Password best practice is changing. Two of the important governmental standards bodies, CESG in the UK and NIST in the US, have issued or are about to issue new guidance.
The CESG Guidance is now published, and makes a series of “tips” for managing and designing password systems.
The NIST Guidance is in draft format and is more prescriptive in its requirements. The SHALLs and MAYs are there, but the context and reasoning behind them are important and worth understanding.
Both revisions are focused on making passwords usable for people and have the following characteristics:
- Length is more important than complexity. The days of “must include numbers, letters, mixed cases, and four symbols from the DaVinci Code” have gone. However, all characters should be permitted within the password. Longer passwords (up to 64 characters in the case of NIST) should be possible.
- Passwords proposed by the user should be checked against a blacklist and matches rejected. There is no recommended blacklist, however using available password dictionaries may be a good start.
- Allow the use of password management tools: allow users to paste passwords into the entry fields.
- No default passwords. No sharing of passwords between users.
- Limit the rate at which users can attempt to log in, rather than the number of attempts. This reduces the possibility of brute-forcing an account, and it also reduces the number of account lockouts that require an account reset (a form of Denial of Service). Combine this with threat detection that flags multiple failed login attempts against an account, reports them and acts on them.
- Store passwords properly. Never store the password itself; store only a suitably salted, stretched and hashed value derived from it.
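The list above maps directly onto a small amount of code. The following is an added example, not code from either guidance document, showing the length-and-blacklist check (no composition rules, every character allowed, 64-character ceiling), salted and stretched storage with PBKDF2-HMAC-SHA256, a per-account rate limiter that throttles instead of locking out, and a simple alert after repeated failures. The minimum length, iteration count, blacklist contents, NFKC normalisation and the `AuthService` wrapper are my own assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata
from collections import defaultdict, deque

# Policy constants: MIN_LEN and the iteration count are assumptions for this
# example; MAX_LEN follows the 64-character figure quoted for NIST.
MIN_LEN = 8
MAX_LEN = 64
PBKDF2_ITERATIONS = 100_000   # stretching factor, tune to your hardware
SALT_BYTES = 16

# Constructed blacklist. A real deployment loads a large leaked-password list.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def _normalize(password):
    # NFKC (my addition) so the same password typed on different keyboards
    # compares equal; the guidance itself only asks that all characters be allowed.
    return unicodedata.normalize("NFKC", password)


def validate_password(candidate):
    """Length and blacklist checks only; no 'must contain a symbol' rules."""
    candidate = _normalize(candidate)
    if len(candidate) < MIN_LEN:
        return False, "too short"
    if len(candidate) > MAX_LEN:
        return False, "too long"
    if candidate.lower() in BLACKLIST:
        return False, "blacklisted"
    return True, "ok"


def hash_password(password):
    """Self-describing record: algorithm, iterations, fresh random salt, digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute from the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:           # malformed record
        return False


class LoginRateLimiter:
    """Sliding window per account: at most max_attempts per window_seconds.
    Nothing is ever locked; attempts simply age out. Clock is injectable."""

    def __init__(self, max_attempts=5, window_seconds=60.0, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self._attempts = defaultdict(deque)

    def allow(self, username):
        now = self.clock()
        recent = self._attempts[username]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return False             # throttled; not counted as an attempt
        recent.append(now)
        return True


class AuthService:
    """Ties the checks together and raises an alert after repeated failures."""

    def __init__(self, limiter, alert_threshold=3):
        self.records, self.limiter = {}, limiter
        self.alert_threshold = alert_threshold
        self.failures, self.alerts = defaultdict(int), []

    def register(self, username, password):
        ok, reason = validate_password(password)
        if ok:
            self.records[username] = hash_password(password)
        return ok, reason

    def login(self, username, password):
        if not self.limiter.allow(username):
            return "throttled"
        stored = self.records.get(username)
        if stored is not None and verify_password(password, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] == self.alert_threshold:
            self.alerts.append(f"{self.alert_threshold} failed logins for {username}")
        return "denied"
```

Note that a throttled request is rejected before the stored hash is touched and is not recorded as an attempt, so the window never grows while the account is being throttled; the stored record carries its own salt and iteration count, so the stretching factor can be raised later without invalidating existing records.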
