
2.3.1 seems weak #1861

Open
jmanico opened this issue Feb 6, 2024 · 12 comments
Labels: `4b Major-rework` (These issues need to be part of a full chapter rework), `4) proposal for review` (Issue contains clear proposal for add/change something), `V2`, `_5.0 - prep` (This needs to be addressed to prepare 5.0)

Comments

@jmanico (Member) commented Feb 6, 2024

Can we please bump this to 8 so we are in line with other password size requirements?

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED, MERGED FROM 2.5.1] Verify system generated initial passwords or activation codes are securely randomly generated, at least 6 characters long, may contain letters and numbers, expire after a short period of time, and are single-use. These initial secrets must not be permitted to become the long term password. | | | | 330 | 5.1.1.2 / A.3 |
@elarlang (Collaborator) commented Feb 7, 2024

The number 6 comes from NIST:

> Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment) or by the verifier (e.g., when a user requests a new PIN) SHALL be at least 6 characters in length and SHALL be generated using an approved random bit generator

But the requirement itself...

  • "may contain letters and numbers" - it is not a requirement
  • "expire after a short period of time" - separate requirement? how short is "short"? covered V2.8 maybe?
  • "and are single-use" - V2.8.4
  • "These initial secrets must not be permitted to become the long term password." - duplicate of "one time use". Or there should be password history (not allowed) or a separate requirement, that the user can not set the initially generated password as a permanent password
  • NIST mapping to A.3 is not valid (nothing related there)

@elarlang elarlang added the V2 label Feb 7, 2024
@tghosth tghosth added _5.0 - prep This needs to be addressed to prepare 5.0 4b Major-rework These issues need to be part of a full chapter rework labels Feb 18, 2024
@jmanico (Member, Author) commented Apr 14, 2024

I'd like to bump this to 8 or 10 characters. 6 is the standard suggestion but 8-10 or even more is a lot better entropy since this is something a user would cut and paste.

@jmanico (Member, Author) commented Apr 15, 2024

Taking Elar's suggestion in mind:

| # | Description | L1 | L2 | L3 | CWE | NIST |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED, MERGED FROM 2.5.1] Verify that system-generated initial passwords or activation codes are securely and randomly generated, are at least 8 characters in length, and are single-use only. | | | | 330 | |

@elarlang elarlang added the 4) proposal for review Issue contains clear proposal for add/change something label Apr 15, 2024
@elarlang (Collaborator) commented

@tghosth - do we get it in or do you want to handle it during "rework"?

@tghosth (Collaborator) commented Apr 16, 2024

So this requirement is talking about "system generated initial passwords or activation codes".

I initially thought it was talking about OTPs or TOTPs but I am pretty sure that is not the case.

As such I think that upping the limit to match regular password length guidelines makes sense and I also think that complexity is relevant because this is randomly generated. I don't think it needs to be single use (and as discussed above single use is covered elsewhere) but it does need to be short lived. I agree that "These initial secrets must not be permitted to become the long term password" duplicates "short lived".

As such, I would suggest the following:

(Tag has changed following #1928)

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED] Verify that system generated initial passwords or activation codes are securely randomly generated, at least 8 characters long, contain letters and numbers, and expire after a short period of time. | | | | 330 | |

Thoughts @jmanico @elarlang

@elarlang (Collaborator) commented

Is the point, that the initial password can not be weaker than the permanent password?

If yes, then we can just say, that "initial password must match with general password rules".

> at least 8 characters long,

It just duplicates 2.1.1:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.1.1 | [MODIFIED] Verify that user set passwords are at least 8 characters in length. | | | | 521 | 5.1.1.2 |

> contain letters and numbers

Why must it contain letters AND numbers? It is in conflict with composition rules:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.1.9 | Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. | | | | 521 | 5.1.1.2 |

> and expire after a short period of time

If we want to say that the initial password has the same strength as the permanent password, why do we need to have an expiry time? How short is short (it is not testable)?

I think the goal of "securely randomly generated" + "short expiry time" is to allow shorter initial passwords.

The summary: what is the precise goal for the requirement and what is the risk/attack vector it mitigates?

@jmanico (Member, Author) commented Apr 17, 2024

How about

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED] Verify that system generated initial passwords are securely randomly generated and are as strong as typical password policy. | | | | 330 | |

Thoughts @jmanico @elarlang

@tghosth (Collaborator) commented Apr 17, 2024

@jmanico @elarlang

  1. The complexity requirements are relevant because this is a randomly generated password and therefore the arguments against complexity don't apply.

  2. It should expire because the nature of the flow means that it has been transmitted in a non-hashed way to the user and is therefore partially compromised already.

  3. I am prepared to leave short fuzzy because I think it is less critical, or we can say expires within a few days.

@deleterepo commented

> So this requirement is talking about "system generated initial passwords or activation codes".
>
> I initially thought it was talking about OTPs or TOTPs but I am pretty sure that is not the case.
>
> As such I think that upping the limit to match regular password length guidelines makes sense and I also think that complexity is relevant because this is randomly generated. I don't think it needs to be single use (and as discussed above single use is covered elsewhere) but it does need to be short lived. I agree that "These initial secrets must not be permitted to become the long term password" duplicates "short lived".
>
> As such, I would suggest the following:
>
> (Tag has changed following #1928)
>
> | # | Description | L1 | L2 | L3 | CWE | NIST § |
> |---|---|---|---|---|---|---|
> | 2.3.1 | [MODIFIED] Verify that system generated initial passwords or activation codes are securely randomly generated, at least 8 characters long, contain letters and numbers, and expire after a short period of time. | ✓ | ✓ | ✓ | 330 | |
>
> Thoughts @jmanico @elarlang

@jmanico I also thought at first that this applied to OTPs such as 2FA codes sent through SMS. Would it make sense to mention that or include another requirement specific to these types of codes?

@tghosth (Collaborator) commented May 22, 2024

> @jmanico I also thought at first that this applied to OTPs such as 2FA codes sent through SMS. Would it make sense to mention that or include another requirement specific to these types of codes?

I think this whole section is going to need to be significantly reworked @deleterepo

My current suggestion is here: #1861 (comment)

My responses to the feedback on this are here: #1861 (comment)

Are there any other concerns on my suggestion?

@deleterepo commented

Hi @tghosth. Makes sense about it needing to be reworked. Apologies I think I missed your suggestion and re-read this thread. I agree with your suggestion here: #1861 (comment). Does this mean that this only applies to non-human passwords, and the upgrade to 8 characters is to align with NIST? For activation codes and 2FA codes, even Apple still uses 6 digits for that.

@jmanico (Member, Author) commented Jun 6, 2024

A few thoughts:

  1. This is different than 2.1.1 since this is a system-generated password sent over email typically, not a user-chosen password
  2. I think these passwords should have a time limit
  3. These passwords should force a password change right away before the user can use the account (this is the standard flow for system-generated passwords for new accounts)
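The properties argued over in this thread (CSPRNG generation, a minimum length, letters and numbers, a short validity window, single use, and a forced password change afterwards) can be checked against a concrete implementation. The following is an added example written for this page; it is not ASVS text or code from the ASVS project. The 12-character default length, the 48-hour validity window, the `InitialSecretStore` class and its method names are assumptions chosen for illustration; only the 8-character floor comes from the proposals above. The `entropy_bits` helper makes jmanico's "8-10 is a lot better entropy" point measurable for the 62-character alphabet used here.

```python
import hashlib
import hmac
import math
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Letters and numbers only, as the proposed 2.3.1 wording requires (62 symbols).
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 8                      # floor proposed in the thread
DEFAULT_LENGTH = 12                 # assumption for this example, not an ASVS value
VALIDITY_SECONDS = 48 * 3600        # "a few days" made concrete; assumption for this example


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def generate_initial_password(length: int = DEFAULT_LENGTH) -> str:
    """Generate an initial password with the OS CSPRNG (secrets), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"initial password must be at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Uniform sampling almost always yields both classes; loop to guarantee it.
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def _digest(secret: str, salt: bytes) -> bytes:
    # The secret is high-entropy and random (not user-chosen), so a salted SHA-256
    # is sufficient here; the plaintext is never stored server-side.
    return hashlib.sha256(salt + secret.encode()).digest()


@dataclass
class InitialSecretRecord:
    salt: bytes
    digest: bytes
    expires_at: float
    used: bool = False


@dataclass
class InitialSecretStore:
    """Server-side record of issued initial passwords (hypothetical store for this example)."""
    records: Dict[str, InitialSecretRecord] = field(default_factory=dict)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create and record a secret; the returned plaintext is delivered out of band once."""
        now = time.time() if now is None else now
        secret = generate_initial_password()
        salt = secrets.token_bytes(16)
        self.records[user_id] = InitialSecretRecord(salt, _digest(secret, salt),
                                                    now + VALIDITY_SECONDS)
        return secret

    def redeem(self, user_id: str, presented: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'used', 'expired' or 'invalid'. Success consumes the secret."""
        now = time.time() if now is None else now
        rec = self.records.get(user_id)
        if rec is None:
            return "invalid"
        if rec.used:
            return "used"                       # single-use: a replay is rejected
        if now > rec.expires_at:
            return "expired"                    # short-lived: stale secrets are rejected
        if not hmac.compare_digest(_digest(presented, rec.salt), rec.digest):
            return "invalid"                    # constant-time comparison
        rec.used = True
        return "ok"

    def must_change_password(self, user_id: str) -> bool:
        """True once the initial secret was redeemed: the user may not keep it as a password."""
        rec = self.records.get(user_id)
        return rec is not None and rec.used


if __name__ == "__main__":
    store = InitialSecretStore()
    pw = store.issue("alice", now=0.0)
    print("issued:", pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print("first use:", store.redeem("alice", pw, now=10.0))
    print("replay:", store.redeem("alice", pw, now=20.0))
    print("must change password:", store.must_change_password("alice"))
```

The store keeps only a salted hash, so a database leak does not reveal outstanding initial passwords; the plaintext exists only in the delivery channel, which is exactly why tghosth argues it must expire. `redeem` returning `"ok"` is the signal for the login flow to route the user straight to a password-change screen, covering jmanico's third point.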
