NIST Password Best Practice Checklist
NIST or National Institute of Standards and Technology has established itself as a authority figure for best practices on security and securing identities, password protection, and much more.
While developing new systems web application security is essential.
Brief summary overview of 800-63 guidelines in a checklist. If you want to read the full guidelines NIST Special Publication 800-63 guidelines for 2019
NIST Password Summary Checklist
Characters
Support at least 64 characters maximum length including all ASCII characters within password.
Minimum characters: 8 when set by a human and 6 whencreated by a system.
Avoid
Avoid password hints and knowledge-based authentication like your first dog.
Avoid password expiration period
LockOut
Allow a minimum of 10 password attempts before lockout
No SMS for 2FA
No SMS for 2FA
Consider using an app like Google Authenticator.
Password Dictionaries
Check password against known password dictionaries.
Related Checklists
NIST Password Best Practice Checklist
NIST or National Institute of Standards and Technology has established itself as a authority figure for best practices on security
Password Protection Checklist
Protect data with password protection on all your devices, laptops, computers, tablets and smartphones
Web Application Security: Passwords Checklist
Web Application Security: Passwords Checklist is a guide to enforcing strong password policy and security best practices with your applications.
