NIST released new password security guidelines in Special Publication 800-63B, improving cybersecurity and user experience.
One of the key changes in NIST’s guidelines is their view on password complexity. Instead of requiring a mix of uppercase and lowercase letters, numbers, and special characters, NIST now treats password length as the main factor in password strength.
“Longer passwords are generally more secure and easier to remember,” said Dr. Paul Turner, a cybersecurity expert at NIST. “We’re moving away from complex rules that create predictable patterns and encouraging unique, long passphrases instead.”
NIST recommends a minimum password length of 8 characters, with support for up to 64 characters for passphrases.
NIST no longer recommends mandatory periodic password changes, as they believe frequent resets lead to weaker, predictable passwords. Instead, passwords should only be changed if there’s evidence of a security breach or compromise.
NIST also advises checking passwords against lists of commonly used or compromised passwords and blocking those weak options. They discourage using password hints or security questions, as these can be easily guessed or obtained through social engineering.
For storing passwords, NIST recommends using salted hashing with a work factor to make offline attacks more difficult and protect stored passwords even if a database is compromised.
Other requirements include:
- Verifiers and credential service providers (CSPs) must require passwords to be at least 8 characters long, with a recommendation for 15 characters.
- Passwords should support a maximum length of at least 64 characters.
- Verifiers and CSPs should accept all printable ASCII characters, including spaces, and should also support Unicode characters, counting each Unicode character as a single unit.
- There should be no specific composition rules, such as mixing different character types.
- Periodic password changes are not required, but passwords must be changed if there is evidence of a security breach.
- Password hints that can be accessed by an unauthenticated user are not allowed.
- Knowledge-based authentication (KBA), like security questions (e.g., “What was the name of your first pet?”), should not be used when setting passwords.
- Verifiers must verify the entire password without truncating or shortening it.
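A password-acceptance check that implements the requirements listed above (together with the blocklist check described earlier), written as an added example rather than code from the article or from NIST. Length is counted in Unicode code points, spaces and non-ASCII characters are accepted, no composition rule is applied, the whole string is compared against the blocklist without truncation, and a length below 15 produces an advisory rather than a rejection. The small blocklist, the control-character rejection and the NFKC normalization step are assumptions made for this example.

```python
import unicodedata
from typing import Dict, List, Set

MIN_LENGTH = 8          # required minimum
RECOMMENDED_LENGTH = 15 # recommended minimum, advisory only
MAX_LENGTH = 64         # verifiers must accept at least this many characters

# Constructed sample blocklist; a deployment would load a large list of
# breached and commonly used passwords instead.
BLOCKLIST: Set[str] = {"password", "123456789", "qwertyuiop", "letmein1"}

def check_password(candidate: str, blocklist: Set[str] = BLOCKLIST) -> Dict[str, object]:
    """Evaluate a candidate password against the length, character-set and
    blocklist rules. Returns a dict with 'accepted', 'errors', 'warnings'
    and the code-point 'length'. Deliberately contains no composition rule."""
    pw = unicodedata.normalize("NFKC", candidate)
    length = len(pw)  # len() on a str counts code points: one unit per Unicode character
    errors: List[str] = []
    warnings: List[str] = []

    # Printable ASCII, spaces and Unicode are all accepted; only control
    # characters (Unicode category Cc, e.g. NUL or newline) are rejected.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        errors.append("control characters are not allowed")

    if length < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters (got {length})")
    elif length < RECOMMENDED_LENGTH:
        warnings.append(f"{RECOMMENDED_LENGTH} or more characters are recommended")
    if length > MAX_LENGTH:
        errors.append(f"must be at most {MAX_LENGTH} characters (got {length})")

    # The entire normalized password is compared, never a truncated prefix.
    if pw.casefold() in blocklist:
        errors.append("appears on the list of common or compromised passwords")

    return {"accepted": not errors, "errors": errors,
            "warnings": warnings, "length": length}

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["correct horse battery staple", "password", "Tr0ub4dor&3",
                   "p\u00e4ssw\u00f6rd", "short 7", "a" * 65]:
        result = check_password(sample)
        print(repr(sample), result["accepted"], result["errors"], result["warnings"])
```

The check accepts a long all-lowercase passphrase with spaces and rejects an 8-character password that satisfies the length rule but sits on the blocklist, which is exactly the shift the guidelines make: length and non-predictability matter, character-class mixing does not.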
The guidelines emphasize using multi-factor authentication (MFA) for added security, though MFA is not part of the password requirements themselves. Many in cybersecurity support the changes, with Sarah Chen, CTO of SecurePass, saying they balance security and usability well.
As organizations adopt these new guidelines, users will see changes in password policies across platforms. While it may take time, experts expect improved password security. NIST emphasizes that these guidelines are for all organizations, not just federal agencies. Staying updated on security recommendations is crucial to protect sensitive information as cyber threats evolve.