usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Replace "Memorized Secret" with "Password" and number recommendations #324

Closed agreinhold closed 8 years ago

agreinhold commented 8 years ago

Organization: 2

Type: Researcher

Document (63-3, 63A, 63B, or 63C): 63B

Reference (Include section and paragraph number): 5.1.1 Memorized Secrets

Comment (Include rationale for comment): The name “Memorized Secret” begs the question of how passwords are actually retained by users. Virtually no person is capable of memorizing all the passwords they need for the dozens of accounts they access. Many experts now recommend that users write down their passwords (see e.g. http://www.zdnet.com/article/microsoft-write-down-your-passwords/) or use a password manager, rather than the more risky practice of using the same password on more than one account. I would suggest simply using the traditional term “password” in this document, with a note that the term includes PINs and pass phrases unless qualified otherwise. If “password” is not acceptable, I would suggest the more neutral “secret character string.”

Also this section of SP800-63B, and its subsections, includes several important (and valuable) changes from current standards and practices. Numbering them individually would facilitate discussion and compliance. ("We need to add implementation of NIST800-63B 5.1.1.1.6 to next year's budget." vs "We need to add implementation of the recommendation NIST800-63B 5.1.1.1 that says ...")

Suggested Change: The term “Memorized Secret” should be replaced by “Password” throughout the document.

Each distinct major recommendation in section 5.1.1 and its subsections should be numbered.


Organization: 1 = Federal, 2 = Industry, 3 = Other

jimfenton commented 8 years ago

The term "memorized secrets" was chosen to avoid some of the issues with the word password (such as that it is, in fact, a word) and to be inclusive of randomly-selected PINs and passphrases (which are typically longer). It also emphasizes that the value is a secret (not, for example, the name of one's pet). While users may not necessarily commit these memorized secrets only to memory, the term does emphasize that these are values that, in some quantity, should be able to be memorized. This is in contrast to keys, whose complexity makes them considerably less suitable for memorization (although, of course, not impossible). We will stick with the term.

SP 800-63 and subsequent editions have been around for quite some time, and I am not aware of any other requests to number the individual recommendations for reference. We will consider doing this if we receive a number of other requests to do so.