The National Institute of Standards and Technology (NIST) has published fresh guidelines for password protection, signaling a notable departure from conventional password procedures.

These recommendations, set out in NIST Special Publication 800-63B, are intended to improve security while also improving the user experience.

Among the most notable changes is NIST’s position on password complexity. Breaking with long-standing practice, NIST no longer advises enforcing arbitrary composition rules such as requiring a mix of uppercase and lowercase letters, digits, and special symbols. Instead, the emphasis has shifted to password length as the primary determinant of password strength.

“Lengthier passwords are typically more secure and simpler for users to recall,” shared Dr. Paul Turner, a cybersecurity specialist at NIST. “We’re departing from intricate regulations that often result in foreseeable patterns and moving towards encouraging distinct, extensive passphrases.”

NIST now recommends a minimum password length of 8 characters, with a strong preference for longer passwords. Organizations are urged to accept passwords of at least 64 characters so that passphrases can be used.

Another notable change is the removal of mandatory periodic password changes. NIST argues that frequent password resets often lead to weaker passwords and encourage users to make small, predictable changes to an existing password. Instead, passwords should be changed only when there is evidence of compromise.

“Compelling users to modify passwords regularly does not boost security and can, in fact, be counterproductive,” explained Turner. “It’s more effective to monitor for compromised credentials and mandate changes solely when indispensable.”

The new guidelines also stress the importance of checking passwords against lists of commonly used or compromised passwords. NIST recommends that organizations maintain an up-to-date blocklist of weak passwords and prevent users from choosing any password on that list.

In addition, NIST advises against password hints and knowledge-based authentication questions, since the answers can often be guessed or discovered through social engineering.

For storing passwords, NIST recommends salted hashing with a work factor that makes offline guessing attacks computationally expensive. This protects stored passwords even if the password database is breached.

Other requirements set out in the publication:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters long and SHOULD require passwords to be at least 15 characters long.
  2. Verifiers and CSPs SHOULD allow a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printable ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD permit Unicode [ISO/IEC 10646] characters in passwords. Every Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., demanding mixtures of diverse character kinds) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to periodically change passwords. Nonetheless, verifiers SHALL enforce a change if there’s evidence of authenticator compromise.
  7. Verifiers and CSPs SHALL NOT allow the subscriber to retain a hint accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to utilize knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when selecting passwords.
  9. Verifiers SHALL authenticate the complete submitted password (i.e., not truncate it).
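The requirements above expressed as a single validation routine, as an added example that is not from the article or from NIST. It enforces the 8-character minimum, warns below the recommended 15, accepts spaces, all printable ASCII and Unicode, counts Unicode code points rather than bytes, applies no composition rules, checks a blocklist, and never truncates. The 128-character upper bound (above the 64 NIST says verifiers should allow), the NFKC normalization step, the rejection of control characters and the sample blocklist are choices made for this example; the blocklist entries are constructed, and a real deployment would load a large breached-password list.

```python
import unicodedata

MIN_LENGTH = 8           # SHALL require at least this many characters
RECOMMENDED_MIN = 15     # SHOULD require at least this many
MAX_LENGTH = 128         # assumed limit; NIST says to allow at least 64

# Constructed sample blocklist of common passwords (lower case for case-insensitive lookup).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou"}


def check_password(candidate: str, blocklist=BLOCKLIST) -> dict:
    """Validate a proposed password against the NIST-style rules.

    Returns {"violations": [...], "warnings": [...]}; the password is acceptable
    when "violations" is empty.  Nothing about the candidate is truncated.
    """
    violations, warnings = [], []

    # Normalize first so the same passphrase typed on different keyboards or
    # platforms (precomposed vs. combining accents) compares equally.  NFKC is an
    # assumption for this example.
    normalized = unicodedata.normalize("NFKC", candidate)

    # len() on a Python str counts Unicode code points, not UTF-8 bytes, which is
    # the counting rule the guidelines call for.
    length = len(normalized)
    if length < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    elif length < RECOMMENDED_MIN:
        warnings.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if length > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")

    # Every printable ASCII character, the space and all Unicode letters and
    # symbols are accepted.  Only control characters (Unicode category Cc, e.g.
    # NUL, tab, newline) are rejected, an assumption for this example.
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        violations.append("contains control characters")

    # Blocklist check: no composition rules, but well-known passwords are refused.
    if normalized.casefold() in blocklist:
        violations.append("appears on the blocklist of commonly used or compromised passwords")

    return {"violations": violations, "warnings": warnings}


def is_acceptable(candidate: str, blocklist=BLOCKLIST) -> bool:
    return not check_password(candidate, blocklist)["violations"]


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for pw in ["short", "12345678", "Tr0ub4dor&3", "correct horse battery staple",
               "p\u00e4ssw\u00f6rd-\u043f\u0430\u0440\u043e\u043b\u044c1"]:
        print(repr(pw), "->", check_password(pw))
```

Note what the routine does not do: it never rejects a password for lacking digits or symbols, and it never rejects one for containing spaces, which is exactly the behaviour the SHALL NOT rules on composition demand.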

The guidelines also underscore the importance of multi-factor authentication (MFA) as an additional layer of protection. Although not a password requirement as such, NIST strongly recommends implementing MFA wherever feasible.

The new recommendations have been welcomed by many in the security community. “NIST’s latest guidelines are in harmony with what security researchers have been advocating for years,” remarked Sarah Chen, CTO of SecurePass, a password management company. “They strike a commendable equilibrium between security and usability.”

As organizations adopt the new guidelines, users can expect to see password policies change across platforms and services. While it will take time for all systems to adjust, specialists are confident that these changes will lead to more effective password security in the long term.

NIST stresses that the guidelines are not only for federal agencies but represent good practice for any organization concerned with security.

As cyber threats continue to evolve, staying current with the latest security recommendations remains essential for protecting sensitive information and systems.

The article NIST Recommends New Rules for Password Security was originally published on Cyber Security News.