
Align Password (and more generally authentication) section with NIST SP 800-63B-4 #27

Open
identitymonk opened this issue Oct 11, 2024 · 4 comments

Comments

@identitymonk

identitymonk commented Oct 11, 2024

There are some discrepancies in the guidance on the forms of authentication compared with https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.2pd.pdf

@pilcrowonpaper
Owner

pilcrowonpaper commented Oct 11, 2024

Can you be more specific?

@identitymonk
Author

As provided through the link:

  • The Copenhagen Book's password policy guidance is:

Passwords must be at least 8 characters long.
Do not set the maximum password length too low. Anywhere around 64-256 characters is a good maximum.
Do not silently modify or truncate the input.
All valid Unicode characters should be allowed, including whitespace.
Use libraries like zxcvbn to check for weak passwords.
Detect leaked passwords with APIs such as haveibeenpwned.

Plus:

Brute force attack protections in the form of MFA, IP-based throttling, and Captchas

  • NIST SP 800-63B-4 password policy guidance is:
  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it)

The diff is:

  • While a minimum length of 8 characters is mandatory, it is encouraged to require a minimum length of 15
  • Do not impose character composition rules
  • Do not require periodic password changes
  • Set in place evaluation of compromise of the password: rapid geo-switching, new device, etc. To that extent, notify users of any suspicion and use owner feedback (e.g. an "Is that you connecting from this new location?" message).

Also, the Password Reset section has no strong guidance against the usage of knowledge-based authentication.

Hope this is clearer.
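The password rules listed in the comment above, as an added example (not code from The Copenhagen Book or from NIST): length counted in Unicode code points with an 8-character floor and a maximum well above 64, no composition rules, a breach check done with the same SHA-1 prefix/suffix split the haveibeenpwned range API uses (against a constructed in-memory corpus here, so it runs offline), and verification of the entire submitted password. The constants, the breach corpus and the scrypt parameters are this example's assumptions.

```python
"""Password acceptance and verification aligned with the SP 800-63B-4 rules
quoted in the comment above.

Added illustration, not code from The Copenhagen Book or from NIST. The
breach corpus is a constructed in-memory stand-in for a leaked-password
service; a deployment would query e.g. the haveibeenpwned range API the same
way (5-hex-char SHA-1 prefix out, list of suffixes back) instead of the dict.
"""
import hashlib
import hmac
import os

MIN_LEN = 8           # SHALL require at least 8 characters
RECOMMENDED_MIN = 15  # SHOULD require at least 15 (surfaced as advice, not rejection)
MAX_LEN = 128         # SHOULD permit at least 64; 128 is this example's choice

TOO_SHORT = f"shorter than {MIN_LEN} characters"
TOO_LONG = f"longer than {MAX_LEN} characters"
BREACHED = "found in a known breach corpus"

# Constructed "breach corpus" for the example; real data comes from a service.
_CONSTRUCTED_BREACHED = {"password", "123456789", "correct horse battery staple"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way the k-anonymity range API does: 5-hex-char prefix
# -> set of 35-hex-char suffixes. A client only ever sends the prefix.
BREACH_RANGES: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _digest = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    digest = _sha1_hex(password)
    return digest[5:] in BREACH_RANGES.get(digest[:5], set())


def check_password(password: str) -> list[str]:
    """Return rejection reasons; an empty list means the password is accepted.

    Deliberately absent: composition rules (digits, upper case, symbols),
    security questions, and any trimming or silent modification of the input.
    An over-long password is rejected, never truncated.
    """
    reasons: list[str] = []
    # len() counts Unicode code points, as the length rule requires; do not
    # measure the UTF-8 byte length or the rendered width.
    length = len(password)
    if length < MIN_LEN:
        reasons.append(TOO_SHORT)
    elif length > MAX_LEN:
        reasons.append(TOO_LONG)
    if is_breached(password):
        reasons.append(BREACHED)
    return reasons


def below_recommended_length(password: str) -> bool:
    """True when the password is allowed but shorter than the SHOULD minimum."""
    return MIN_LEN <= len(password) < RECOMMENDED_MIN


def _derive(password: str, salt: bytes) -> bytes:
    # The whole UTF-8 encoding goes into the KDF: nothing is truncated, in
    # contrast to e.g. bcrypt's 72-byte input limit.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest) for an accepted password."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Verify the entire submitted password, comparing in constant time."""
    return hmac.compare_digest(_derive(password, salt), digest)


if __name__ == "__main__":
    for candidate in ["short", "password", "😀" * 8, "пароль для входа", "a" * 129]:
        print(repr(candidate), check_password(candidate) or "accepted")
```

Two things worth noticing when running it: eight emoji are accepted because each is one code point, regardless of byte length, and two 100-character passwords that differ only at the last position verify differently, which is exactly the case a verifier that truncates would get wrong.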

@pilcrowonpaper
Owner

Thanks! Honestly we could just get rid of the zxcvbn recommendation. And I was planning to add the notify user recommendation.

The brute force section talks about MFA but do you think we should put more emphasis on it?

@identitymonk
Author

MFA is a good fallback (increase friction if assurance in the transaction decreases).

Now the core function should be around analytics of Authentication events.
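What "analytics of authentication events" can look like in practice, as an added example that is not part of the thread or of The Copenhagen Book: each login event is scored for a new device, for impossible travel since the last successful login (the "rapid geo-switching" signal mentioned earlier), and for a burst of failures from one IP; a successful credential check on a risky event triggers an MFA step-up and an owner notification rather than an immediate session. The thresholds, the device identifier, the IP geolocation and the sample events are all constructed assumptions for this example.

```python
"""Risk signals over authentication events: new device, impossible travel and
per-IP failure throttling, with MFA as the step-up when assurance drops.

Added illustration, not code from The Copenhagen Book. The thresholds, the
device identifier, the IP geolocation and the sample events are assumptions
constructed for this example.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

IMPOSSIBLE_SPEED_KMH = 1000.0  # assumption: faster than an airliner, so not one person
IP_FAIL_LIMIT = 5              # failures per IP inside the window before throttling
IP_FAIL_WINDOW_S = 600


@dataclass(frozen=True)
class LoginEvent:
    ts: float            # seconds since epoch
    account: str
    ip: str
    device_id: str       # e.g. a device cookie; assumed to exist
    lat: float           # geolocation of the client IP
    lon: float
    credential_ok: bool  # result of the password check itself


@dataclass
class AccountState:
    known_devices: set = field(default_factory=set)
    last_success: Optional[tuple] = None  # (ts, lat, lon)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class AuthAnalytics:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = defaultdict(AccountState)
        self.ip_failures: dict[str, list[float]] = defaultdict(list)

    def signals(self, ev: LoginEvent) -> list[str]:
        found: list[str] = []
        recent = [t for t in self.ip_failures[ev.ip] if ev.ts - t < IP_FAIL_WINDOW_S]
        self.ip_failures[ev.ip] = recent
        if len(recent) >= IP_FAIL_LIMIT:
            found.append("ip_throttle")
        acct = self.accounts[ev.account]
        if acct.known_devices and ev.device_id not in acct.known_devices:
            found.append("new_device")
        if acct.last_success is not None:
            t0, lat0, lon0 = acct.last_success
            hours = (ev.ts - t0) / 3600.0
            km = haversine_km(lat0, lon0, ev.lat, ev.lon)
            if hours > 0 and km / hours > IMPOSSIBLE_SPEED_KMH:
                found.append("impossible_travel")
        return found

    def process(self, ev: LoginEvent) -> tuple[str, list[str]]:
        """Return (decision, signals); decisions: throttled, denied, step_up_mfa, allow."""
        found = self.signals(ev)
        if "ip_throttle" in found:
            return "throttled", found  # refuse before the credential result matters
        if not ev.credential_ok:
            self.ip_failures[ev.ip].append(ev.ts)
            return "denied", found
        if "new_device" in found or "impossible_travel" in found:
            # Assurance dropped: add friction and ask the owner
            # ("Is that you connecting from this new location?").
            return "step_up_mfa", found
        self._record_success(ev)
        return "allow", found

    def step_up_passed(self, ev: LoginEvent) -> None:
        """Call once the MFA challenge succeeds; only then trust the device."""
        self._record_success(ev)

    def _record_success(self, ev: LoginEvent) -> None:
        acct = self.accounts[ev.account]
        acct.known_devices.add(ev.device_id)
        acct.last_success = (ev.ts, ev.lat, ev.lon)


# Constructed sample coordinates and events for the demonstration.
CPH = (55.676, 12.568)
SYD = (-33.868, 151.209)


def demo() -> list[str]:
    engine = AuthAnalytics()
    out = []
    # alice enrols her laptop from Copenhagen, then "logs in" from Sydney 30 min later.
    out.append(engine.process(LoginEvent(0, "alice", "203.0.113.5", "laptop-1", *CPH, True))[0])
    out.append(engine.process(LoginEvent(1800, "alice", "198.51.100.9", "phone-2", *SYD, True))[0])
    # one IP hammering bob's account: five failures, then a sixth try with the right password.
    for i in range(5):
        out.append(engine.process(LoginEvent(10 + i, "bob", "192.0.2.77", "dev-x", *CPH, False))[0])
    out.append(engine.process(LoginEvent(20, "bob", "192.0.2.77", "dev-x", *CPH, True))[0])
    return out


if __name__ == "__main__":
    print(demo())
```

The device is only added to the trusted set after the step-up succeeds; recording it on the risky event itself would let an attacker who guessed the password turn a flagged login into a trusted device.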
