The National Institute of Standards and Technology (NIST) has proposed new password guidelines to ensure stronger cyber security. The new rules outline technical requirements as well as recommended best practices to ensure correct password management and authentication.

NIST no longer recommends using a mix of different character types or regularly changing passwords.

The new guidelines require three main changes that credential service providers (CSPs) must make:

  • Stop requiring users to set passwords that use specific characters
  • Stop requiring periodic password changes
  • Stop using knowledge-based authentication/security questions

NIST originally recommended complex passwords in 2017, requiring passwords to have a mix of uppercase and lowercase letters, numbers, and special characters. However, it found that complex passwords aren’t always strong: users choose predictable, easy-to-guess passwords that satisfy the rules and reuse them across multiple accounts.

NIST has now shifted its focus to password length, since longer passwords are harder to crack by brute force and can be easy to remember while still being unpredictable.

NIST has also found that forcing users to change their password regularly leads to weaker passwords being chosen, and now suggests changing a password only when there has been a security breach.

Other recommendations include:

  • CSPs shall require passwords to be at least 8 characters long and should require them to be at least 15 characters long.
  • CSPs should allow passwords to be at least 64 characters long (the maximum length must not be lower than 64).
  • CSPs should allow both ASCII and Unicode characters in passwords.
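The following is an added example, not code from the article or from NIST, showing how the three changes and the length rules above translate into a password acceptance policy: a hard minimum of 8 characters, a recommended minimum of 15, a ceiling of at least 64, Unicode counted as characters rather than bytes, no composition rules, and a forced change only after a breach. The constants, function names and sample passwords are this example's own, and the NFKC Unicode normalisation step is an assumption of the example that the article does not mention.

```python
"""Length-first password policy following the NIST recommendations summarised
above. Constants and function names are hypothetical, chosen for this example."""
import unicodedata
from dataclasses import dataclass

MIN_LENGTH_REQUIRED = 8      # "shall" in the NIST text
MIN_LENGTH_RECOMMENDED = 15  # "should" in the NIST text
MAX_LENGTH_ALLOWED = 64      # the ceiling must be *at least* 64; 64 is used here


@dataclass
class Verdict:
    accepted: bool
    reason: str
    meets_recommended_length: bool


def normalize(password: str) -> str:
    """Unicode normalisation (an assumption of this example, not stated in the
    article) so the same visible text typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str) -> Verdict:
    """Length-only acceptance check: deliberately no upper/lower/digit/symbol rules."""
    pw = normalize(password)
    length = len(pw)  # counts code points, so Unicode text is not measured in bytes
    if length < MIN_LENGTH_REQUIRED:
        return Verdict(False, f"fewer than {MIN_LENGTH_REQUIRED} characters", False)
    if length > MAX_LENGTH_ALLOWED:
        return Verdict(False, f"more than {MAX_LENGTH_ALLOWED} characters", True)
    return Verdict(True, "accepted", length >= MIN_LENGTH_RECOMMENDED)


def legacy_composition_check(password: str) -> bool:
    """The retired rule, kept only to show what is being dropped: it demands an
    uppercase letter, a lowercase letter, a digit and a symbol regardless of length."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def legacy_change_required(days_since_change: int, max_age_days: int = 90) -> bool:
    """Old practice: rotate on a calendar schedule whether or not anything happened."""
    return days_since_change > max_age_days


def change_required(breached: bool) -> bool:
    """New practice: age alone never forces a reset; a known breach does."""
    return breached


if __name__ == "__main__":
    # Constructed sample passwords: a short "complex" one, a long passphrase,
    # and a Unicode passphrase.
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "パスワードは長い方が良い"]:
        v = evaluate_password(pw)
        print(f"{pw!r}: accepted={v.accepted}, meets_15={v.meets_recommended_length}, "
              f"old_complexity_rule={legacy_composition_check(pw)}")
    print("400-day-old, no breach -> legacy:", legacy_change_required(400),
          "new:", change_required(False))
```

Run as a script it prints one line per sample password; the contrast to notice is that the 11-character password satisfies the old composition rule but falls short of the recommended 15 characters, while the 28-character passphrase fails the old rule yet is the stronger choice under the new length-first guidance.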

To find out more, you can view NIST’s newest version of password guidelines here.