NIST Recommends New Password Rules

The National Institute of Standards and Technology (NIST) is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well. Still in draft form, the standards can be found in the document Special Publication 800-63-3: Digital Authentication Guidelines. Here are some of the recommended changes, so far. We approve, and in many cases have been recommending some of these for years.

  • Passwords should be user friendly. Place the authentication burden on the verifying site or network, not the user.
  • Remove complexity requirements. They don’t work nearly as well as was expected, since most people capitalize the first letter, use 1 as the required numeral, and use the exclamation point as the required symbol far too often.
  • Passwords should be longer – a minimum of 8 characters with an upper limit of 64.
  • Allow more characters. Passwords can use any ASCII or Unicode character, including spaces and emojis. (!)
  • Passwords never expire. That’s right, just as recommended by Bruce Schneier and discussed in an earlier post of ours. You get to keep your password, and it is only reset if you forget it, if you gave it away in a phishing exploit, or if there has been a known password database breach.
  • Disallow bad passwords. Check new passwords against a 100,000-entry dictionary of known bad password choices. This means no more lame passwords such as OpenSesame or ThisIsAPassword.
  • Eliminate password hints. Often the hints provide too much of a clue for attackers, like “rhymes with mass bird.”
  • No more secret questions. The answers to many secret questions can be discovered with a little sleuthing on Facebook or in public records. Name of your high school, mother’s maiden name, grandfather’s middle name – just too easy to find.
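A verifier-side check that applies the length, character-set and bad-password-dictionary rules listed above, written as an added example for this post (it is not code from NIST or from the author). The blocklist is a constructed stand-in for the 100,000-entry dictionary, and the NFKC normalization step is a detail from the published 800-63B text that the post does not mention.

```python
import unicodedata

# Constructed stand-in for the 100,000-entry known-bad password dictionary.
BLOCKLIST = {"password", "opensesame", "thisisapassword", "123456789", "qwertyuiop"}

MIN_LEN = 8   # minimum length from the post
MAX_LEN = 64  # upper limit from the post


def check_password(candidate: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password.

    No composition rules are enforced: any Unicode character, including
    spaces and emoji, is allowed.  Length is counted in code points after
    NFKC normalization, so a single-code-point emoji counts as one
    character rather than the four bytes of its UTF-8 encoding, and
    look-alike forms (e.g. fullwidth Latin letters) are compared against
    the blocklist in their canonical form.
    """
    normalized = unicodedata.normalize("NFKC", candidate)
    length = len(normalized)
    if length < MIN_LEN:
        return False, f"too short: {length} < {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} > {MAX_LEN}"
    # Dictionary match is case-insensitive so OpenSesame and opensesame both fail.
    if normalized.casefold() in blocklist:
        return False, "appears in the known-bad password list"
    return True, "ok"
```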


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
