NIST's latest password guidelines, circulated in September 2024 as part of the second public draft of SP 800-63-4 (the password rules themselves sit in the SP 800-63B-4 authentication volume) [4], make significant changes to what verifiers may require of passwords.

Description

The draft drops mandatory periodic password resets and composition rules [1]. Verifiers and credential service providers (CSPs) shall not impose composition rules (for example, demanding a mix of uppercase, lowercase, digits and special characters) and shall not require users to change passwords on a schedule; a change is to be forced only when there is evidence that the password has been compromised [1] [2] [3]. Passwords must be at least 8 characters long and should be at least 15 [4], verifiers should permit a maximum length of at least 64 characters [4], and all printing ASCII characters, the space character and Unicode characters should be accepted, with each Unicode code point counted as a single character [4]. Knowledge-based authentication and security questions are not to be used as part of password selection [3] [4]. The draft does not remove every check: candidate passwords are still to be screened against a blocklist of commonly used, expected or compromised values, so length and blocklisting, rather than forced character classes, carry the security burden. Users decide how complex their own passwords are [3], and password generators and managers make the old human-memorable-complexity rules largely moot [3]. These changes are set out in the SP 800-63-4 Digital Identity Guidelines draft [3] and signal a shift in mainstream password practice [3].
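The rules above translate into a small verifier-side policy check. The following is an added example written for this page, not code from NIST or from any of the cited articles: it implements the draft's length rules (8 required, 15 recommended, cap of at least 64) counted in Unicode code points, applies no composition rules, and compares against a blocklist, next to a legacy composition policy of the kind the draft forbids. The blocklist contents are a constructed toy set, and NFKC normalization and case-insensitive blocklist matching are design choices of this example rather than requirements quoted from the draft.

```python
import re
import unicodedata

# Constructed toy blocklist for this example. A real deployment would screen
# against a large corpus of commonly used and breached passwords instead.
SAMPLE_BLOCKLIST = {"password", "p@ssw0rd1!", "qwerty123", "letmein"}

# Length limits from the second public draft of SP 800-63B-4: minimum 8
# characters (SHALL), minimum 15 recommended (SHOULD), and verifiers SHOULD
# permit at least 64. The cap is a configured value that may be raised above
# 64; it must not be set lower.
MIN_LEN_REQUIRED = 8
MIN_LEN_RECOMMENDED = 15
MAX_LEN_FLOOR = 64


def normalize(password: str) -> str:
    """NFKC-normalize so the same text typed via different input methods
    (precomposed "é" versus "e" plus a combining accent) compares equal.
    The normalization form is an assumption of this example."""
    return unicodedata.normalize("NFKC", password)


def code_point_length(password: str) -> int:
    """Length as the draft defines it: one Unicode code point is one character.
    Python's len() on str counts code points, not bytes or UTF-16 units."""
    return len(normalize(password))


def utf8_length(password: str) -> int:
    """Byte length, shown only to contrast with code-point counting."""
    return len(password.encode("utf-8"))


def draft_63b4_check(password: str, blocklist=SAMPLE_BLOCKLIST,
                     min_len=MIN_LEN_RECOMMENDED, max_len=MAX_LEN_FLOOR):
    """Accept or reject a candidate password under the draft's rules: length
    within [min_len, max_len] counted in code points, no composition rules,
    and a blocklist comparison. Returns (accepted, reason)."""
    if min_len < MIN_LEN_REQUIRED or max_len < MAX_LEN_FLOOR:
        raise ValueError("policy parameters fall below the draft's floors")
    pw = normalize(password)
    n = len(pw)
    if n < min_len:
        return False, f"too short: {n} code points < {min_len}"
    if n > max_len:
        return False, f"too long: {n} code points > {max_len}"
    # Case-insensitive matching is a design choice of this example.
    if pw.casefold() in {entry.casefold() for entry in blocklist}:
        return False, "on blocklist of commonly used or compromised passwords"
    return True, "accepted"


def legacy_check(password: str, min_len=8, max_len=16):
    """The kind of composition policy the draft now forbids: a short cap plus
    mandatory uppercase, lowercase, digit and special characters."""
    n = len(password)
    if n < min_len or n > max_len:
        return False, f"length {n} outside [{min_len}, {max_len}]"
    required = {
        "uppercase": r"[A-Z]", "lowercase": r"[a-z]",
        "digit": r"[0-9]", "special": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in required.items()
               if not re.search(pat, password)]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "accepted"


if __name__ == "__main__":
    samples = [
        "P@ssw0rd1!",                    # meets every composition rule, known bad password
        "correct horse battery staple",  # long passphrase, no symbols or digits
        "cafe\u0301 au lait pour deux",  # decomposed accent: 23 code points raw, 22 after NFKC
        "\U0001F510" * 20,               # 20 code points but 80 UTF-8 bytes
    ]
    for s in samples:
        # min_len lowered to the draft's hard floor so the blocklist check is reached
        print(f"{s!r:40} legacy={legacy_check(s)} "
              f"draft={draft_63b4_check(s, min_len=MIN_LEN_REQUIRED)}")
```

Running the sample set shows the inversion the draft intends: the legacy policy accepts "P@ssw0rd1!" and rejects the 28-character passphrase, while the draft policy does the opposite. The code-point versus byte contrast matters in practice: a cap enforced in bytes would wrongly reject a 20-emoji password, and if the backend hash is bcrypt its 72-byte input limit must be handled separately (for example by pre-hashing), since a 64-code-point Unicode password can exceed it.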

Conclusion

These updated guidelines will change how organizations approach password security. Letting users choose their own complexity, requiring length instead of character classes, and ending scheduled resets remove the incentives that produced predictable substitutions and incremental variants of old passwords, so organizations can expect a better user experience and, combined with blocklist screening, stronger passwords in practice. Organizations will still need to update their password policies, adjust the verifiers that enforce them, and explain the new rules to users for the change to land. This shift in password practice may lead to further changes in cybersecurity standards and practices in the future.

References

[1] https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/
[2] https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules
[3] https://www.techradar.com/pro/the-us-government-wants-to-cut-out-some-of-its-weirdest-password-rules
[4] https://www.infosecurity-magazine.com/news/nist-scraps-passwords-mandatory/