NIST Recommends New Rules for Password Security

The National Institute of Standards and Technology (NIST) has released updated guidelines for password security, marking a significant shift from traditional password practices.

These new recommendations, outlined in NIST Special Publication 800-63B, aim to enhance cybersecurity while improving user experience.

One of the most notable changes is NIST’s stance on password complexity. Contrary to long-standing practices, NIST no longer recommends enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength.

“Longer passwords are generally more secure and easier for users to remember,” said Dr. Paul Turner, a cybersecurity expert at NIST. “We’re moving away from complex rules that often lead to predictable patterns and towards encouraging unique, lengthy passphrases.”

NIST now recommends a minimum password length of 8 characters, with a strong preference for even longer passwords. Organizations are advised to allow passwords up to at least 64 characters to accommodate passphrases.

Another significant change is the elimination of mandatory periodic password changes. NIST argues that frequent password resets often lead to weaker passwords and encourage users to make minor, predictable changes. Instead, passwords should only be changed when there’s evidence of compromise.

“Forcing users to change passwords regularly doesn’t improve security and can actually be counterproductive,” Turner explained. “It’s more effective to monitor for compromised credentials and require changes only when necessary.”

The new guidelines also emphasize the importance of checking passwords against lists of commonly used or compromised passwords. NIST recommends that organizations maintain an updated blocklist of weak passwords and prevent users from selecting any password on this list.

Additionally, NIST advises against using password hints or knowledge-based authentication questions, as these can often be easily guessed or discovered through social engineering.

For storing passwords, NIST recommends using salted hashing with a work factor that makes offline attacks computationally expensive. This approach helps protect stored passwords even if a database is compromised.

Other requirements to be followed:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

The guidelines also stress the importance of multi-factor authentication (MFA) as an additional layer of security. While not a direct password requirement, NIST strongly encourages the use of MFA wherever possible.

These new recommendations have been well-received by many in the cybersecurity community. “NIST’s updated guidelines align with what security researchers have been advocating for years,” said Sarah Chen, CTO of SecurePass, a password management company. “They strike a good balance between security and usability.”

As organizations implement these new guidelines, users can expect to see changes in password policies across various platforms and services. While it may take time for all systems to adapt, experts believe these changes will lead to more effective password security in the long run.

NIST emphasizes that these guidelines are not just for federal agencies but serve as best practices for all organizations concerned with cybersecurity.

As cyber threats continue to evolve, staying updated with the latest security recommendations remains crucial for protecting sensitive information and systems.