NIST Recommends New Password Rules

The National Institute of Standards and Technology is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well. Still in draft form, the standards can be found in the document Special Publication 800-63-3: Digital Authentication Guidelines. Here are some of the recommended changes, so far. We approve, and in many cases have been recommending some of these for years.

  • Passwords should be user-friendly. Place the authentication burden on the verifying site or network, not the user.
  • Remove complexity requirements. They don’t work nearly as well as was expected, since most people simply capitalize the first letter, use the number 1 as the required numeral, and use an exclamation point as the required symbol far too frequently.
  • Passwords should be longer – a minimum of 8 characters with an upper limit of 64.
  • Allow more characters. Passwords can use any ASCII or Unicode character, including spaces and emojis. (!)
  • Passwords never expire. That’s right, just as recommended by Bruce Schneier and discussed in an earlier post of ours. You get to keep your password, and it is only reset if you forget it, if you gave it away in a phishing exploit, or if there has been a known password database breach.
  • Disallow bad passwords. Check new passwords against a 100,000-entry dictionary of known bad password choices. This means no more lame passwords such as OpenSesame or ThisIsAPassword.
  • Eliminate password hints. Often the hints provide too much of a clue for attackers, like “rhymes with mass bird.”
  • No more secret questions. The answers to many secret questions can be discovered with a little sleuthing on Facebook or in public records. Name of your high school, mother’s maiden name, grandfather’s middle name – just too easy to find.
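As an added example, not code from the original post or from NIST, here is a verifier-side acceptance check in Python that applies the length, character-set and known-bad-list rules above instead of complexity rules. The blocklist entries are a constructed sample (a real deployment would load a large breach-derived list), and the NFKC normalization step is an assumption added so that visually identical Unicode input compares equal.

```python
# Added example: password acceptance check following the draft SP 800-63-3
# rules listed above (no composition rules, 8..64 Unicode code points, any
# character allowed including spaces and emoji, reject known-bad passwords).
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed sample of known-bad choices; the draft calls for ~100,000 entries.
BAD_PASSWORDS = {
    "opensesame",
    "thisisapassword",
    "password",
    "password1!",   # passes typical "complexity" rules, still a known-bad choice
    "qwerty123",
}


def normalize(password: str) -> str:
    """Assumed normalization step: fold 'e' + combining accent and the
    precomposed 'é' to one form so both are treated as the same password."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str):
    """Return (accepted, reason). Length is counted in Unicode code points,
    nothing is truncated, and no character class is required or forbidden."""
    pw = normalize(password)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    # Compare case-insensitively so trivial capitalization variants are caught.
    if pw.casefold() in BAD_PASSWORDS:
        return False, "appears on the known-bad password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("OpenSesame", "Password1!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate))
```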


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
