🏛️ FIPS 140-3 Password Generation Standards for Federal Contractors
Any organisation that supplies IT systems to US federal agencies must comply with FIPS 140-3 for cryptographic modules. This includes password generation tools, authentication systems, and any component that uses encryption or random number generation for security purposes.
What Changed from FIPS 140-2
FIPS 140-3 became the sole standard in September 2024, fully replacing FIPS 140-2. The key changes affecting password generation include: mandatory SP 800-90A Rev 1 DRBG algorithms, stricter entropy source validation requirements, software security requirements based on the SSE (Security Software/Developer) guidance, and enhanced lifecycle assurance levels.
CSPRNG Requirements in FIPS 140-3
For password generation, the critical requirement is the random number generator. FIPS 140-3 mandates that cryptographic modules use one of three approved DRBG algorithms from SP 800-90A Rev 1: Hash_DRBG (SHA-256 or SHA-512), HMAC_DRBG, or CTR_DRBG (AES-based).
Python's secrets module, OpenSSL's RAND_bytes(), and Java's SecureRandom all use FIPS-approved DRBGs when properly configured. Python's random module and JavaScript's Math.random() are explicitly prohibited for any security-sensitive application.
Implementing FIPS 140-3 Compliant Password Generation
```python
# Python example using secrets (FIPS-compliant)
import secrets
import string


def generate_fips_password(length=20):
    """Return a password of `length` characters drawn uniformly from the printable set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    # secrets.choice uses secrets.SystemRandom, which reads os.urandom(),
    # i.e. the kernel CSPRNG (/dev/urandom on Linux)
    return ''.join(secrets.choice(alphabet) for _ in range(length))


# Verify the entropy source:
# in FIPS mode, /proc/sys/crypto/fips_enabled reads 1
```
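The snippet above draws characters but does not check the kernel's FIPS state or size the password to an entropy budget. The following added example (not code from the original page) does both: it reads /proc/sys/crypto/fips_enabled, computes the entropy of a uniformly chosen password as length * log2(alphabet size), refuses lengths below an assumed 112-bit policy floor, and resamples until every character class is present.

```python
import math
import secrets
import string
from pathlib import Path

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Character classes a password must cover (a constructed site policy, not a FIPS 140-3 rule)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
MIN_ENTROPY_BITS = 112  # assumed policy floor; set to the deployment's own requirement


def fips_mode_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """True if the Linux kernel reports FIPS mode; False when disabled or the file is absent."""
    try:
        return Path(proc_path).read_text().strip() == "1"
    except OSError:
        return False


def password_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a password whose characters are chosen uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def minimum_length_for(min_bits=MIN_ENTROPY_BITS, alphabet=ALPHABET):
    """Smallest length whose entropy reaches `min_bits` for this alphabet."""
    return math.ceil(min_bits / math.log2(len(alphabet)))


def covers_all_classes(password):
    """True if at least one character from every class in CLASSES is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=20, min_bits=MIN_ENTROPY_BITS):
    """Generate from the kernel CSPRNG via secrets, enforcing the entropy floor and class coverage.
    Resampling for coverage rejects about one candidate in ten at length 20, which costs
    well under one bit of the entropy reported by password_entropy_bits()."""
    if password_entropy_bits(length) < min_bits:
        raise ValueError(f"length {length} gives {password_entropy_bits(length):.1f} bits; "
                         f"need {minimum_length_for(min_bits)} characters for {min_bits} bits")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    print("kernel FIPS mode:", fips_mode_enabled())
    pw = generate_password()
    print(pw, f"({password_entropy_bits(len(pw)):.1f} bits)")
```

On a non-FIPS host fips_mode_enabled() returns False, which a deployment script can use to refuse to run rather than silently generating passwords outside the validated boundary.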
For enterprise deployments, use a FIPS 140-3 validated module such as the OpenSSL 3.x FIPS Provider, AWS CloudHSM running a FIPS-validated firmware level, or Windows CNG with the FIPS policy enabled.