Updated NIST Password Guidelines

The National Institute of Standards and Technology (NIST) published a new public draft of their password guidelines (SP 800-63-4). This is the document that long ago created the convention of having passwords eight characters long with a mix of upper and lower case, a number, and a special character in it and to change that password every 30, 60, or 90 days.

The author of the appendix soon after came out publicly with his regrets, as it caused people to start creating weaker passwords. People either created passwords in a predictable manner (eight characters exactly with the first letter upper case and a number and special character at the end – does this ring a bell with your password?) or they had to write them down because they were too complex. The same thing happened when we had to constantly change our passwords. Again, this promoted predictability (Password1!, Password2!, Summer2024, Winter2024, etc.) or it caused us to have to write down or otherwise record the passwords again.

An updated password model

What has been shown is that longer passwords that don’t change are the right answer. Our computational ability to crack a password through brute force has grown over time and we can now crack all eight-character passwords on a typical personal laptop in less than a day. Since we know the password is probably exactly eight characters with complexity rules, that really shortens the amount of time as we only have to check the eight-character complex password combinations. This predictability drastically reduces the brute force effort so that passwords can be cracked in just a few hours.

The way to combat this is by using longer passwords, not more complex passwords. The effort required to crack a nine-character password is much higher requiring weeks or months.  Going to 10 characters takes that out to years. Longer passwords of 15-24 characters can take centuries to crack with current systems. A more effective password is actually longer and somehow memorable, not more complex.

Changes to NIST guidelines

The original NIST password guidelines have been growing steadily stronger in their language about passwords. The NIST documents use some very specific language and words within the guidelines. These are words such as should, should not, shall, and shall not. These are words to indicate requirements or suggestions for all of those entities (like Federal agencies) that are required to follow these guidelines.

What was just published is the second public draft of the proposed new guidelines (SP 800-63-4). The current NIST guidelines in place today (SP 800-63B) have three different Authentication Assurance Levels.  The lowest level does not require multi-factor authentication (MFA), but the others require it. Passwords shall be a minimum of eight characters and complexity should not be imposed. Password changes at arbitrary times should not be imposed.

The drafts of SP 800-63 have been getting steadily more prescriptive in requirements. Of note within the current SP 800-63-4 draft is that only systems that require the most basic level of confidence of identification can use single factor authentication. Nearly all systems should be secured through MFA. Passwords shall be required to be a minimum of eight characters in length and should be required to be a minimum of 15 characters in length. Passwords should be allowed up to 64 characters in length. The biggest difference we see in the new draft is the change from should to shall not in the following items.

• Password verifiers shall not impose composition rules.

• Password verifiers shall not require users to change passwords periodically. However, verifiers shall force a change of password if there is evidence of a compromise.

How to implement an updated policy

Though these are not yet requirements and this is just a public draft of new guidelines, these are great practices to start using today. With the advent of Password Managers, this becomes really easy to manage. Tools such as 1Password, LastPass, Keeper, and Okta provide easy ways to create long passwords that are filled in automatically for you. They can be set up to require you to use some level of MFA to log into or use the password manager itself and most have connectivity to dark web monitoring to notify you when a password within the vault has been compromised so you can change it. Most of these are also intelligent enough to notice when you have multiple sites using the same password and help you go through the process to use a unique password everywhere.

If you want further discussion about how you can improve the password practices at your institution, submit a note to our CISO team using the button below.