The National Institute of Standards and Technology (NIST) has unveiled updated guidelines for password security, signaling a major departure from conventional practices. These recommendations, detailed in NIST Special Publication 800-63B, aim to bolster cybersecurity while enhancing user experience.
A key change is NIST’s revised view on password complexity. Instead of enforcing arbitrary requirements like mixing uppercase and lowercase letters, numbers, and special characters, the focus has shifted to password length as the primary measure of strength. Dr. Paul Turner, a cybersecurity expert at NIST, stated, “Longer passwords are generally more secure and easier for users to remember. We’re moving away from complex rules that often lead to predictable patterns and toward encouraging unique, lengthy passphrases.”
NIST now advises a minimum password length of 8 characters, with a strong preference for longer passwords. Organizations are encouraged to allow passwords up to at least 64 characters to accommodate passphrases.
Another significant update is the discontinuation of mandatory periodic password changes. NIST contends that frequent resets often result in weaker passwords and prompt users to make minor, predictable modifications. Instead, users should change passwords only when there is evidence of a compromise. “Forcing users to change passwords regularly doesn’t enhance security and can actually be counterproductive,” Turner noted. “It’s more effective to monitor for compromised credentials and require changes only when necessary.”
The new guidelines also stress the importance of checking passwords against lists of commonly used or compromised passwords. NIST suggests that organizations maintain an updated blocklist of weak passwords, preventing users from selecting any that appear on this list.
Moreover, NIST advises against using password hints or knowledge-based authentication questions, as these can often be easily guessed or uncovered through social engineering.
For password storage, NIST recommends employing salted hashing with a work factor that makes offline attacks computationally expensive, thus protecting stored passwords even if a database is breached.
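The storage recommendation above, as an added illustration that is not part of the original article and not code from NIST: each password gets its own random salt, the hash is computed with a tunable work factor (here the PBKDF2-HMAC-SHA256 iteration count from Python's standard library; memory-hard functions such as scrypt or Argon2 are equally valid choices), the record stores the parameters used so the work factor can be raised later without breaking old accounts, and the full UTF-8 encoding of the password is hashed so nothing is truncated. The record format, the 600,000 default iteration count and the `needs_rehash` helper are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Work factor: the PBKDF2-HMAC-SHA256 iteration count. Raise it as hardware
# gets faster; each record carries the count it was made with, so older
# hashes remain verifiable and can be upgraded on the user's next login.
# 600_000 is an assumed starting point for this example, not a page value.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES)            # fresh random salt per password
    pw_bytes = password.encode("utf-8")      # the entire password, never truncated
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:                       # malformed or foreign record
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below the current policy (rehash after a successful login)."""
    try:
        _, iters, _, _ = record.split("$")
        return int(iters) < target_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stapler", record))  # False
```

The salt defeats precomputed tables and makes identical passwords produce different records; the iteration count is what makes an offline guess expensive, and it is the knob to turn up over time. Hashing the full UTF-8 string matters for the "no truncation" requirement: some schemes (bcrypt, for example) only consider the first 72 bytes, so a 100-character passphrase would verify against its 72-character prefix.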
Other requirements include:
- Verifiers and credential service providers (CSPs) must require passwords to be at least eight characters long and should ideally mandate a minimum of 15 characters.
- Verifiers and CSPs should allow a maximum password length of at least 64 characters.
- Verifiers and CSPs must accept all printable ASCII characters and the space character in passwords, as well as Unicode characters.
- Verifiers and CSPs must not impose other composition rules (e.g., requiring different character types).
- Verifiers and CSPs should not require periodic password changes but must enforce changes if there is evidence of compromise.
- Verifiers and CSPs must not allow the storage of hints accessible to unauthenticated users.
- Verifiers and CSPs must not prompt for knowledge-based authentication during password selection.
- Verifiers must verify the entire submitted password without truncation.
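The blocklist check from earlier in the article and the length and composition rules in the list above, combined into one added example; this is illustrative code written for this page, not NIST's or any vendor's implementation. The constructed blocklist is a handful of entries standing in for a large, regularly refreshed list, the 128-character ceiling is an assumption (the guideline only requires that at least 64 be allowed), and the NFKC normalization step is this example's choice so that visually identical Unicode spellings are compared the same way (the page does not discuss normalization). There is deliberately no character-class rule anywhere in the function.

```python
import unicodedata

MIN_LENGTH = 8        # must: at least eight characters
PREFERRED_MIN = 15    # should: ideally at least 15 characters
MAX_LENGTH = 128      # assumption: the rule only requires allowing at least 64

# Constructed sample blocklist. A real deployment would load a large,
# regularly updated set of commonly used and breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin", "p@ssw0rd"}


def normalize(password: str) -> str:
    """Canonical Unicode form so e.g. fullwidth letters compare like ASCII (example's choice)."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(candidate: str, blocklist=BLOCKLIST, enforce_preferred: bool = False):
    """Return (accepted, reasons).

    Only three things are checked: minimum length, maximum length, and the
    blocklist. Spaces, punctuation and any Unicode character are accepted,
    and no mixture of character types is demanded.
    """
    pw = normalize(candidate)
    reasons = []

    # len() on a str counts code points, so a 12-character Japanese phrase is 12 characters.
    length = len(pw)
    minimum = PREFERRED_MIN if enforce_preferred else MIN_LENGTH
    if length < minimum:
        reasons.append(f"too short: {length} < {minimum} characters")
    if length > MAX_LENGTH:
        reasons.append(f"too long: {length} > {MAX_LENGTH} characters")

    # Case-insensitive blocklist comparison: "Password" is no better than "password".
    if pw.casefold() in blocklist:
        reasons.append("appears on the blocklist of common or compromised passwords")

    return (not reasons, reasons)


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "short", "Password", "aaaaaaaa",
                   "ユーザーのひみつのことば", "ｐａｓｓｗｏｒｄ"]:
        accepted, why = evaluate_password(sample)
        print(f"{sample!r}: {'accepted' if accepted else 'rejected'} {why}")
```

Two behaviours are worth noticing: `"aaaaaaaa"` passes the mandatory 8-character floor but fails when the preferred 15-character minimum is enforced, which is the intended trade-off between the must and the should; and the fullwidth `"ｐａｓｓｗｏｒｄ"` is rejected only because normalization folds it onto the blocklisted `"password"`, which is why the check runs on the normalized form rather than on the raw input.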
The guidelines also underscore the significance of multi-factor authentication (MFA) as an additional security layer, strongly encouraging its use whenever possible.
These new recommendations have garnered positive feedback from many cybersecurity experts. “NIST’s updated guidelines align with what security researchers have advocated for years,” said Sarah Chen, CTO of SecurePass, a password management firm. “They strike a good balance between security and usability.”
As organizations begin to implement these guidelines, users can anticipate changes in password policies across various platforms and services. While the adaptation process may take time, experts believe these updates will ultimately lead to stronger password security.
NIST emphasizes that these guidelines are not only for federal agencies but also serve as best practices for all organizations concerned with cybersecurity. As cyber threats evolve, staying current with the latest security recommendations is vital for safeguarding sensitive information and systems.