NIST Recommends New Guidelines For Password Security

Oct 11, 2024

The National Institute of Standards and Technology (NIST), in its updated Digital Identity Guidelines (the second public draft of SP 800-63B-4, released in August 2024), says that systems should not force users to change passwords on a schedule, and should instead require a change only when there is evidence the password has been compromised. NIST dropped mandatory periodic rotation because it pushes users toward predictable patterns (incrementing a number, reusing a password with a small change) and causes confusion and lockouts rather than better security.

Not every organization is required to follow NIST's password guidance, but many adopt it voluntarily, and other standards and auditors increasingly reference it. These guidelines give you a solid foundation for managing your digital identities securely.

Here are some updated password recommendations:
Password length

NIST requires a minimum password length of eight characters and recommends a minimum of 15. Systems should accept passwords of at least 64 characters and must not silently truncate longer ones, so that users can choose long passphrases.

Password complexity
NIST recommends checking every new password against a blocklist of weak, commonly used, and previously breached passwords, plus context-specific strings such as the username or the name of the service. NIST also advises against mandatory composition rules (required mixes of upper case, digits, and symbols), and instead recommends accepting any printable character, including spaces and Unicode, so users can create long passphrases.
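As an added example (not code from the original post or from NIST), here is a verifier-side acceptance check that follows the length and complexity rules above: a hard minimum of 8 characters with 15 recommended, at least 64 accepted, no composition rules, Unicode allowed, and a blocklist lookup. The blocklist is a small constructed sample, and the canonical-form matching (lower-casing, undoing common leet substitutions, stripping trailing digits and symbols) is a heuristic of mine, not something NIST prescribes; it is there so that obvious variations such as "P@ssw0rd2024!" still match a blocked password.

```python
import re
import unicodedata

# NIST SP 800-63B-4 (draft) length rules
MIN_LENGTH = 8              # SHALL require at least 8 characters
RECOMMENDED_MIN_LENGTH = 15 # SHOULD require at least 15
MAX_LENGTH = 64             # SHOULD permit at least 64 (longer is fine)

# Constructed sample blocklist in canonical form. A real deployment loads
# a large corpus of breached and commonly used passwords instead.
BLOCKLIST = {
    "password", "qwerty", "letmein", "welcome", "iloveyou",
    "sunshine", "monkey", "trustno", "baseball", "dragon",
}

# Common leet substitutions undone before the blocklist lookup (heuristic).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def canonical(password: str) -> str:
    """Canonical form for blocklist matching: NFKC-normalize, lower-case,
    drop trailing digits/symbols, then undo leet substitutions, so that
    'P@ssw0rd2024!' collapses to 'password'."""
    pw = unicodedata.normalize("NFKC", password).lower()
    pw = re.sub(r"[\d\W_]+$", "", pw)  # strip trailing digits/punctuation
    return pw.translate(LEET)


def check_password(password: str, username: str = "",
                   min_length: int = MIN_LENGTH) -> tuple:
    """Return (accepted, reason). No composition rules are enforced:
    length, the blocklist, and context-specific strings are the only checks."""
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)  # count code points, not bytes, so Unicode is not penalised

    if n < min_length:
        return False, f"too short: {n} characters, minimum is {min_length}"
    if n > MAX_LENGTH:
        return False, f"too long: {n} characters, maximum is {MAX_LENGTH}"
    if canonical(pw) in BLOCKLIST:
        return False, "matches a commonly used or breached password"
    if username and username.lower() in pw.lower():
        return False, "contains the username"

    if n < RECOMMENDED_MIN_LENGTH:
        return True, f"accepted, but below the recommended {RECOMMENDED_MIN_LENGTH} characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024!", "correct horse battery staple",
                      "short7", "пароль-для-радио-дом", "Alice-2024-radio"]:
        print(repr(candidate), check_password(candidate, username="alice"))
```

Because the check stores no password and hashes nothing, it can run inside the registration or password-change handler before the password is hashed; the blocklist lookup should be the large, regularly refreshed list, not the tiny sample above.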

Password security
Don't use knowledge-based authentication: NIST says verifiers must not use "security questions" that ask for personal information, such as the model of a user's first car, the name of a pet, a best childhood friend, or a mother's maiden name. Almost all of these answers can be found in public records or on social media, and they are often exposed in the same breaches as the passwords they are meant to back up.

Authentication
NIST recommends using two-factor or multi-factor authentication (MFA) wherever possible. NIST also classifies one-time codes sent by SMS (text message) as a "restricted" authenticator because they can be intercepted through SIM swapping and phishing, so a code from an authenticator app on your device is a better second factor, and phishing-resistant options such as hardware security keys and passkeys are better still. SMS-based MFA is still far better than a password alone.

Password resets
If a password is compromised, NIST says the password must be changed immediately and the compromised credential invalidated. When you change a compromised password, change it everywhere it was reused, and never use that password or any variation of it again. Cybercriminals know that users often revert to their old passwords, so they keep trying a leaked password, and common variations of it, for years after the breach.

To check whether a password has already appeared in a data breach, you can use a service like "Have I Been Pwned". Its Pwned Passwords check is designed so the password itself is never sent: your browser hashes the password locally and sends only the first five characters of the hash, and the site returns all matching hash suffixes for you to compare locally. Most web browsers and password managers also have built-in checks that compare your saved passwords against known breach databases in the same way.

How to check a password:
Have I Been Pwned: https://haveibeenpwned.com/
CyberNews: https://cybernews.com/password-leak-check/

Enter the password into the search box on the site. It will tell you whether that password has been found in any known data breach and how many times it was seen. Only use checkers that hash the password locally before sending anything, as Have I Been Pwned does; never type a password you actually use into an arbitrary website. If the password has been found in a breach, DO NOT USE IT, or any variation of it, for your authentication.
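As an added example (not code from the original post or from Have I Been Pwned), here is the same k-anonymity check done from a script, which is how a password manager or a signup form can consult the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}) without ever sending the password. The password is SHA-1 hashed locally, only the first five hex characters go over the network, and the returned "SUFFIX:COUNT" lines are compared on the client. The sample range response below is constructed so the example runs offline; the suffix for "password" is its real SHA-1, but the counts are made up and a live query would return different numbers.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """SHA-1 the password as Pwned Passwords does and split the hex digest
    into the 5-character prefix that is sent and the 35-character suffix
    that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' line per hash with the
    queried prefix. With the Add-Padding header the API also returns dummy
    lines with count 0, which must be treated as 'not breached'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def live_fetch_range(prefix: str) -> str:
    """Fetch a real range from the API (needs network; not used offline).
    Add-Padding hides the true number of matches from a network observer."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true",
                 "User-Agent": "nist-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=live_fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not seen).
    The full hash is compared locally against the returned suffixes."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch_range=live_fetch_range) -> bool:
    return breach_count(password, fetch_range) > 0


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts and the two other suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\r\n"
    ),
}


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for live_fetch_range; unknown prefixes return no rows."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(repr(candidate), "seen", breach_count(candidate, sample_fetch_range), "times")
```

Swapping `sample_fetch_range` for the default `live_fetch_range` performs a real query. SHA-1 is used here only because that is what the Pwned Passwords dataset is keyed on; it is not a suitable algorithm for storing passwords, which should still be hashed with a slow, salted function such as bcrypt, scrypt, or Argon2.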

1Password has an excellent blog post about the NIST password update:
https://blog.1password.com/nist-password-guidelines-update/

DarkReading:
https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules

Rob Hakala, David Snell
David Snell joins Rob Hakala and Beth Foster of the South Shore’s Morning News on 95.9 WATD fm every Tuesday at 8:11
You can listen to this broadcast here: https://actsmartit.com/nist-password-guidelines/