NIST Recommends New Password Rules

The National Institute for Standards and Technology is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well. Still in draft form, the standards can be found in the document Special Publication 800-63-3: Digital Authentication Guidelines. Here are some of the recommended changes, so far. We approve, and in many cases have been recommending some of these for years.

  • Passwords should be user friendly.  Place the authentication burden on the verifying site or network, not the user.
  • Remove complexity requirements.  They don’t work nearly as well as was expected, since most people capitalize the first letter, use the number 1 for the numeral, and the exclamation point for the symbol way too frequently.
  • Passwords should be longer – a minimum of 8 characters with a high side limit of 64.
  • Allow more characters.  Passwords can use any ASCII or Unicode character including spaces and emojis. (!)
  • Passwords never expire.  That’s right, just as recommended by Bruce Schneier and discussed in an earlier post of ours.  You get to keep your password, and it is only reset if you forget it, if you gave it away in a phishing exploit, or if there has been a known password database breach.
  • Disallow bad passwords.  Check new passwords against a 100,000 entry dictionary of known bad password choices.  This means no more lame passwords such as OpenSesame or ThisIsAPassword.
  • Eliminate password hints.  Often the hints provide too much of a clue for attackers.  Like “rhymes with mass bird.”
  • No more secret questions.  The answers to many secret questions can be discovered with a little sleuthing on Facebook or in public records.  Name of your high school, mother’s maiden name, grandfather’s middle name – just too easy to find.
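
The length, character-set and dictionary rules from the list above, written as a password-acceptance check. This is an added example, not code from NIST or from the original post; the function names, the four-entry sample list (a constructed stand-in for the 100,000-entry dictionary) and the NFKC/casefold normalization before comparison are assumptions.

```python
import unicodedata

MIN_LEN = 8   # minimum from the list above
MAX_LEN = 64  # "high side limit" from the list above

# Constructed sample; stands in for the 100,000-entry dictionary.
SAMPLE_BAD_PASSWORDS = ["OpenSesame", "ThisIsAPassword", "Password1!", "Qwerty123!"]


def canonical(password):
    """Assumption: compare in NFKC + casefold so look-alike spellings
    (fullwidth letters, different capitalization) hit the same entry."""
    return unicodedata.normalize("NFKC", password).casefold()


def load_blocklist(entries):
    """Build the lookup set once; skip blank lines from the source list."""
    return {canonical(e) for e in entries if e.strip()}


BLOCKLIST = load_blocklist(SAMPLE_BAD_PASSWORDS)


def check_new_password(password, blocklist=BLOCKLIST):
    """Return a list of rejection reasons; an empty list means accepted.

    Deliberately absent: composition rules (upper/digit/symbol) and any
    restriction on spaces, emoji or other Unicode characters.
    """
    reasons = []
    # Count code points after normalization, not encoded bytes, so one
    # emoji or accented letter counts as one character.
    length = len(unicodedata.normalize("NFKC", password))
    if length < MIN_LEN:
        reasons.append("too_short")
    if length > MAX_LEN:
        reasons.append("too_long")
    if canonical(password) in blocklist:
        reasons.append("known_bad")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple",
                      "\U0001F511\U0001F511 my caf\u00e9 keys", "short"]:
        print(repr(candidate), check_new_password(candidate) or "accepted")
```

"Password1!" would pass a typical complexity rule yet is rejected here by the dictionary check, while a long lowercase passphrase with spaces is accepted.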


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
