NIST Password Policy Review

We have covered this issue before, but it bears repeating.  The new NIST Digital Identity Guidelines are out, and they have thrown out some old password chestnuts because they did not work, or did not work as intended.

Below are the significant changes to password policy.

  • An end to password complexity rules.  Under these rules, users tended to create shorter passwords built from obvious character-substitution patterns.  Complexity also adds nothing to protect against automated brute-force password cracking.
  • An end to password expiration.  Again, the result is shorter, easier-to-create passwords so users can remember them.  Also, predictable patterns using combinations of month, year, and symbol make passwords more guessable.  Change passwords only on evidence of a breach; otherwise use them as long as you like.
  • Begin using two-factor authentication.  2FA means that even if your password is compromised, an attacker would also need the second factor to compromise the account or protected asset.  Begin using two-factor wherever it is offered.
  • Begin using a password manager.  Password managers let users create long, random passwords with the manager's built-in generator.  The manager fills in the user ID and password automatically, making it easy to store several hundred sets of credentials in a secure and easy-to-use system.  Secure notes let you store the answers to secret questions used for password reset too.
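Added illustration (not code from this post or from NIST): a small Python checker that puts a legacy composition policy beside the SP 800-63B memorized-secret rules the list above describes, including the breached-password blocklist check the guideline adds in place of complexity rules. The blocklist, the substitution table and the 64-character cap are constructed for the example.

```python
import unicodedata

# Constructed blocklist for the example; a real deployment loads a corpus of
# breached and commonly used passwords, as SP 800-63B requires.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

# Substitutions that complexity rules push users toward ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
TRAILING = "0123456789!@#$%^&*?."


def normalize(pw: str) -> str:
    """Fold case, drop trailing digits/symbols, undo common substitutions."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    return folded.rstrip(TRAILING).translate(LEET)


def legacy_check(pw: str) -> list:
    """Old-style composition policy: 8+ chars with upper, lower, digit, symbol."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("no symbol")
    return problems


def nist_check(pw: str, username: str = "", blocklist=BLOCKLIST) -> list:
    """SP 800-63B memorized-secret rules: at least 8 characters, spaces allowed,
    no composition rules, reject blocklisted values and context-specific words
    such as the username. The 64-character cap is this example's choice."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    norm = normalize(pw)
    if norm in blocklist:
        problems.append("matches a blocklisted password after normalization")
    if username and username.casefold() in norm:
        problems.append("contains the username")
    return problems
```

Running both checks on "P@ssw0rd1!" and "correct horse battery staple" shows the reversal the post describes: the substituted password satisfies every legacy rule but is caught by the blocklist, while the long passphrase fails three legacy rules and passes the NIST check.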


More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
