NIST Recommends New Guidelines For Password Security


1st October 2024, Kathmandu

The National Institute of Standards and Technology (NIST), the federal agency responsible for setting technology standards for government bodies, standards organizations, and private companies, has proposed eliminating some of the most confusing and counterproductive password policies. Among the key changes: ending mandatory password resets, ending rules that require specific character types, and discontinuing security questions.


Creating strong, secure passwords and managing them effectively is one of the most difficult aspects of cybersecurity. This task becomes even more complicated with the password rules enforced by employers, federal agencies, and online service providers. While these rules are meant to improve security, they often have the opposite effect. Despite this, such requirements are still widely imposed.

NIST published the second public draft of its updated Digital Identity Guidelines, known as SP 800-63-4. This 35,000-word document, dense with technical language and bureaucracy, outlines both the mandatory technical requirements and recommended best practices for authenticating digital identities. Any organization that deals with the federal government online must comply with these standards.

A section focusing on passwords introduces several much-needed, sensible changes to traditional policies. One notable update is the removal of the requirement for users to regularly change their passwords. This policy originated decades ago, when password security was poorly understood, and is now outdated. Back then, people often used easily guessed names and dictionary words as passwords.

Currently, services typically require more robust, randomly generated passwords or passphrases. When such strong passwords are in use, forcing users to change them every few months can weaken security. The additional burden leads users to create simpler, easier-to-remember passwords.

Another problematic rule is the requirement to use specific characters, like numbers, special characters, and both uppercase and lowercase letters. When passwords are sufficiently long and random, these character requirements add no real security benefit. Such rules can push users to choose weaker passwords.

NIST’s updated guidelines now state:

  • Verifiers and credential service providers (CSPs) must not impose specific character composition rules (like requiring a mix of character types).
  • Verifiers and CSPs must not require periodic password changes, except in cases where there is evidence of a security compromise.

(For clarity, “verifiers” confirm a user’s identity by validating their credentials, and CSPs are trusted entities that manage the registration and assignment of authenticators.)

In previous versions of the guidelines, the language suggested that organizations “should not” implement certain practices, indicating that they were discouraged but not prohibited. The new “shall not” language clarifies that these practices must be eliminated to meet compliance standards.

The updated guidelines also include several other changes:

  • Passwords must be at least eight characters long, with a recommendation of a minimum of 15 characters.
  • Systems should allow passwords up to 64 characters in length.
  • All printable ASCII characters, including spaces, should be allowed in passwords.
  • Unicode characters should also be permitted, with each character counted as one unit for password length purposes.
  • Password truncation should not be allowed, meaning the full password must be verified.
  • Systems must not offer password hints accessible to unauthorized users.
  • Knowledge-based authentication (like security questions) should no longer be used.
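The following Python is an added example, written for this article and not taken from NIST or from the draft itself. It models the contrast between a classic composition-rule policy and the length-only policy the list above describes: `draft_policy` enforces the 8-character floor, flags passwords below the recommended 15, accepts up to 64 characters, allows spaces and any printable ASCII or Unicode character (counting each code point as one unit), and rejects only control characters. The `make_record`/`verify` pair shows why truncation is prohibited: a verifier that hashes only a prefix will accept a different password that shares that prefix. The function names, the PBKDF2 work factor and the sample passwords are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 8           # mandatory floor in the draft
RECOMMENDED_MIN = 15     # recommended minimum in the draft
MAX_ACCEPTED = 64        # systems should accept at least this many characters
PBKDF2_ROUNDS = 200_000  # illustrative work factor chosen for this example, not from the draft


def legacy_policy(password: str) -> List[str]:
    """Composition-rule policy of the kind the draft says verifiers shall not impose."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    if any(c.isspace() for c in password):
        problems.append("spaces not allowed")
    return problems


def draft_policy(password: str) -> Tuple[List[str], List[str]]:
    """Length-only policy matching the draft's list; returns (errors, advisories)."""
    errors, advisories = [], []
    # len() on a Python str counts Unicode code points, so each character is one unit
    length = len(password)
    if length < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    elif length < RECOMMENDED_MIN:
        advisories.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if length > MAX_ACCEPTED:
        errors.append(f"longer than {MAX_ACCEPTED} characters")
    # Space and every other printable ASCII or Unicode character is accepted;
    # only control characters such as tab or newline are rejected.
    if not password.isprintable():
        errors.append("contains non-printable characters")
    return errors, advisories


def make_record(password: str, truncate_to: Optional[int] = None) -> dict:
    """Store a salted PBKDF2 hash of the password.

    truncate_to=None hashes the whole password (what the draft requires);
    an integer simulates a flawed verifier that silently hashes only a prefix.
    """
    material = password if truncate_to is None else password[:truncate_to]
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "truncate_to": truncate_to}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    cut = record["truncate_to"]
    material = candidate if cut is None else candidate[:cut]
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration
    passphrase = "correct horse battery staple"
    print("legacy:", legacy_policy(passphrase))       # rejected on several composition rules
    print("draft: ", draft_policy(passphrase))        # accepted, no advisories
    full = make_record(passphrase)
    truncated = make_record(passphrase, truncate_to=8)
    print("full verifier, wrong password:", verify(full, "correct tortoise"))        # False
    print("truncating verifier, wrong password:", verify(truncated, "correct tortoise"))  # True
```

The truncating verifier accepts "correct tortoise" for an account whose password is the 28-character passphrase because both share the first eight characters; hashing the full string, as the draft requires, closes that gap. Unicode handling falls out of using `str` rather than bytes for the length check: the 23-character Cyrillic passphrase below counts as 23 units even though its UTF-8 encoding is far longer.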

Reconsidering outdated practices

For years, critics have pointed out the flaws and risks of many widely used password policies, yet banks, online services, and government agencies have largely maintained them. If these new NIST guidelines are finalized, they may not be universally binding, but they could serve as a persuasive argument for abandoning outdated practices.

NIST is accepting public comments on the draft guidelines until 7th October.
