The National Institute of Standards and Technology (NIST) is a US government agency that publishes recommendations for cybersecurity. The agency has released the new version of its Digital Identity Guidelines, and below you will find a summary.
The new guidelines address many password issues with new recommendations. The overall goal is to make passwords more secure.
Let's take a look at the new security recommendations.
Suggestions for new passwords
Logical password rules:
- Verifiers and CSPs SHOULD require passwords to be at least eight characters long and MUST require passwords to be at least 15 characters long.
- Authenticators and CSPs MUST allow a maximum password length of at least 64 characters.
- Verifiers and CSPs MUST accept all ASCII characters and the space character in passwords.
- Verifiers and CSPs MUST accept Unicode characters in passwords. Each Unicode code point MUST count as a single character when evaluating password length.
- Verifiers and CSPs MUST NOT enforce other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs MUST NOT require users to change passwords periodically. However, verifiers MUST enforce a change if there is evidence that the authenticator has been compromised.
- Authenticators and CSPs MUST NOT allow the subscriber to store a hint that is accessible to someone who is not authenticated.
- Verifiers and CSPs MUST NOT ask subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
- Verifiers MUST verify the entire password submitted (i.e., do not truncate it).
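The rules above translate almost directly into code. The following checker and verifier is an added example written for this summary; it is not NIST's code and not code from the original post. It takes the 8 and 15 character minimums and the 64 character maximum from the list above, measures length in Unicode code points as the guideline requires, enforces no composition rules, and hashes the whole password so that a truncated submission does not verify. The 256 character cap, the PBKDF2 work factor and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example implementing the password rules summarised above.
# Not NIST's code and not the page author's. The 8/15 minimums and the
# "at least 64" maximum come from the summary; the 256-character cap and
# the PBKDF2 parameters are assumptions chosen for this example.

ABSOLUTE_MIN = 8             # weaker minimum named in the summary
RECOMMENDED_MIN = 15         # stronger minimum named in the summary
MAX_LENGTH = 256             # assumed cap; the guideline demands at least 64
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def password_length(password: str) -> int:
    """Length in Unicode code points, as the guideline requires.

    Python's len() on a str counts code points: a precomposed 'é' (U+00E9)
    counts as one, the combining sequence 'e' + U+0301 counts as two.
    Counting UTF-8 bytes instead would over-count every non-ASCII character.
    """
    return len(password)


def check_password(password: str, min_length: int = RECOMMENDED_MIN) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately absent: composition rules (mixed case, digits, symbols),
    character-class bans (spaces and any Unicode are fine) and truncation.
    """
    if min_length < ABSOLUTE_MIN:
        raise ValueError(f"min_length must be at least {ABSOLUTE_MIN}")
    problems = []
    n = password_length(password)
    if n < min_length:
        problems.append(f"too short: {n} code points, minimum is {min_length}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} code points, maximum is {MAX_LENGTH}")
    return problems


def register(password: str) -> dict:
    """Hash the entire password (no truncation) with a fresh random salt."""
    violations = check_password(password)
    if violations:
        raise ValueError("; ".join(violations))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, submitted: str) -> bool:
    """Verify the whole submitted password with a constant-time digest compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    print(check_password("short"))                          # too short
    print(check_password("correct horse battery staple"))   # spaces are accepted
    print(check_password("πράσινο φεγγάρι δεκαπέντε"))      # Unicode, counted in code points
    print(check_password("aaaaaaaaaaaaaaa"))                 # no composition rule
    rec = register("x" * 72)
    print(verify(rec, "x" * 72), verify(rec, "x" * 64))     # whole password only
```

The two things most often got wrong in practice are visible here: length is counted with `len()` on the decoded string rather than on the encoded bytes, and `verify` feeds the complete submitted password into the hash, so a 72-character password cannot be matched by its first 64 characters.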
https://pages.nist.gov/800-63-4/sp800-63b.html