NIST Password Policy Review

We have covered this issue before, but it bears repeating.  The new NIST Digital Identity Guidelines are out, and they have thrown out some old password chestnuts because they did not work, or did not work as intended.

Below are the significant changes to password policy.

  • An end to password complexity rules. Under complexity rules, users tended to create shorter passwords that relied on obvious character substitution patterns. Complexity also adds nothing to protect against automated brute-force password cracking.
  • An end to password expiration. Again, the result was shorter passwords that were easier to create so users could remember them. Predictable patterns built from combinations of month, year, and symbol also make expired-and-replaced passwords more guessable. Change a password only when there is evidence it has been compromised; otherwise keep using it for as long as you like.
  • Begin using two-factor authentication. 2FA means that even if your password is compromised, an attacker would also need the second factor to compromise the account or protected asset. Begin using two-factor wherever it is offered.
  • Begin using a password manager. A password manager generates long, random passwords for you and fills in the user ID and password automatically, so you can keep several hundred sets of credentials in a secure and easy-to-use store. Secure notes let you store the answers to secret questions used for password reset as well.
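The four recommendations above, put into working code as an added example (this is not code from the post or from NIST): an old-style complexity checker beside a NIST-style checker, a search-space comparison showing why length beats complexity, a manager-style random password generator, and an RFC 6238 TOTP routine as the second factor. The blocklist is a small constructed stand-in for the large list of common and breached passwords that NIST SP 800-63B calls for (that check comes from the guideline itself, not from this post), and the TOTP key is the RFC 6238 test vector key, not a real secret.

```python
import base64
import hashlib
import hmac
import math
import re
import secrets
import string
import struct
import time

# Constructed, illustrative blocklist. A real deployment would load a large list of
# commonly used and breached passwords (SP 800-63B calls for such a check); these
# few entries exist only so the example runs offline.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome",
                    "summer", "winter", "spring", "autumn"}

# Obvious character substitutions users make to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# RFC 6238 test key: base32 of the ASCII string "12345678901234567890". Not a real secret.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def legacy_policy(pw: str) -> bool:
    """The old composition rule: at least 8 characters with upper, lower, digit and symbol."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ])


def normalize(pw: str) -> str:
    """Strip trailing digits/symbols (Summer2023!) and undo leet substitutions (P@ssw0rd)."""
    return re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET)


def nist_policy(pw: str, blocklist=COMMON_PASSWORDS):
    """SP 800-63B style check: a minimum length, no composition rules, reject known-bad values.
    There is deliberately no expiry date here: rotation happens only on evidence of compromise."""
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if pw.lower() in blocklist or normalize(pw) in blocklist:
        return False, "matches a common or compromised password"
    return True, "ok"


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Work factor for exhaustive search, in bits. Length dominates: 16 lowercase letters
    outweigh 8 characters drawn from all 95 printable ASCII symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a long, uniformly random password."""
    alphabet = string.ascii_letters + string.digits + "-_.!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (the code an authenticator app displays)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if for_time is None else for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now=None, window: int = 1, step: int = 30) -> bool:
    """Accept the current code plus `window` steps either side for clock drift; constant-time compare."""
    now = int(time.time()) if now is None else int(now)
    return any(hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2023!", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_policy(pw)}")
    print(f"8 x 95 symbols: {search_space_bits(8, 95):.1f} bits; "
          f"16 x 26 letters: {search_space_bits(16, 26):.1f} bits")
    print("manager-generated:", generate_password())
    print("TOTP at RFC 6238 test time 59:", totp(RFC6238_TEST_SECRET, for_time=59))
```

Run it and the contrast is the whole point of the post: the legacy checker happily accepts "P@ssw0rd1!" and "Summer2023!" and rejects "correct horse battery staple", while the NIST-style checker does the opposite, because it cares about length and known-bad values rather than which character classes appear.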


More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
