What is the recommended session timeout?
Typical session timeouts are 15 to 45 minutes, depending on the sensitivity of the data that the session could expose. As the timeout approaches, show the user a warning and give them the opportunity to stay logged in.
What is NIST Special Publication 800-63B?
NIST Special Publication (SP) 800-63B provides requirements, recommendations, and guidance for the use of memorized secrets (i.e., PINs, passwords) in authentication of digital identity. This guidance for memorized secrets is exclusively for human users.
Does NIST require password expiration?
According to both NIST and Microsoft, password expiration policies are no longer necessary. Forcing users to change their passwords periodically may actually do more harm than good, because users become more likely to choose predictable passwords that are easier to remember.
How long should a login session last?
Longer idle timeouts (15-30 minutes) are considered acceptable for low-risk applications. On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity.
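The two limits above (a 12-hour absolute lifetime and a 30-minute idle timeout) and the expiry warning mentioned in the first answer can be combined in one server-side check. The following is an added example, not code from NIST or from any particular framework; the 2-minute warning window and the `Session` fields are assumptions, and times are plain epoch seconds so the check runs without a clock library.

```python
import time
from dataclasses import dataclass

# Figures taken from the guidance above.
ABSOLUTE_LIFETIME_S = 12 * 3600   # force re-authentication after 12 hours
IDLE_TIMEOUT_S = 30 * 60          # terminate after 30 minutes of inactivity
# Assumed value: how long before idle expiry the UI should warn the user.
WARNING_BEFORE_EXPIRY_S = 2 * 60


@dataclass
class Session:
    user: str
    authenticated_at: float   # epoch seconds of the last full authentication
    last_activity_at: float   # epoch seconds of the last request


def evaluate(session: Session, now: float) -> str:
    """Classify a session as active, warn, expired_idle or expired_absolute.

    The absolute limit is checked first: staying active never extends it,
    so a user who keeps clicking still has to re-authenticate every 12 hours.
    """
    if now - session.authenticated_at >= ABSOLUTE_LIFETIME_S:
        return "expired_absolute"
    idle = now - session.last_activity_at
    if idle >= IDLE_TIMEOUT_S:
        return "expired_idle"
    if idle >= IDLE_TIMEOUT_S - WARNING_BEFORE_EXPIRY_S:
        return "warn"
    return "active"


def touch(session: Session, now: float) -> str:
    """Record activity (or a 'stay logged in' click) only if the session is still valid.

    Returns the resulting state; an expired session is never revived here,
    the caller must send the user back through full authentication.
    """
    state = evaluate(session, now)
    if state in ("active", "warn"):
        session.last_activity_at = now
        return "active"
    return state


def seconds_until_expiry(session: Session, now: float) -> float:
    """Remaining lifetime, whichever of the two limits is closer (for the warning dialog)."""
    absolute_left = ABSOLUTE_LIFETIME_S - (now - session.authenticated_at)
    idle_left = IDLE_TIMEOUT_S - (now - session.last_activity_at)
    return max(0.0, min(absolute_left, idle_left))


if __name__ == "__main__":
    s = Session("alice", time.time(), time.time())
    print(evaluate(s, time.time()), seconds_until_expiry(s, time.time()))
```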