
NIST Proposes Updated Password Practices

Cybersecurity is a growing concern, but for many years security practices have ignored the realities of human behavior. While strict password rules aim to enhance security, they can frustrate people, leading them to adopt practices that actually weaken security. For example, the requirement to periodically change passwords can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Solving that problem by enforcing complex passwords leads to people writing passwords down rather than memorizing them.

If the goal is actual security, it is important to work with and not against people. Recognizing this, the National Institute of Standards and Technology (NIST) recently updated its guidelines for password security. The updates are a significant but welcome shift from traditional practices.

Understanding the Need for Updated Guidelines

Physical passkeys, digital IDs, and other authentication modes may ultimately replace passwords, but for now passwords remain a critical component of cybersecurity. They serve as the first line of defense for individuals and organizations. Breached passwords continue to be one of the most common cybersecurity threats. By understanding the threats to authentication identified by NIST, organizations can better define and respond to security risks.

Some Key Updates

The guidelines include more forceful recommendations than in the past, as indicated by “SHALL” and “SHALL NOT” practices, which must be followed in order to comply with the standard. Some practices are still phrased in the form of “SHOULD” and “SHOULD NOT,” which form recommended though not required best practices.

  • Password length has been addressed: the minimum length SHALL be 8 characters (up from 6) and passwords of up to 64 characters SHOULD be allowed. This ensures that users wishing to use longer passphrase-style passwords may do so.
  • Composition rules (e.g., requiring mixtures of different character types) SHALL NOT be enforced, and Unicode (ISO/IEC 10646) characters SHOULD be accepted in passwords.
  • Password changes SHALL only be forced where there is evidence of compromise.
  • Password hints SHALL NOT be allowed (if accessible to the unauthenticated user).
  • Knowledge-based security questions (e.g., “What is your mother's maiden name?”) SHALL NOT be used. This eliminates a major threat vector used by social engineering attacks.
  • Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

These are all welcome changes that will encourage the use of more secure passwords.
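To make the list above concrete, here is an added Python example (not code from NIST or from this post) that contrasts a legacy composition-rule check with a verifier following the listed practices: a minimum of 8 characters, at least 64 accepted, no character-class rules, Unicode accepted and counted per code point, a blocklist check standing in for "evidence of compromise", and hashing over the entire submitted password so nothing is truncated. The `BLOCKLIST` contents, the sample passwords and the two policy functions are constructed for illustration; the NFKC normalization step and PBKDF2 iteration count are reasonable choices, not values taken from the post.

```python
import hashlib
import hmac
import os
import string
import unicodedata

# Policy constants taken from the bullet list above (NIST SP 800-63B).
MIN_LENGTH = 8          # SHALL: at least 8 characters
MAX_LENGTH = 64         # SHOULD: passwords up to 64 characters accepted
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the stored hash

# Constructed stand-in for a compromised-password list; a real deployment
# would check against a breach corpus, not this handful of strings.
BLOCKLIST = {"password", "12345678", "p@ssw0rd", "qwertyuiop", "letmein1"}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately has no composition rules. Length is measured in Unicode
    code points after NFKC normalization so that non-ASCII passphrases are
    neither rejected nor miscounted."""
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)
    problems: list[str] = []
    if length < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if normalized.casefold() in BLOCKLIST:
        problems.append("appears on the compromised-password blocklist")
    return problems


def legacy_check(password: str) -> list[str]:
    """Constructed example of the older style of policy the guidelines drop:
    6-character minimum plus mandatory upper/lower/digit/symbol mix."""
    problems: list[str] = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    if not all(any(ch in cls for ch in password) for cls in classes):
        problems.append("must contain upper, lower, digit and symbol")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Hash the whole password (no truncation) with a random per-user salt."""
    salt = salt or os.urandom(16)
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "pässwörd-mit-umlauten"):
        print(f"{pw!r}: legacy={legacy_check(pw) or 'ok'} nist={check_password(pw) or 'ok'}")
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))   # True
    print(verify_password("correct horse battery stapl", salt, digest))    # False
```

Running it shows the inversion the post describes: `P@ssw0rd` satisfies every legacy composition rule yet is rejected as a known-compromised value, while a plain four-word passphrase fails the legacy mix requirement and passes the updated policy. The final two checks show that the verifier compares the full string, so a candidate differing only in its last character is refused.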

Conclusion

While the NIST standards do not have the force of law, they provide a solid set of best practices that businesses can use as a starting point for securing their data and the data under their care.

For more detailed insights into NIST's password guidelines, you can refer to the NIST Special Publication 800-63B.
