BSidesLV 2016 has ended
Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Back To Schedule
Tuesday, August 2 • 11:00 - 11:50
Toward Better Password Requirements

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

While we often discuss examples of poor password requirements, it’s also useful to consider a sample set of good requirements and practices. NIST Special Publication 800-63, which defines authentication requirements for Federal Government agencies, is currently being revised and seeks to establish requirements that are aligned with current understanding of threats and user behavior. This talk will discuss the rationale for these changes and opportunities for comment.

As authentication threats have evolved and we have learned more about user behavior, what were considered best practices several years ago are no longer current. For this reason, guidance on user authentication needs periodic revision. NIST Special Publication 800-63, which sets technical requirements for authentication and identity proofing by the Federal Government, is currently in the process of such a revision.

SP 800-63B, subtitled “Authentication and Lifecycle Management”, is a new document dealing specifically with user authentication. It changes the requirements for memorized secrets (passwords) in several ways:
- Emphasis on long, memorable passwords
- No use of composition rules
- No hints and prompts (name of first pet, etc.)
- Use of dictionary of compromised passwords to disallow poor choices
- No arbitrary (e.g., periodic) password changes

Beyond the realm of passwords per se, SP 800-63B also clarifies and strengthens the requirements for two-factor authentication and account recovery. The use of SMS (text messaging) as an out-of-band authentication mechanism has been deprecated due to security issues that have been seen with this technique. Requirements for account recovery have also been strengthened, in an effort to avoid having account recovery act as an authentication back door, particular for two-factor authentication.

avatar for Jim Fenton

Jim Fenton

Internet Technologist, Altmode Networks
Jim Fenton is a consultant and researcher with a focus on user-centric identity, messaging, and Internet privacy and security issues. His primary consulting focus is currently in the area of user authentication standards, currently supporting the National Institute of Standards and... Read More →

Tuesday August 2, 2016 11:00 - 11:50 PDT
Passwords16 Tuscany