Surprising Password Guidelines from NIST You Should Know

Think you’re up to speed on everything there is to know about managing passwords these days? What about staying compliant with password guidelines that are set by regulatory and non-regulatory bodies alike? It isn't easy, that's for sure. The National Institute of Standards and Technology (NIST) has established password guidelines that advise how users should approach password security and complexity. NIST password guidelines have been used by many government institutions and federal agencies, businesses, and universities for more than a decade.

The NIST password guidelines, which are a part of the organization’s Special Publication (SP) 800-63-3, Digital Identity Guidelines, have changed significantly after its update and restructure from its previous incarnation, SP 800-63-2. Part of this can be attributed to recognizing the “human factor” in password guidance and part is based on understanding that people often carry multiple devices and frequently find it difficult to remember complex passwords.

Why Change/REDUCE the Password Protection Requirements?

When required to create complex passwords, users tend to do the minimum, which actually results in weaker passwords that are more easily hackable. The more recent changes to the NIST password guidelines are mostly in response to the increased security footprint most organizations are starting to employ — ie: having more cybersecurity protection methods in place, such as two factor authentication/dual factor authentication (2FA/DFA) — which NIST believes reduces the need around the security/complexity of passwords. Simply put - when passwords are no longer considered the sole form of account protection, they then don't need to be as complicated.

According to the Verizon 2018 Data Breach Investigations Report: “Passwords regardless of length or complexity are not sufficient on their own. No matter who administers your technology environment (whether in-house or outsourced) they should be required to use two-factor authentication.”

Although notable changes were made concerning what is and is not allowed, or what should or should not be allowed, here are five of the most significant changes to the NIST password guidelines that rolled out with the SP 800-63-3 update:

5 OF THE RECENT Changes to THE NIST Password Guidelines You Should Know

1. Focus on Making Passwords Easy to Remember and Hard to Guess

While this may seem counterintuitive to everything that has been promoted for more than a decade, the NIST password guidelines moved toward recommending long passphrases in lieu of complex passwords. These new password security guidelines are more focused on creating unique passphrases that users will remember easily, using whatever characters they want, instead of using convoluted and complex passwords that make no sense to the user.

2. The Use of Special Characters Is No Longer a Requirement

Although the use of any special characters is recommended, the NIST password guidelines no longer require their use when it comes to memorized secrets. Concerning the use of characters in general, the password guidelines in SP 800-63B stipulate:

“All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.”

3. Character Allowances Increase and a Minimum Number Required

The NIST password guidelines update that was rolled out requires users to create passwords that consist of a minimum of eight characters. However, it also allows the password form fields to include the use of up to 64 characters in all. This change was made to help support the use of passphrases.

4. No Longer Requiring Password Time Periods or Expirations

The new password guidelines no longer require users to create new passwords after a certain period. Instead, it specifies that new passwords are mandated only in the event of a password breach. According to the same section of the password guidelines quoted in the second section of this article: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

5. Copy and Paste Functionality in Password Fields Are Enabled

The fifth change in the most recent NIST password guidelines is the enablement of being able to use a “paste” feature in the password field. In the same section as the password guideline change mentioned above, the document states that by enabling users to “paste” their passwords when entering a memorized security, it will help to promote the use of password managers, which tend to provide stronger passwords.

Bottom Line

Although these changes may seem counterintuitive to everything we’ve learned and have been told for years, it’s important to understand that these guidelines are based on an organization having an increased overall security footprint including the implementation of dual-factor authentication, SIEM monitoring, and password management systems.

Learn more about how following cybersecurity best practices and password protection methods can benefit your organization’s bottom line. Download our complimentary guide below.

So, what have you done to improve the password security of your employees within your organization in light of the NIST password guideline updates? Share your thoughts in the comments section below or send me an email to continue this conversation with me directly.



Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.