Updated Password Standards Based on NIST SP 800-63 Guidelines for 2025

STLRAxis Team

Introduction to NIST SP 800-63 Guidelines

The NIST SP 800-63 Digital Identity Guidelines, developed by the US National Institute of Standards and Technology (NIST), are a cornerstone for digital identity and authentication practices. These guidelines are mandatory for US government agencies and their contractors, but their influence extends globally, shaping the policies of major IT companies and beyond. The latest updates to these guidelines, refined through extensive public revisions, reflect the most current understanding of digital identification and authentication.

Key Updates in the 2025 Guidelines

The 2025 edition of NIST SP 800-63 introduces several significant updates, formalizing concepts and outlining new requirements for various authentication methods. Here are the key areas addressed:

Passkeys and Syncable Authenticators

Passkeys, referred to as “syncable authenticators” in the standard, are now formally recognized. These authenticators can be synchronized across devices, enabling seamless and secure user authentication experiences.

Phishing-Resistant Authentication

The guidelines emphasize the importance of phishing-resistant authentication methods. This includes the use of cryptographic authentication methods such as USB tokens, passkeys, and cryptographic keys stored in digital wallets. These methods must be stored in tamper-resistant systems to ensure their security.

User Storage of Passwords and Accesses

The standard introduces the concept of “attribute bundles,” which refers to the storage of user passwords and accesses. This approach aims to enhance security by bundling related attributes together, making it harder for unauthorized access to occur.

Regular Re-authentication

Regular re-authentication is now a recommended practice. This ensures that users are periodically verified, reducing the risk of long-term unauthorized access.

Session Tokens

The guidelines provide clear requirements for session tokens, ensuring that they are securely managed and protected against misuse.

Password Authentication Requirements

The NIST SP 800-63 guidelines define three Authentication Assurance Levels (AALs), with AAL1 being the least restrictive and AAL3 offering the strongest guarantees. Here are the key requirements for password authentication:

Password Length and Composition

  • Passwords shorter than eight characters are prohibited, with a minimum of 15 characters recommended.
  • Scheduled, mandatory password rotation is considered outdated and is prohibited.
  • Imposing specific composition requirements (e.g., including letters, numbers, and symbols) is also prohibited.
  • Passwords should allow the use of any visible ASCII characters, spaces, and most Unicode symbols, including emojis.

Password Management

  • Maximum password length, if enforced, must be at least 64 characters.
  • Truncating passwords during verification is prohibited; trimming leading or trailing whitespace is allowed only when that whitespace would otherwise interfere with authentication.
  • Using and storing password hints or security questions is prohibited.
  • Commonly used passwords must be eliminated through the use of a stop-list of popular or leaked passwords.
  • Compromised passwords must be reset immediately.
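A policy check that applies the rules listed above (minimum and maximum length counted in characters rather than bytes, no composition rules, no truncation, any printable character or emoji accepted, and a stop-list lookup). This is an added example, not code from the page or from NIST; the stop-list entries are constructed and the thresholds are the figures the page cites.

```python
import unicodedata

# Constructed stand-in for a real corpus of common or breached passwords.
STOP_LIST = {"password", "123456789012345", "letmein123456789"}

MIN_LENGTH = 8    # absolute floor; 15 is the recommended minimum
MAX_LENGTH = 64   # a maximum, if enforced, must be at least 64


def evaluate_password(candidate: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Length is measured in code points so that spaces, Unicode symbols and
    emoji each count as one character. No composition rule is applied and
    over-long input is rejected rather than truncated.
    """
    reasons = []
    # Only leading/trailing whitespace is trimmed; internal spaces are kept.
    pw = candidate.strip()
    # Normalise so visually identical Unicode input compares consistently
    # (NFKC is the normalisation form SP 800-63B names for this purpose).
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Control characters (category Cc) are the only class refused; format
    # characters such as the zero-width joiner used in emoji sequences stay.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        reasons.append("contains control characters")
    if pw.casefold() in STOP_LIST:
        reasons.append("appears on the stop-list of common or leaked passwords")
    return reasons
```

Pass `min_length=15` to enforce the recommended minimum rather than the floor.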

Login Attempts

  • Login attempts must be limited in both rate and number of unsuccessful attempts to prevent brute-force attacks.

Activation Secrets

Activation secrets, such as PINs and local passwords, restrict access to on-device key storage. The guidelines recommend:

  • A minimum length of six digits for numeric PINs, with four digits permissible for lower assurance levels.
  • For AAL3, the primary cryptographic secret must be stored in a tamper-resistant chip and decrypted using the activation secret.
  • For AAL1 and AAL2, the stored key must be protected from access by anyone other than the user, and entry of the activation secret must be limited to no more than 10 attempts.
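The attempt limiting required for password logins (rate and count) and the 10-try cap on activation-secret entry can share one mechanism. The class below is an added example, not code from the page or from NIST: it keeps a per-account sliding-window rate limit plus a hard cap on consecutive failures; the 60-second window and 5-per-window threshold are assumed values, the cap of 10 is the figure the page cites.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account limits on authentication attempts.

    Enforces both limits the guideline calls for: a sliding-window rate
    limit and a hard cap on consecutive failures. Window size and
    per-window count are assumptions; the cap of 10 matches the page.
    """

    def __init__(self, max_failures=10, window_seconds=60,
                 max_per_window=5, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.max_per_window = max_per_window
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)    # consecutive failures per account
        self.recent = defaultdict(deque)    # timestamps of attempts in window

    def _prune(self, account, now):
        q = self.recent[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, account: str) -> bool:
        """True if an attempt for this account may proceed right now."""
        now = self.clock()
        self._prune(account, now)
        if self.failures[account] >= self.max_failures:
            return False        # locked out: requires an out-of-band reset
        if len(self.recent[account]) >= self.max_per_window:
            return False        # too many attempts inside the window
        return True

    def record(self, account: str, success: bool) -> None:
        """Log the outcome of an attempt that allow() permitted."""
        self.recent[account].append(self.clock())
        self.failures[account] = 0 if success else self.failures[account] + 1


def attempt_many(throttle, account, count, success=False):
    """Make `count` attempts; return how many the throttle let through."""
    allowed = 0
    for _ in range(count):
        if throttle.allow(account):
            throttle.record(account, success)
            allowed += 1
    return allowed
```

Once the failure cap is reached, `allow()` stays false even after the window expires, so recovery must go through a separate reset path rather than by waiting.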

Multi-Factor Authentication (MFA)

The guidelines recommend implementing MFA at every AAL, with specific requirements for each level:

  • For AAL1, MFA is recommended but not mandatory.
  • For AAL2, MFA is mandatory.
  • For AAL3, only phishing-resistant MFA methods are acceptable.

Phishing-Resistant MFA Methods

  • Cryptographic authentication methods, such as USB tokens, passkeys, and cryptographic keys stored in digital wallets, are considered phishing-resistant.
  • These methods must be stored in tamper-resistant systems and can be synchronized across devices, provided each device meets the standard’s requirements.

Non-Phishing-Resistant MFA Methods

  • Time-based one-time passwords (TOTP) from authenticator apps, SMS codes, and one-time codes from scratch cards or envelopes are permitted for AAL1 and AAL2 services.
  • One-time codes should not be sent through email or VoIP but must be delivered over a separate communication channel from the primary authentication process.

Use of Biometrics

The standard permits biometrics only as an authentication factor and prohibits their use for identification. A biometric check must be a supplemental factor combined with proof of possession (e.g., a smartphone or token).

Biometric Requirements

  • Biometric equipment and algorithms must ensure a false match rate (FMR) no greater than 1 in 10,000 and a false non-match rate (FNMR) no greater than 5%.
  • These accuracy rates must be consistent across all demographics.
  • The verification algorithm must be resistant to presentation attacks.
  • Collected biometric data must be immediately deleted after generating and verifying a cryptographic “fingerprint.”

Input Rate and Attempts

  • Biometric checks must include limits on input rate and the number of unsuccessful attempts to prevent misuse.

By adhering to these updated guidelines, organizations can enhance their digital identity and authentication practices, ensuring a more secure and user-friendly experience for all.