The Trusted Identity Group at the National Institute of Standards and Technology released on March 31, 2017 a revised version of its Special Publication 800-63B, Authentication & Lifecycle Management. Although the NIST Guidance is only intended for Federal agencies, its influence is felt throughout the IT sector. Among its recommendations, this document addresses two security myths concerning passwords and updates current best practices.
First, the Publication states that passwords "SHOULD NOT ... be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator" (section 5.1.1.2).
Second, the Publication states that other a minimum length requirement "no other complexity requirements for memorized secrets SHOULD be imposed" (section 5.1.1.1) and "composition rules (e.g., mixtures of different character types)" SHOULD NOT be imposed on passwords (section 5.1.1.2).
The Publication defines:
The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.- Henry Park
No comments:
Post a Comment