NIST’s guidance for memorized secrets can be an important part of an IT organization’s effort to meet federal identity requirements. Federal agencies are required to follow it, and many other organizations adopt it voluntarily as a baseline for strong security hygiene. Whatever your purview, this blog post is intended as a review of NIST SP 800-63’s guidance for memorized secrets.
What are NIST SP 800-63 Memorized Secrets?
NIST has introduced more modern password policies in its Digital Identity Guidelines, the SP 800-63 series of documents. The authentication volume, SP 800-63B, contains the requirements for memorized secrets, the guideline’s term for passwords and PINs (Section 5.1.1). There has been much debate in the IT security community about how passwords should be handled: some argue that password length matters most, while others have argued that requiring complexity (mixed character classes) is the sounder approach.
Complex Passwords or Longer Passwords?
While NIST does not completely settle the differing viewpoints, its recommendations steer IT organizations toward longer passwords with no complexity rules. Interestingly, NIST does not rely only on numerical strength, for example how long a password would take to guess or crack offline, but also on how people actually behave: complex passwords are harder to remember, so users write them down or fall back on predictable patterns (a capitalized word, a digit or “!” appended at the end) that cracking tools already anticipate. This erodes the security value complexity requirements were supposed to add in the first place.
NIST SP 800-63 Password Recommendations
NIST’s SP 800-63B requirements for memorized secrets, whether chosen by the user or generated by the system, are summarized below:
- Minimum of 8 characters when the user chooses the secret
- Minimum of 6 characters when the CSP or verifier generates it randomly (such secrets may be entirely numeric)
- Accept user-chosen secrets of at least 64 characters
- Accept all printing ASCII characters and the space character; Unicode characters should be accepted as well, with each code point counted as one character
- Never truncate the secret when processing it
- Compare the chosen secret against a list of commonly used, expected, or compromised values (breached-password dumps, dictionary words, repetitive or sequential strings, the service name or username) and reject it if it matches
- Limit consecutive failed attempts on a single account to no more than 100 before the verifier throttles or locks it
- Store secrets only as salted hashes produced by an approved one-way key derivation function (e.g. PBKDF2) with a salt of at least 32 bits, never in plaintext or reversible form
- No composition (complexity) rules, such as requiring a mix of character types
- No arbitrary or periodic expiration; a change is forced only when there is evidence of compromise
- No password hints accessible to an unauthenticated claimant
- No knowledge-based authentication prompts (e.g. “Who was your best friend in high school?”)
- SMS and voice delivery of one-time codes (the PSTN channel) is classed as restricted and discouraged for 2FA; prefer an authenticator app that generates OTPs (e.g. Google Authenticator)
As the list shows, NIST favors length over complexity. It also removes the side channels, hints and personal-knowledge questions, through which a password could be recovered or guessed without attacking the password itself.
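To make the list concrete, here is a small verifier-side implementation of the user-chosen-secret checks and the failed-attempt limit described above. It is an added example written for this review, not JumpCloud’s code and not anything published by NIST; the `BLOCKLIST` is a constructed six-entry stand-in for a real breached-password corpus, and the helper and class names are ours.

```python
"""Acceptance checks and a failure counter modelled on NIST SP 800-63B.

Added example for this review; not JumpCloud's code or NIST's. The
BLOCKLIST is a constructed stand-in for a real corpus of breached passwords
(a production deployment would query a large list such as a Have I Been
Pwned export instead).
"""
import unicodedata
from typing import Dict, List

MIN_LEN_USER_CHOSEN = 8  # 800-63B 5.1.1.1: user-chosen secrets, at least 8 characters
# Constructed sample of "commonly used, expected, or compromised" values.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def normalize(secret: str) -> str:
    """Apply NFKC before counting or hashing, as 800-63B recommends, so that
    'ä' typed as one code point and as 'a' + combining diaeresis compare equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for runs such as 'aaaaaaaa', '12345678' or 'hgfedcba'; 800-63B
    lists these as values a verifier may reject."""
    if len(set(s)) == 1:
        return True
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, username: str = "", service_name: str = "") -> List[str]:
    """Return the list of reasons a user-chosen secret would be rejected.

    An empty list means the secret is acceptable. Deliberately absent, per
    800-63B: composition rules (uppercase/digit/symbol quotas), an upper bound
    below 64 characters, and any truncation of the input.
    """
    reasons = []
    secret = normalize(candidate)
    # Length is measured in Unicode code points after normalization, never in bytes.
    if len(secret) < MIN_LEN_USER_CHOSEN:
        reasons.append(f"shorter than {MIN_LEN_USER_CHOSEN} characters")
    lowered = secret.lower()
    # Case-insensitive match is a design choice here; it catches 'Password' too.
    if lowered in BLOCKLIST:
        reasons.append("appears on the compromised/common password list")
    # Context-specific words: the username and the service name.
    for ctx in (username, service_name):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word {ctx!r}")
    if is_repetitive_or_sequential(secret):
        reasons.append("repetitive or sequential characters")
    return reasons


class AttemptLimiter:
    """Per-account consecutive-failure counter.

    800-63B 5.2.2 requires the verifier to limit consecutive failed attempts
    on a single account to no more than 100; a real deployment would also add
    delays or CAPTCHAs well before that point and persist the counter.
    """
    MAX_CONSECUTIVE_FAILURES = 100

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)  # a successful login resets the run
        else:
            self._failures[account] = self._failures.get(account, 0) + 1

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.MAX_CONSECUTIVE_FAILURES


if __name__ == "__main__":
    # Constructed inputs: a passphrase, a blocklisted word, a sequence, and a
    # decomposed Unicode string that is only 7 code points after NFKC.
    for pw in ["correct horse battery staple", "Password", "12345678", "pa\u0308sswo\u0308r"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note what the checker does not do: it never rejects a long passphrase, never demands a digit or symbol, and never counts the secret in bytes, so a user who types a 60-character sentence with accented letters is accepted as NIST intends, while "Password" is turned away by the blocklist rather than by a composition rule.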
Support NIST SP 800-63 Guidelines with Cloud IAM
If you would like to put NIST’s password guidelines into effect in your organization, take a look at JumpCloud® Directory-as-a-Service®. This cloud IAM platform is well suited to supporting the SP 800-63B guidance for memorized secrets. With password requirements built into the platform, IT organizations can set rules for user passwords based on length, complexity, age, and reuse, so it is possible to follow NIST’s guidance by enforcing a minimum length with no complexity requirement and no expiration period. If your own policy calls for a longer minimum, or for composition rules beyond what NIST recommends, you have the flexibility to set those as well.
Once passwords are set within JumpCloud, they can be used to authenticate to systems (Windows®, Mac®, Linux®), cloud and on-prem servers (e.g. AWS®, GCP™, Azure®), web and on-prem applications via LDAP or SAML, physical or virtual storage (e.g. Samba file servers, NAS devices, Box), and wired and WiFi networks via RADIUS. IT can manage password requirements centrally and strengthen identity security by using a directory that connects a user’s identity to all of their resources.
Learn More About How JumpCloud Supports NIST
If you would like to find out more about password management after reading this review of NIST SP 800-63 Memorized Secrets, drop us a note. You are also invited to start testing our identity security features by signing up for a free account. You’ll be able to explore all of our features, and your first ten users are free forever.