Background Image


Updates, Guidance, and Stories from the Urbane team.

Evolving NIST Password Guidance and PCI

Passwords are difficult. They have to be a certain length, use certain characters, change at certain intervals, and worst of all they have to be memorable. But the NIST Trusted Identities Group thinks that should change.

The new draft version of NIST’s Digital Identity Guidelines (SP 800-63-3) is in the process of being finalized. The sub-publication on Authentication & Lifecycle Management (800-63b) contains some interesting changes to password composition and management. The document uses the term “memorized secrets” to refer to passwords and PINs. Also, as this is still a DRAFT version, it is advisable to wait for the final publication to refer to before changing security policies.

The new recommendations in Section start with “Memorized secrets SHALL be at least 8 characters in length” and end with “No other complexity requirements for memorized secrets SHOULD be imposed”. That’s pretty much it!

Section also points out certain things that the memorized secret verifier shall/should NOT do:

  • SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant
  • SHOULD NOT impose other composition rules
  • SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)

There is plenty of analysis already published about why the new policy is a sound and reasonable change. So, let’s take a quick look at how this will impact complying with the PCI DSS password requirements.

The PCI DSS has always required a minimum password length and complexity. Many early adherents to the standard needed to increase their default password configurations to meet the composition requirements.

Requirement 8.2.3

Passwords/passphrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
  • Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above.

Beginning with the publication of PCI DSS v3.0, Merchants and Service Providers have had the freedom to define alternative password schemes. However, the burden was on the assessed entity to show how their alternative was as strong as the original requirements. Many organizations shied away from the additional work for various reasons.

Here’s the great part: The guidance provided by the PCI Standards Security Council in the DSS refers to the NIST standard!

For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.)

This reference will remove some of that burden and allow security teams to point to the NIST standards as their justification for simplifying password composition. Make sure to read Appendix A in 800-63B for additional information on memorized secret strength.

Here’s the not-so-great part:

Requirement 8.2.4

Change user passwords/passphrases at least once every 90 days.

The rotation requirement is separate from the complexity requirements and does not mention the ability to use alternative time periods (or no rotation at all, as recommended by NIST). To wholly adopt the NIST standard would mean writing a compensating control that proves the alternative password scheme will go above and beyond this requirement. It is likely the additional effort this would take was one of those reasons that kept groups from straying from the PCI baseline to begin with.

The remaining password-related requirements surround the verification of passwords and prevention of attacks on the verification system. The new guidelines do not materially affect these requirements.

The password changes in the new draft Authentication & Lifecycle Management standard are a positive step to more reasoned password management. However, it will be difficult to both follow NIST SP 800-63 and comply with the PCI DSS. Until the PCI requirements are clarified or realigned, the result is a wash. If the PCI DSS adopts the new password philosophy, the truly difficult part will be re-training all of our users about how to create a better password.

Disclaimer: I promised myself I would not to use the xkcd password webcomic for illustration purposes. Please don’t use ‘correcthorsebatterystaple’ as your new password.