Password Guidelines Updated by NIST
March 10, 2020
The National Institute of Standards and Technology (NIST) has updated its password guidelines in accordance with new research. The U.S. government requires its agencies to follow these guidelines, and many other organizations would benefit from implementing these rules as well.
These practices represent a reasonable standard and will help you keep confidential information safe and protect against breaches.¹
NIST is a federal agency that promotes U.S. innovation and industry by advancing the nation’s technology and information security infrastructure.² Following these updated guidelines can help you improve your password security practices and increase staff efficiency. Next, we’ll take you through recommended practices from the new guidelines and how to comply with them.
Increase password length
Length is a critical component of strong passwords. Longer passwords are statistically less likely to be cracked. Because of this, NIST now requires a minimum length of eight characters for user-generated passwords and six characters for those that are generated by a machine. To ensure greater security for more sensitive accounts, NIST says you should set the maximum password length at 64 characters.³
Allow special characters and spaces
Another way of increasing security levels is to allow the use of special characters in passwords. NIST now requires systems to permit passwords that contain special characters, even emojis and spaces. The new guidelines prohibit sequential (ex: 1234) or repeating (ex: aaaa) characters and dictionary words.³
Permit users to paste text
The guidelines encourage the use of automated systems for added security. Password fields must now allow users to paste text using a device’s copy and paste feature. This affords users the opportunity to use password managers, which can greatly increase security.
Stored passwords must also be hashed and salted (security measures similar to encryption). These are security measures that help to safeguard passwords that are in storage. If put into effect, hackers won’t be able to read your password data even if they manage to steal it.³
Outlaw password hints
Password hints are one example of an added security measure that can actually undermine password security. It’s only too common for users to set hints that make it very easy to determine the password. This defeats the purpose of having a password in the first place.
To prevent this, NIST has completely outlawed the use of password hints. Knowledge-based authentication (KBA) questions like “What street did you grow up on?” are also no longer permitted. The answers to these are too easily found over the internet, and can easily lead to a breach.³
Remove periodic password change requirements
Recent studies have shown that company policies that require frequent password changes are counterproductive to good password security. NIST recommends removing this requirement, which should increase usability and make password security more user-friendly.
Many industries have had a frequent password change standard in place for years, so it may take some time before this new standard is commonly observed. But for those who found the previous standard to be unnecessary, this may come as a welcome change.¹
NIST recommends minimizing password complexity requirements, like the necessary inclusion of upper case letters, symbols, and numbers. As with frequent password change policies, these requirements can result in passwords that decrease usability and hamper employee efficiency. Reducing password complexity can be another great step on the road to better security practices that employees find easier to manage.¹
Screen new passwords against commonly used or compromised passwords
A commonly held security practice is screening your users’ passwords against lists of commonly held passwords and known compromised passwords. NIST recommends you utilize software that can check proposed passwords against previously held or exposed passwords. This will protect against the hacking practice of trying known passwords in new settings.¹