What's more annoying than having to change your password regularly? If you work for an American company, for example, you are probably required to change it every three months, and the company also dictates what the password can and cannot contain. The standards body has now declared that most of these password rules are outdated and unnecessary.
The National Institute of Standards and Technology (NIST) has proposed a new credential standard it hopes to adopt. A second draft of Special Publication 800-63-4 has been posted on the NIST website, awaiting public feedback on the proposed password and authentication guidance.
The outline of the standard is concise and to the point, but it runs against the annoying password regimes adopted by many companies and institutions: forced password resets, restrictions on which characters may be used, mandatory character combinations, and security questions. These requirements are largely unnecessary. They are a relic from a time when the internet was new and most people did not understand basic security hygiene.
As Microsoft points out in its 2019 Security Baseline, many of these rules actually promote bad security habits. For example, requiring employees to change their passwords frequently encourages them to use weaker passwords that are easier to remember or create, and therefore easier to crack. The U.S. Federal Trade Commission agrees.
The same goes for rules that require specific characters, such as "Passwords must contain at least eight characters, including at least one uppercase and lowercase letter, one special symbol (such as punctuation), and at least one number." These strict restrictions often lead people to use passwords like BigToe@1 (a former colleague actually used this password).
While anyone is free to read and comment on SP 800-63-4, it is a challenging read because of the bureaucratic jargon and lengthy explanations. The organization considers it necessary to include a section defining the meaning of "shall," "shall not," "should," "should not" and other simple terms. The document essentially boils down to nine requirements and recommendations.
Password verifiers and credential service providers (CSPs):
Must require passwords to be at least 8 characters long, and should require at least 15.
Should permit a maximum password length of at least 64 characters.
Should accept all printing ASCII characters and the space character in passwords.
Should accept Unicode characters in passwords, counting each Unicode code point as one character when evaluating password length.
Must not impose any other composition rules on passwords (such as requiring a mixture of different character types).
Must not require users to change their passwords periodically. However, if there is evidence that the authenticator has been compromised, the verifier should force a password change.
Must not allow users to store a hint that is accessible to an unauthenticated claimant.
Must not prompt users to use knowledge-based authentication (KBA) (such as "What was your first pet's name?") or security questions when choosing a password.
Should verify the entire submitted password (i.e. not truncate it).
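As an added example (not code from the article or from NIST), here is the list above turned into a verifier-side check in Python: length is the only rule and is counted in Unicode code points, the full password is hashed so nothing is truncated, and the composition rule the article quotes is kept alongside only for contrast. The NFKC normalization step, the scrypt parameters and the sample passwords are my assumptions, not the draft's.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Thresholds are the draft's numbers: 8 is the SHALL minimum, 15 the SHOULD
# minimum, 64 the smallest maximum a verifier SHOULD allow.
MIN_LEN, RECOMMENDED_LEN, MAX_LEN = 8, 15, 64
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # constructed parameters

def legacy_rule_ok(password: str) -> bool:
    """The composition rule the article quotes (8+ chars with upper, lower,
    digit and symbol). Shown only for contrast with the draft's checks."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def normalize(password: str) -> str:
    # Assumption: NFKC so visually identical Unicode input compares equal.
    return unicodedata.normalize("NFKC", password)

def nist_rule_check(password: str) -> tuple[bool, str]:
    """Accept or reject per the nine points: length only, counted in Unicode
    code points; printing ASCII, space and any Unicode character are allowed
    and no character-mix requirement is applied."""
    n = len(normalize(password))  # Python str length == code points
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} code points"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} code points"
    if n < RECOMMENDED_LEN:  # a stricter profile would raise MIN_LEN to 15
        return True, f"accepted ({RECOMMENDED_LEN}+ recommended)"
    return True, "accepted"

def store(password: str) -> tuple[bytes, bytes]:
    """Salted scrypt over the entire normalised password, so the last
    character of a 64-character password still matters (no truncation)."""
    salt = os.urandom(16)
    pw = normalize(password).encode("utf-8")
    return salt, hashlib.scrypt(pw, salt=salt, **SCRYPT)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    pw = normalize(password).encode("utf-8")
    return hmac.compare_digest(hashlib.scrypt(pw, salt=salt, **SCRYPT), stored)
```

Note that `BigToe@1` satisfies the legacy composition rule yet falls short of the 15-character recommendation, while a four-word passphrase fails the legacy rule and passes the draft's check.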
Rule eight makes perfect sense, considering the wild assumption that there is no way a hacker could know or figure out the target's high school mascot or mother's maiden name. Rule seven, however, seems to be a "self-contradiction": you will only see the password hint once you are authenticated, but if you can't remember your password without the hint, you can't authenticate. Otherwise, these guidelines seem to be common sense, which I find is generally lacking.
NIST sets standards within the federal government and has no enforcement authority over private companies. For example, it ensures that all fire hydrants use standardized fittings and deliver the same amount of water wherever they are installed, and it sets maintenance standards as well.
Generally speaking, only government agencies and companies or organizations that deal directly with the government are obliged to comply with these rules. For example, the IRS must adopt NIST guidelines, but Meta can ignore them. Still, many NIST standards trickle down to private organizations in industries where the rules apply; the NIST Cybersecurity Framework is a good example.