15

I have read:

  • PCI DSS 1.2
  • SOX 404
  • AR 25-2
  • ISO 27001

But only PCI DSS specifies a minimum password length.

Are there any other regulations that dictate password lengths for any industry?

NIST documents talk about the impacts of certain lengths and complexities [NIST SP 800-63b now provides guidance on password length]. OWASP, SANS, and others give their opinions on password minimums, but they couldn't be considered official.

Not looking for recommendations or impacts of various lengths, but actual regulations that require a certain length. For the purposes of this question, it doesn't even matter if the regulations are good or not, just some regulatory body saying that passwords must be at least a certain length.

schroeder
  • 123,438
  • 55
  • 284
  • 319

6 Answers6

14

I believe the National Institute of Standards and Technology (NIST) publishes the United States Government Configuration Baseline (USGCB, formerly known as Federal Desktop Core Configuration or FDCC) checklists, which specify the password complexity, lifetime, and history requirements for U.S. federal organizations. Also, the Center for Internet Security (CIS) publishes Benchmarks for various platforms, which include similar recommendations.

Between the two, the highest mark is:

  • 12 characters minimum.
  • At least three character types.
  • Expiration in 60 days.
  • Minimum lifetime of 1 day.
  • No reuse within 24 passwords.
  • Some OS-specific additional requirements may be applied.

Those settings are applied at the OS level. I'm not sure if either organization has similar specifications specifically targeting applications or websites, but most organizations which are subject to these will probably just use the same requirements as they do in the OS.

A Google search for any of the above terms should turn up a wealth of information. (I may add links here myself later, or anyone else is free to edit them in.)

schroeder
  • 123,438
  • 55
  • 284
  • 319
Iszi
  • 26,997
  • 18
  • 98
  • 163
  • USGCB is not a regulation; it is a standard. Some US federal agencies _may_ be required to comply with USGCB. – MCW Jan 27 '14 at 15:25
  • 2
    Note that the NIST requirements were significantly revised in August 2017, so this answer may no longer be fully correct. – Joel Coehoorn Apr 13 '18 at 18:57
12

To be honest the "official documentation" for all of these standards is incomplete, and as a CISSP in the industry it's really annoying.

How I look at it is that no one is going to approve you if you have known vulnerabilities in your software, period. The authority for this is the Community Emergency Response Teams (CERT), and CERTs issue CVE numbers for vulnerabilities. All CERTs use the Common Weakness Enumeration system to classify vulnerabilities in software.

There is CWE-521 - Weak Password Requirements which lists the following:

  1. Minimum and maximum length;
  2. Require mixed character sets (alpha, numeric, special, mixed case);
  3. Do not contain user name;
  4. Expiration;
  5. No password reuse.

It should be noted that the CWE system is a tree, and the parent of CWE-521 is CWE-255 credentials management.

AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
rook
  • 46,916
  • 10
  • 92
  • 181
  • Right. SOX, AR 25-3, and ISO 27001 all state that there needs to be a minimum and maximum enforced, but just the PCI-DSS that actually says what the minimum should be. – schroeder Jan 18 '12 at 02:51
  • 2
    @schroeder The PCI-DSS is really ambiguous especially when it comes to cryptography. This was a standard created to place blame on vendors when things go wrong, and it doesn't really care if your system is secure. – rook Jan 18 '12 at 07:20
  • 1
    Some things which are also not taking into account is that when users need to change their password regularly they often use patterns or just write their password down next to their desk. – Lucas Kauffman Jan 18 '12 at 10:54
  • 1
    @Rook +1 PCI has almost nothing to do with security its a standard for auditors to decided whom to blame. – Jim B Jan 18 '12 at 17:21
  • 2
    How on earth does a *maximum* password length improve security under any circumstances? Just yesterday I was changing my live.com password and they give you all this stuff about security being so important to them blah blah blah, but then they cap password lengths at 15 characters. – Mike Feb 12 '13 at 18:08
  • @Mike Hash functions are heavy (and KDF functions for passwords are the heaviest of hash functions), if you supply an excessively large string you will consume resources, which is ripe for a DDoS. – rook Feb 12 '13 at 19:34
  • 1
    @Rook Good point. However hashing a 15 character password or a 1000 char password isn't going to really make a big difference. But I guess there should be *SOME* limit enforced, just nothing even close to being in the range of what 99.99% of normal users would provide. – Mike Feb 12 '13 at 20:28
4

Since you are looking for ANY regulatory body, whether applicable to you or not, Department of Defense Instruction 8500.2, Information Assurance Implementation states:

For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Purge
  • 1,996
  • 2
  • 14
  • 26
  • 3
    I'd love to know how they technically enforce that last requirement without storing passwords in a cleartext form, or with reversible encryption - both of which generally should not be done. – Iszi Jan 27 '12 at 14:45
  • 3
    Agreed entirely. From my experience, some of the DoD guidance is either outdated, or written by technical writers who have no true knowledge of the implementation hurdles their policies face. Therefore some of the stuff in these regulations end up being waivered for security best practices. Not to mention DoD is moving away from user/password wherever possible. – Purge Jan 27 '12 at 14:52
  • 8
    @Iszi Easy. When changing passwords, prompt the user for their previous one. – Mike Feb 12 '13 at 18:10
2

NIST SP 800-63b [in draft] now provides detailed guidance for passwords at different levels of authentication levels.

A Memorized Secret (a.k.a 'password') SHALL be at least 8 characters in length if chosen by the subscriber; memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric.

schroeder
  • 123,438
  • 55
  • 284
  • 319
1

The best regulation I've seen in regards to password complexity is in the CIS guidelines which are referred to by other regulations. But even they say "The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." An example from here https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf

6.3.2 Set Password Creation Requirement Parameters Using pam_pwquality (Scored)

Profile Applicability:

  • Level 1

Description: The pam_pwquality module checks of the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.

  • try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
  • retry=3 - Allow 3 tries before sending back a failure.

The following options are set in the /etc/security/pwquality.conf file:

  • minlen=14 - password must be 14 characters or more
  • dcredit=-1 - provide at least 1 digit
  • ucredit=-1 - provide at least one uppercase character
  • ocredit=-1 - provide at least one special character
  • lcredit=-1 - provide at least one lowercase character
  • 2
    Technically, the CIS guidelines are not a regulation, as you say. The problem I had (and still have) is to find definite regulations saying "passwords *must* be ...." As you point out, regulations are very non-regulatory in the specifics. – schroeder Apr 01 '16 at 15:39
1

Most of the federal regulations are ambiguous on purpose. They say you have to be secure but don't give you specific instructions on how. PCI-DSS is a Contract that you have to sign in order to do business using Credit Cards. Because of things like the Fair Credit Reporting Act that puts the burden of stolen credit card transactions on the Credit Card companies, you bet your butt they are going to be very specific and measurable.

To answer your question directly, no, I am not aware of any other regulation or contract that specifies measurable security controls other then PCI-DSS. Most of the answers listed are things that you/your company can prescribe to but not they are not required. PCI-DSS, HIPAA, SOX, GLBA are required depending on whether you are dealing with Credit Card, Health Info, Publicly Traded or Financial. There may be some Statutory or International laws that you would have to consider and those can be very specific and/or very confusing. Especially in Canada when you try to figure out if you have to enforce privacy controls based on National, Provincial regulation or some Ministry via contract.

TildalWave
  • 10,801
  • 11
  • 45
  • 84