Updated NIST Password Guidelines Replace Complexity with Password Length
The National Institute of Standards and Technology (NIST) has updated its password security guidelines and now recommends longer passwords instead of enforcing composition rules such as requiring at least one uppercase letter, one lowercase letter, one number, and one special character. Mixing character types does enlarge the space an attacker has to search; however, forcing people to satisfy such rules leads, in practice, to predictable patterns (a capitalized first letter, a trailing digit or "!") that weaken password security.
Those predictable patterns occur because people need to remember their passwords, and remembering a truly random string of characters is difficult, especially when each account should have a unique password. Unless passwords are produced by a random password generator and stored in a password manager, people take shortcuts when creating them, which inevitably produces weak passwords.
The latest draft of NIST's password guidelines eliminates the requirements that did not prove effective at improving password security and simplifies password management best practices. The language has also changed. Since NIST published the current guidelines in 2017, several of these points were phrased as "should" or "should not"; the latest draft states them as "shall" and "shall not", turning recommendations into requirements.
The updated guidelines (draft SP 800-63-4; the authentication rules are in volume SP 800-63B) specify that credential service providers (CSPs) and verifiers shall require a minimum password length of 8 characters, should require a minimum of 15 characters, and should permit a maximum length of at least 64 characters so that long passphrases can be used, with each Unicode code point counted as one character. Composition rules (mixtures of character types) shall no longer be imposed; instead, verifiers should accept all printable ASCII characters and the space character, and should accept Unicode characters as well.
NIST no longer permits mandatory periodic password changes, for the same reason it dropped composition rules. The more often users are required to change their passwords, the weaker those passwords tend to become over time, because in practice users make predictable minor edits to the previous password. A password change should be forced only when there is evidence of compromise, in which case the CSP should immediately suspend, invalidate, or destroy the compromised password and associated login information and should provide the user with a backup authentication method to regain access to the account.
Other updates to the NIST password guidelines include the elimination of knowledge-based authentication and password hints, such as mother's maiden name or first pet's name, because that information can easily be obtained through social engineering; a subscriber shall never be permitted to store a hint that is accessible to an unauthenticated claimant. NIST also says subscribers in an extended session should be reauthenticated at least once every 30 days, and that verifiers shall verify the entire submitted password rather than truncating it.
While composition requirements are no longer permitted, NIST does require verifiers to compare each new password against a blocklist of commonly used, expected, or compromised passwords (for example, passwords from breach corpora, dictionary words, and context-specific strings such as the name of the service or the username) and to reject any match. NIST also stresses the importance of an additional layer of security through 2-factor or multi-factor authentication, which should be used whenever possible.
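To make the verifier rules above concrete, here is an added Python example (not code from NIST or from this article) of a policy check and password-verification routine that follows the draft requirements as described here: 8-character minimum, 15 recommended, at least 64 permitted, no composition rule, printable ASCII, space and Unicode accepted, length counted in characters, a blocklist including context-specific strings, and verification over the entire submitted password. The NFKC normalization step is taken from SP 800-63B, which allows NFKC or NFKD; the blocklist contents, the sample passwords and the PBKDF2 parameters are my own assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Length limits from the draft SP 800-63B-4 rules described in the article,
# counted in Unicode code points, not bytes.
MIN_LENGTH = 8          # "shall" require at least this many characters
RECOMMENDED_MIN = 15    # "should" require at least this many
MAX_LENGTH = 64         # "should" permit passwords at least this long

# Constructed sample blocklist. A real deployment would load a large list
# built from breach corpora and dictionary words; these entries are
# illustrative only.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

# Hashing parameters are assumptions for this example (PBKDF2-HMAC-SHA256);
# any iterated or memory-hard password hash that consumes the full input works.
PBKDF2_ITERATIONS = 600_000


def normalize(password):
    """NFKC-normalize so that different Unicode encodings of the same
    visible text (e.g. precomposed vs. combining accents) compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password, context_words=()):
    """Apply the draft SP 800-63B-4 verifier rules to a candidate password.

    Returns (rejections, warnings). The password is acceptable only when
    `rejections` is empty; `warnings` are advisory (e.g. below the
    recommended 15 characters) and do not block it. Deliberately absent:
    any uppercase/digit/symbol composition rule.
    """
    pw = normalize(password)
    rejections, warnings = [], []

    if len(pw) < MIN_LENGTH:
        rejections.append(f"fewer than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_MIN:
        warnings.append(f"fewer than the recommended {RECOMMENDED_MIN} characters")
    if len(pw) > MAX_LENGTH:
        rejections.append(f"more than {MAX_LENGTH} characters")

    # Printable ASCII, spaces and Unicode are all allowed; only control
    # characters (Unicode category Cc, e.g. tab or NUL) are refused.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        rejections.append("contains control characters")

    folded = pw.casefold()
    if folded in BLOCKLIST:
        rejections.append("matches the blocklist of commonly used passwords")
    # Context-specific strings (service name, username) are rejected when
    # they appear anywhere in the password, case-insensitively.
    for word in context_words:
        w = normalize(word).casefold()
        if w and w in folded:
            rejections.append(f"contains context-specific word {word!r}")
    return rejections, warnings


def hash_password(password, salt=b""):
    """Hash the ENTIRE normalized password (no truncation at any byte
    limit) with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute over the full submitted password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple",
                      "пароль с пробелами 123", "x" * 65]:
        print(repr(candidate), check_password_policy(candidate))
    print(check_password_policy("MyHIPAAJournalPass2024",
                                context_words=("hipaajournal",)))
    salt, digest = hash_password("caf\u00e9 au lait, 3 sugars")
    # The same visible text typed with a combining accent still verifies after NFKC.
    print(verify_password("cafe\u0301 au lait, 3 sugars", salt, digest))
```

The check returns rejections and advisory warnings separately so that an 11-character password can be accepted while still prompting the user toward the recommended 15. The "verify the entire submitted password" rule is satisfied by hashing the full UTF-8 encoding of the normalized string; practitioners should confirm their own password-hashing library does not silently truncate input (bcrypt implementations commonly cut it at 72 bytes, which a 64-character Unicode passphrase can exceed).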
NIST is accepting public comment on the draft password guidelines until October 7, 2024.


