-63B Memorized Secret Guidelines

The Memorized Secrets section of the publication is available in the NIST SP 800-63B document in Section 5.1.1. A summary of the section and its related items is below:

  • 8 character minimum when a human sets it
  • 6 character minimum when set by a system/service
  • Support at least 64 character maximum length
  • All ASCII characters (including space) should be supported
  • Truncation of the secret shall not be performed when processed
  • Check chosen password with known password dictionaries
  • Allow at least 10 password attempts before lockout
  • No complexity requirements
  • No password expiration period
  • No password hints
  • No knowledge-based authentication (e.g. who was your best friend in high school?)
  • No SMS-based two-/multi-factor authentication (2FA/MFA)

The fundamental change to memorized secrets that NIST advocates now is that longer passwords are preferred over more complex ones. This is largely due to the fact that if a password is complex but shorter than NIST guidelines, there is a greater possibility it can be cracked through random generation. Beyond this, NIST also cites that longer passwords are easier for end users to remember than more complex ones.

How Does JumpCloud Support NIST SP 800-63?

As IT organizations move to support NIST’s memorized secrets guidance, JumpCloud’s cloud directory platform can be a valuable tool in meeting these requirements. JumpCloud is a comprehensive cloud directory platform to manage user identities, access, and devices. 

For example, JumpCloud allows IT admins to configure their organization’s password policies to meet the requirements laid out by NIST 800-63. IT admins have full control over password length, complexity, number of password attempts before lockout, and previous passwords. Password expiration can be set or disabled, and the cloud directory does not use password hints. 

IT admins can employ the JumpCloud platform to enforce MFA/2FA across their devices, applications, infrastructure, and VPNs through RADIUS. TOTP services such as Google Authenticator, Duo Security’s push notification-based MFA, and universal second factor keys through WebAuthn, are the sole methods for MFA/2FA with JumpCloud. 

Try JumpCloud Free

If your organization needs to support NIST’s memorized secrets guidelines from the SP 800-63B document, please give our cloud directory platform a try. Your first 10 users and systems in the platform are completely free, and you can employ 24×7 live chat support in your first 10 days to help get you started.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter