For those of you interested in such things: NIST (National Institute of Standards and Technology), US Department of Commerce
NIST SP 800-63-3 Public Draft Digital Identity Guidelines
[pages.nist.gov]: Public Comment Period, 30-January - 31-March-2017
The four major linked resources for reading/consideration:
* Digital Identity Guidelines
* Enrollment & Identity Proofing
* Authentication & Lifecycle Management
* Federation & Assertions
For those of you not at all interested in the breadth and depth, the nitty gritty and banality of government publications a few paraphrased extractions on passwords for you to consider:
* passwords should be an absolute minimum of 8-characters, up to a maximum of 64. The more sensitive/personal the data the longer the password.
* passphrases should accept all/common punctuation and languages.
* passwords should accept all ASCII and UNICODE printable characters including spaces and emoji.
* passwords must be hashed, salted, and stretched for storage.
---an absolute minimum salt of 32 bits;
---a keyed HMAC (Hash Message Authentication Code) hash using (Secure Hashing Algorithm) SHA-2 or SHA-3;
Note: there are still ~500,000 SHA-1 certs in existence.
Note: Chrome now treats connections with SHA-1 certs that expired last year as HTTP not HTTPS.
Note: Chrome now warns on SHA-1 certs expiring this year as weak.
---and an absolute minimum 10,000 iterations with PBKDF2 (Password-Based Key Derivation Function 2 aka the stretching algorithm).
* NO NO NO aka DO NOT use:
---Knowledge Based Authentication (KBA)
---password expiration except when forgotten, phished, or have reason to suspect pw DB has been hacked.
---Short Message Service (SMS) for two-factor authentication (2FA).
What this means for those whose sites use passwords is that you should consider upping your game.
What this means for those of you that handle/store personal/sensitive data/information is that you might want to do some reading...