Recently, the National Institute of Standards and Technology (NIST) updated its password security guidelines, with changes that address longstanding criticisms from IT professionals and promote easier password management for users.
Among the most notable changes are:
- Periodic forced password changes are no longer recommended.
- Password length is emphasized over complexity.
- Password hints and security questions are no longer permitted.
- Verifying only a truncated portion of the password is explicitly prohibited.
What does it all mean?
Let’s look at each of these new recommendations in turn.
Periodic forced password changes
Forcing users to update their password on a schedule, say every 90 days, was a mainstay of enterprise security for years. But in practice, forcing users to regularly change their passwords results in less secure passwords as many users will just add a single character or number at the end of their previous password, making passwords more predictable. NIST now recommends that organizations force password changes only when there is evidence that the previous password has been compromised.
Length vs complexity
It’s become standard for services to mandate some combination of lower case, upper case, numbers, and special characters (but not every special character) to produce a “secure” password. But evidence shows that most people make common substitutions (0 for O, @ for a) that don’t increase security at all. And mathematically it’s clear that longer passwords are much harder to crack than short ones, regardless of complexity.
So NIST is dropping composition requirements and emphasizing password length instead: the minimum requirement rises to 8 characters, the recommended minimum to 15 characters, and services are encouraged to allow passwords of up to 64 characters, if not more.
Password hints and security questions
Hints and knowledge-based authentication can offer a lifeline for users who forget their password by asking questions like “Where did you go to high school?” or “What street did you grow up on?”, but answers to many of these questions can be collected through social engineering, making them dangerously insecure. Moving forward, NIST recommends that these features be eliminated entirely.
Truncated passwords
You may be surprised to learn that some online services don’t use your entire password for authentication: even if they let you save an extra-long password, they might check only the first 8 characters. NIST now says: knock it off. If users are smart enough to secure their accounts with long passwords, the whole password should be required to verify their identity.
Best practices
The number of accounts per user keeps growing; on average, users now maintain well over 150 distinct logins across work and personal accounts. Maintaining strong, unique passwords is a critical step in keeping these accounts secure.
NIST’s updated recommendations give users the freedom to make use of unique passphrases that will be easier to remember and harder for malicious actors to crack through social engineering or brute force attacks.
These recommendations also make absolutely clear that if each of your passwords is long, strong, and unique, you simply can’t be expected to remember every one. A secure password management system has become a requirement for safely navigating the digital world. Luckily there are now several different options that support your specific needs, from browser-based password management (Safari, Chrome, Firefox), to Apple’s new Passwords app, to feature-rich apps for teams and families like 1Password.