
NIST Releases New Guidelines for Passwords


The National Institute of Standards and Technology (NIST) has made significant changes to its password guidelines, announcing that a mix of character types in passwords and regular password changes are no longer recommended as best practices for password management. This update comes in the latest version of NIST’s password guidelines, known as SP 800-63-4.

The new guidelines from NIST advise Credential Service Providers (CSPs) to stop requiring users to set passwords that contain specific types of characters, and to stop mandating periodic password changes, which are typically enforced every 60 or 90 days. Additionally, CSPs should refrain from using knowledge-based authentication or security questions during the password selection process.

In addition to these changes, the updated guidelines include several other recommendations. For instance, passwords should be at least 15 characters long, and CSPs should accept passwords of at least 64 characters. Furthermore, CSPs should permit both ASCII and Unicode characters in passwords.

This shift in NIST’s recommendations marks a departure from the previous guidelines introduced in 2017, which emphasized the complexity of passwords, such as a mix of uppercase and lowercase letters, numbers, and special characters. However, research has shown that complex passwords are not always strong, as they can be easily predicted or guessed by malicious actors. Users often resorted to writing down passwords or reusing them across multiple accounts, undermining their security.

In response to these challenges, NIST has pivoted towards emphasizing password length as a key factor in password strength. Longer passwords are more resilient against brute-force attacks and can be easier for users to remember without being overly predictable.

Moreover, NIST now recommends password resets only in the event of a credential breach, as frequent password changes were found to lead to the adoption of weaker passwords by users. By aligning password reset practices with actual security threats, NIST aims to enhance the overall security posture of organizations and individuals.

Overall, these updated guidelines from NIST reflect a shift towards a more user-centric approach to password security, prioritizing usability and resilience over arbitrary rules. By focusing on password length and tailored password reset strategies, CSPs can better protect user accounts and sensitive information from cyber threats. It remains to be seen how organizations will adapt to these new recommendations and incorporate them into their password management practices.
