Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
NIST Drops Password Complexity, Mandatory Reset Rules
The latest draft version of NIST's password guidelines simplifies password management best practices and eliminates those that did not promote stronger security.
The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.
NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types or characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.
Other recommendations include:
CSPs shall require passwords to be minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.
CSPs should allow passwords of a maximum of at least 64 characters.
CSPs should allow ASCII and Unicode characters to be included in passwords.
When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords comprising a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords are not always strong (i.e., "Password123!" or "q1@We3$Rt5"). And complexity meant users were making their passwords predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.
NIST also is now recommending password resets in the case of a credential breach only. Making people change passwords frequently has resulted in people choosing weaker passwords. When passwords are sufficiently long and random, and there's no evidence of a breach, making users change it could potentially lead to weaker security.
The difference with this draft is the shift in language. Previous versions used the words "should not" while this draft says "shall not," which means the rule has moved from a suggestion to an actual requirement.
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Public comment on this draft (via email [email protected]) is open until 11:59 pm Eastern Time on Oct. 7.
About the Author
You May Also Like