Security
Headlines
HeadlinesLatestCVEs

Headline

NIST Drops Password Complexity, Mandatory Reset Rules

The latest draft version of NIST’s password guidelines simplifies password management best practices and eliminates those that did not promote stronger security.

DARKReading
#auth

Source: Vitalii Vodolazskyi via Shutterstock

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.

NIST’s second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types or characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.

Other recommendations include:

  • CSPs shall require passwords to be minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.

  • CSPs should allow passwords of a maximum of at least 64 characters.

  • CSPs should allow ASCII and Unicode characters to be included in passwords.

When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords comprising a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords are not always strong (i.e., “Password123!” or “q1@We3$Rt5”). And complexity meant users were making their passwords predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.

NIST also is now recommending password resets in the case of a credential breach only. Making people change passwords frequently has resulted in people choosing weaker passwords. When passwords are sufficiently long and random, and there’s no evidence of a breach, making users change it could potentially lead to weaker security.

The difference with this draft is the shift in language. Previous versions used the words “should not” while this draft says “shall not,” which means the rule has moved from a suggestion to an actual requirement.

  • Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and

  • Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Public comment on this draft (via email [email protected]) is open until 11:59 pm Eastern Time on Oct. 7.

About the Author

Dark Reading

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

DARKReading: Latest News

Microsoft Pulls Exchange Patches Amid Mail Flow Issues