National Institute of Standards and Technology (NIST) has been substantially revising its password guidelines since 2017.
Previous recommendations have been changed, including combining symbols, letters, and numeric to create complex passwords; changing passwords frequently; or requiring users to generate passwords of a specified length.
The changes address findings from NIST related to the human factors that cause users to create weaker instead of stronger passwords.
This article provides a closer look at the new recommendations and rationale behind them as found in provided in the NIST SP 800-63b, titled ‘Digital Identity Guidelines’ and their Appendix and FAQs:
- Users no longer have to use special characters
Arbitrary password complexities that require users to combine special characters with alpha numerals have shown users may create worse passwords with lesser security.
As NIST explained in their Appendix A: “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
- Users should be able to use all characters
NIST now recommends that users create passwords using whatever combination of characters they can easily remember.
As NIST explains “Many services reject passwords with spaces and various special characters. In some cases, the special characters that are not accepted might be an effort to avoid attacks like SQL injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary.
Under the current guidelines provided in NIST SP 800-63B 18.104.22.168, NIST observes that users should be able to maintain passwords using regular characters provided including spaces, although they highlight that repeated spaces should ideally be trimmed.
- It is reasonable to copy and paste passwords
Under the previous guideline versions, NIST was against enabling paste features when typing passwords. This is no longer the case. The revised guidelines recommend allowing paste. Being able to paste into a password field facilitates the use of password managers, a well-advised practice. Password manager utilizes a single master password to access stored passwords.
- Password policies should not require employees to change passwords on a regular basis
The new guidelines advise against the need for users to change passwords after a specific time period. Instead, passwords should be changed in the event they are exposed or there is other evidence they’ve been compromised. Requiring periodic password changes was found to lead to predictable behaviors such as incrementing a root password with numbers or symbols. As they explained in their FAQ, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations”
This represents a major change in prevailing recommendations. Several other standards (e.g. PCI, HIPAA, HITRUST) have not yet updated their guidelines. Organizations that otherwise held to compliance requirements should strongly consider eliminating periodic password expiration for the improvement to user experience, security and overhead costs associated with password changes.
- Increased character allowance
Although the new guidelines require users to maintain passwords with a minimum of eight characters, they also advocate for password fields to allow up to at least 64 characters. According to the document, increasing password allowance will enable users to utilize passphrases. Passphrases are a sequence of preferably unrelated words. NIST encourages allowing passwords as lengthy as desired, using any characters they like (including spaces), thus aiding memorization. Longer passwords – as long as they do not show up among compromised passwords – provide better security compared to shorter passwords. NIST notes that extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit, however, they don’t explicitly list that limit.
- Screen passwords against blacklists
The guidelines also advise screening passwords against lists of commonly used or compromised passwords.
NIST explains, “it is important to discourage the use of very common passwords, particularly those that are most likely to be tried in an online password guessing attack. Some passwords that meet requirements of common composition rules are in fact quite common (e.g., Password1!) while others that do not meet composition rules are not common at all. The dictionary, or blacklist, should contain likely common passwords without particular regard to how they are composed.”
Through screening, users can avoid selecting exposed passwords that will introduce security risks. Additionally, organizations can monitor existing passwords for exposure since a password that is safe today, can get exposed tomorrow.
Screening for common and compromised passwords – and keeping that up to date – requires a change in mindset and technology approaches to password policies. Previous approaches could rely on simple regular expression or formula to determine if a password was safe. The new requirements involve keeping an up to date blacklist. The research required for maintaining an accurate list will likely be left to third parties.
Why Every Organization Should Consider Adopting the NIST Password Guidelines
The new guidelines are based on numerous studies of human behavior and efficiency when it comes to passwords. They provide best practices for creating strong, effective passwords rather than outdated policies that lead to weaker and easy-to-hack passwords.