Pub. 8 2019 Issue 3

The CommunityBanker 18 B A N K B Y T E S A ccount passwords are required for security and ac- countability but are often despised by users that must remember them and network administrators that must reset them when users ultimately forget after a long weekend or a donut-infused sugar coma. While recommendations have changed slightly over the years, the base settings remain the same: sufficient length to prevent easy guessing or cracking (currently around 14 characters), complexity levels to discourage the use of names and dictionary words (3 of 4 types of characters – uppercase, lowercase, numbers, or special characters), and password change cycles to force new passwords that are fully up-to-date with policy settings and not used anywhere else (30 – 90 days, typically). Problems arise, however, when users aren’t trained to rely on easy to remember passphrases such as “Passwords are lame!” but instead cling to the traditional “P@ssword01!” nonsense words that are difficult to remember, especially if users are correctly instructed to not write them down and the organization has not implemented password managers. The problem seems to worsen the more often passwords are changed. To address these issues, the National Institute of Standards and Technology (NIST) released Special Publica- tion 800-63B . Now, before the happy dance starts and password policies are updated to never require a change or enforce complexity, be aware that 800-63B contains recommendations, indicated by “should” and “should not,” as well as strict requirements, reflected by the use of “shall” and “shall not.” In other words, there are loose guidelines, much like the “code” in the much loved first Pirates of the Caribbean movie (we won’t mention the others), and rules that must be abided by for the standard to be met. Research into the recommendations will be left to the reader, but some of the important requirements are listed below (emphasis NIST): • Verifiers SHALL require subscriber-chosen memo - rized secrets to be at least 8 characters in length. • Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an un- authenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choos - ing memorized secrets. • When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compro- mised. For example, the list MAY include, but is not limited to: NIST 800-63B: A Future without Password Change Cycles?