[Cryptography] NIST SP 800-63-3

Arnold Reinhold agr at me.com
Thu Aug 10 11:50:45 EDT 2017


The final version of NIST SP 800-63-3 "Digital Identity Guidelines" was finally published on June 22, in four volumes. Volume B, Authentication and Lifecycle Management, Section 5.1.1.2 has a lot of interesting things to say about passwords and pass phrases, though it calls them “memorized secrets” which perpetuates the quaint idea that people will memorize all or even most of the passwords they use. Like many standards 63B has both mandates, recommendations and allowances (SHALLs and SHOULDs and MAYs). 

On the topic of allowing the removal of spaces, which was discussed earlier on this list, the final version says:

   “To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length.”

That’s a lot better than the original text, which allowed total removal of space characters, though I would like to see evidence that adding extra spaces is a “likely mistyping.” 

Recommendations include
o Allowing passwords up to 64 characters, 
o Allowing all printable ASCII characters including space, 
o Allowing UNICODE characters with normalization, 
o Not requiring passwords to be changed periodically and 
o Not using composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters).

Among the mandates (SHALLS and SHALL NOTs):

o User-selected passwords must be 8 characters or longer 
o No truncation of passwords
o No password hints
o New passwords must be compared against a list of commonly-used, expected, or compromised passwords
o Limiting the rate and number of failed attempts (100 max) before a successful authentication.
o Use of encrypted channels for entering and changing passwords
o At least 32-bit salt

Perhaps the most important mandate is the following:

   “Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [FIPS 198-1], any approved hash function in SP 800-107, Secure Hash Algorithm 3 (SHA-3) [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [SP 800-185].”

NIST also recommends another layer of protection using a keyed hash with a secret key:

   “In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier. This salt value, if used, SHALL be generated by an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A (112 bits as of the date of this publication). The secret salt value SHALL be stored separately from the hashed memorized secrets (e.g., in a specialized device like a hardware security module). With this additional iteration, brute-force attacks on the hashed memorized secrets are impractical as long as the secret salt value remains secret.”

These are big and long-needed improvements. NIST is effectively saying that the use of a standard, fast cryptographic hash function, such as MD5 or the SHA series, by itself and even with salt is no longer acceptable for storing password validation data. A KDF that slows the hashing process must be used.

Of course NIST publications are only mandatory for the U.S. Federal Government. But other enterprises are now on notice that simply hashing passwords is no longer considered a safe way to protect the data. It’s about time we shifted the responsibility for password security from asking users to pick ever more complex passwords to requiring the organizations that request passwords to take reasonable precautions in storing validation data.

Arnold Reinhold
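
Added example, not part of the original post: a Python sketch of a verifier that follows the storage text quoted above (per-user salt, memory-hard KDF, then one extra KDF iteration keyed by a verifier-only secret salt) together with the space-collapsing allowance and the 8-character and blocklist mandates. Assumptions: scrypt stands in as the memory-hard function (the quoted text names PBKDF2 and Balloon), NFKC is the normalization form, and the cost parameters, blocklist and in-process secret salt are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Assumption: in production the secret salt is kept apart from the hash
# records (e.g. in an HSM); here it is generated in-process for the demo.
SECRET_SALT = secrets.token_bytes(32)            # 256 bits, above the 112-bit floor
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)       # illustrative cost parameters
BLOCKLIST = {"password", "12345678", "qwertyuiop"}  # constructed stand-in list

def normalize(pw):
    """Unicode-normalize, then collapse runs of spaces (the MAY allowance)."""
    pw = unicodedata.normalize("NFKC", pw)
    collapsed = re.sub(r" {2,}", " ", pw)
    # The allowance only applies if the result is still >= 8 characters.
    return collapsed if len(collapsed) >= 8 else pw

def _derive(pw, salt, secret_salt):
    # Memory-hard KDF over the password with the per-user salt ...
    inner = hashlib.scrypt(pw.encode("utf-8"), salt=salt, **SCRYPT)
    # ... then one additional KDF iteration using the verifier-only salt.
    return hashlib.pbkdf2_hmac("sha256", inner, secret_salt, 1)

def enroll(pw, secret_salt=SECRET_SALT):
    """Return (salt, hash) to store; the secret salt is never stored with them."""
    pw = normalize(pw)
    if len(pw) < 8:
        raise ValueError("memorized secret shorter than 8 characters")
    if pw.lower() in BLOCKLIST:
        raise ValueError("memorized secret is on the blocklist")
    salt = secrets.token_bytes(16)               # 128 bits, above the 32-bit minimum
    return salt, _derive(pw, salt, secret_salt)

def verify(pw, salt, stored, secret_salt=SECRET_SALT):
    candidate = _derive(normalize(pw), salt, secret_salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison
```

A stolen table of `(salt, hash)` pairs cannot be tested offline without the secret salt, which is why it has to live somewhere the hash database dump does not reach.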

