Description
Current requirement:
| # | Description | Level |
|---|---|---|
| 6.2.1 | Verify that user set passwords are at least 8 characters in length although a minimum of 15 characters is strongly recommended. | 1 |
Previously discussed in:
We made the current requirement based on this version:
Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
Now NIST SP 800-63-4 has been released, and it defines it as:
Verifiers and CSPs SHALL require passwords that are used as a single-factor authentication mechanism to be a minimum of 15 characters in length. Verifiers and CSPs MAY allow passwords that are only used as part of multi-factor authentication processes to be shorter but SHALL require them to be a minimum of eight characters in length.
So, to be aligned with NIST, we need to require:
- min length 15 if multi-factor authentication is not used
- min length 8 if multi-factor authentication is used
But there is no quick-and-easy fix here, as it could be a breaking change for v5.0.0.
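To make the gap between the two rules concrete, here is an added example (written for this note, not code from ASVS or from the issue) that checks a password against the current 6.2.1 threshold and against the quoted SP 800-63B-4 rule, and flags the passwords that would start being rejected after alignment. Counting Unicode code points after NFKC normalization is an assumption of the example, not something the issue states.

```python
import unicodedata

# Thresholds taken from the two requirement texts quoted above.
ASVS_CURRENT_MIN = 8               # current ASVS 6.2.1: at least 8 characters
NIST_63B4_MIN_SINGLE_FACTOR = 15   # SP 800-63B-4: password is the only factor
NIST_63B4_MIN_WITH_MFA = 8         # SP 800-63B-4: password used inside MFA


def char_count(password: str) -> int:
    """Length in Unicode code points after NFKC normalization.

    Assumption (not stated in the issue): the verifier normalizes with NFKC
    before counting, so a composed and a decomposed spelling of the same
    password get the same length. Counting UTF-8 bytes instead would inflate
    the length of non-ASCII passwords and accept ones that are too short.
    """
    return len(unicodedata.normalize("NFKC", password))


def passes_current_asvs(password: str) -> bool:
    """The rule ASVS 6.2.1 enforces today; MFA is not taken into account."""
    return char_count(password) >= ASVS_CURRENT_MIN


def passes_nist_63b4(password: str, used_with_mfa: bool) -> bool:
    """The rule the issue proposes aligning with: 15 if single-factor, 8 if MFA."""
    minimum = NIST_63B4_MIN_WITH_MFA if used_with_mfa else NIST_63B4_MIN_SINGLE_FACTOR
    return char_count(password) >= minimum


def newly_rejected(password: str, used_with_mfa: bool) -> bool:
    """True when a password is accepted under current ASVS but would be
    rejected after aligning with NIST: this is the breaking-change surface."""
    return passes_current_asvs(password) and not passes_nist_63b4(password, used_with_mfa)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, mfa in [("short1pw", False), ("short1pw", True), ("pa\u0308sswo\u0308rd", False)]:
        print(repr(pw), "mfa=%s" % mfa, "newly rejected:", newly_rejected(pw, mfa))
```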