NIST and AWS Password Policies

NIST 800-63, section 5 describes the following guidelines for passwords (aka “memorized secrets”):

at least 64 characters, all ASCII (including spaces and Unicode characters)
no reusing passwords
No password expiration period.
No password hints.
disallow passwords from data breaches, dictionary or context-specific words, or repetitive or sequential characters

Warning! This list excludes several important recommendations like expiry, rate limiting and MFA.

NIST now de-emphasizes forcing the use of certain characters (for example uppercase letters, numbers, or special chars like ! @ # $ %) and forcing periodic password rotation. This runs contrary to many password schemes you’ve probably encountered in the wild.

AWS is no exception. Account Password Policies lags these recommendations. There are many (optional) parameters, like requireSymbols, that you can ignore when implementing password schemes for your infrastructure in-line with the latest NIST recommendations.

Here’s what that might look like if you’re using Pulumi to manage your infrastructure definitions:

new aws.iam.AccountPasswordPolicy("nist22-ish", {
  allowUsersToChangePassword: true,
  minimumPasswordLength: 64,
  requireLowercaseCharacters: false,
  requireNumbers: false,
  requireSymbols: false,
  requireUppercaseCharacters: false,
  passwordReusePrevention: 24,
});

The 64 character minimum might seem onerous, but is less of a problem if you use a password manager, or can recite prose from memory /s.

This is just a starting point however. As mentioned above, in the same section NIST additionally recommends using second (2FA) or multi-factor (MFA) devices. Start here with some AWS policy definitions you could use to enforce MFA.