The National Institute of Standards and Technology (NIST) has updated its password security recommendations, focusing on usability and enhanced security. These guidelines, found in NIST Special Publication 800-63B, represent a shift from previous practices. Here are the key highlights of the new recommendations:

1. Eliminate Periodic Password Changes
Old Approach: Many organizations enforced mandatory password changes every 60–90 days.
New Recommendation: NIST suggests no longer requiring periodic password changes, as they often result in weaker passwords (like adding simple suffixes or reusing similar patterns). Passwords should only be changed if there is evidence of compromise.

2. Avoid Composition Requirements
Old Approach: Users were often required to include a mix of uppercase, lowercase letters, numbers, and special characters.
New Recommendation: NIST discourages complex password composition rules, as they lead to predictable patterns and poor usability. Instead, users should be allowed to create longer, easy-to-remember passwords, like passphrases.

3. Encourage Longer Passwords
New Recommendation: Passwords should be at least 8 characters long but should allow and encourage users to create passwords up to 64 characters. The idea is that longer passwords or passphrases are more secure, especially if they are easy to remember and not restricted by unnecessary complexity rules.

4. Screen Passwords Against Common Password Lists
NIST recommends checking new passwords against lists of commonly used, compromised, or easily guessable passwords (e.g., “password123” or “qwerty”). This helps prevent weak passwords from being used.

5. Enable Multi-Factor Authentication (MFA)
While not a password-specific recommendation, NIST emphasizes the importance of multi-factor authentication (MFA). Using MFA adds an extra layer of security beyond just a password, such as a security token or biometric verification.

6. Limit Password Hints and Knowledge-Based Authentication
Security questions (like “What’s your mother’s maiden name?”) are discouraged due to their predictability and vulnerability. NIST advises against password hints and instead encourages more secure recovery methods.

7. Use Secure Password Storage
Passwords should be stored securely, using techniques like hashing with salt (a random value added to the password before hashing). This ensures that if the password database is compromised, the passwords are still difficult to reverse-engineer.
Cyber HQ’s Post
-
NIST Simplifies Password Guidelines: What You Need to Know

The National Institute of Standards and Technology (NIST) has recently updated its password guidelines, marking a significant shift in how we approach password security. The latest draft of NIST’s guidelines (SP 800-63-4) eliminates the need for complex password requirements and frequent password changes, which were previously considered essential for strong security.

Key Changes in the Guidelines

Password Complexity: NIST no longer recommends using a mix of uppercase and lowercase letters, numbers, and special characters. This change comes after recognizing that complex passwords often lead to predictable patterns and poor password practices, such as writing them down or reusing them across multiple accounts.

Password Length: The focus has shifted to password length. NIST now suggests that passwords should be at least 15 characters long, as longer passwords are harder to crack and easier for users to remember.

Password Resets: Mandatory periodic password changes are no longer recommended. Instead, password resets should only occur in the event of a credential breach. Frequent changes often result in weaker passwords, as users tend to choose simpler, more predictable options.

Knowledge-Based Authentication: NIST advises against using security questions for password recovery, as these can be easily guessed or found through social engineering.

These updates aim to simplify password management while enhancing security. By focusing on password length rather than complexity, and reducing the frequency of mandatory changes, NIST hopes to encourage better password practices and reduce the risk of breaches. For organizations and users alike, these new guidelines offer a more practical approach to securing digital identities. https://lnkd.in/gMtQqyaQ
-
Why NIST is Changing the Rules for Passwords

The National Institute of Standards and Technology (NIST) has decided to drop two long-standing recommendations for passwords: Complexity Requirements and Mandatory Password Resets.

What’s Changing?

1. No More Forced Complexity: Users are no longer required to create complex passwords with mixed characters, numbers, and symbols. Instead, NIST now recommends supporting longer passwords between 15 and 64 characters, which can include any character type. This approach promotes passphrases that are easier to remember but harder to crack.

2. Goodbye to Routine Password Resets: Changing passwords every 60-90 days is no longer recommended, as frequent changes often lead to predictable and weak passwords. NIST now advises resetting passwords only if there is evidence of a breach.

Why Does This Matter?

For years, security teams believed these rules improved security. However, research shows they can actually lead to unsafe behaviors, like writing down passwords or using predictable patterns. These changes support a balanced approach to security that prioritizes both safety and usability, making account protection smarter. https://lnkd.in/gzMk2UQ2
-
The National Institute of Standards and Technology (NIST) has released new guidelines for password security, marking a significant shift from traditional password practices. Objective: enhance cybersecurity while improving user experience.

Biggest changes:

1. Password complexity: NIST no longer recommends enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength.
2. A minimum password length of 8 characters, with a strong preference for even longer passwords.
3. Elimination of mandatory periodic password changes. Passwords should only be changed when there’s evidence of compromise.
4. Emphasis on checking passwords against lists of commonly used or compromised passwords.
5. Don't use password hints or knowledge-based authentication questions, as these can often be easily guessed or discovered through social engineering.
6. For storing passwords, NIST recommends using salted hashing with a work factor that makes offline attacks computationally expensive. This approach helps protect stored passwords even if a database is compromised.

To read the full list, click on the link and see how you or your local IT person can improve the security of your IT passwords. Thanks to Hitan Mehta for sharing this useful guide.
NIST Recommends New Rules for Password Security
https://cybersecuritynews.com
-
Password rotation, complexity requirements or security questions - all bad practices?

The latest NIST draft version of its password guidelines (https://lnkd.in/gnhhrh3Q) is moving away from some widely used practices in many organizations:

➡ Password resets are not to be forced upon users and must only be performed if the account has been breached. In other words, the widespread practice of password rotation is considered a no-no.
➡ Perhaps a bigger novelty is ditching password complexity rules, i.e. requiring special character combinations when creating a password is no longer conforming to the NIST standard.
➡ Additionally, the guideline forbids password hints accessible to an unauthenticated party, as well as security questions when choosing passwords (e.g., "What was the name of your first pet?").

These recommendations reflect what has long been a settled debate: periodic password resets tend to result in weaker passwords over time and hinder productivity. Additionally, password complexity requirements often lead users to create predictable, easily guessed passwords, write them down in easily accessible places, or reuse them across accounts.

These outdated practices are still common in many organizations, especially where Active Directory is used (many group policy defaults now essentially become NIST non-compliant). However, newer identity systems tend to align with NIST's guidance. For example, Microsoft's Secure Score solution (https://lnkd.in/gyBt6M3Q), which rates an organization's security controls for Microsoft365, actually gives a higher score and security posture to organizations that have disabled password rotation.

In this latest draft revision, NIST instead emphasizes password length as a key factor for security. While the minimum required length is set at only 8 characters, which some may consider insufficient, NIST recommends using at least 15 characters for improved security.
-
At last, much-needed sanity in password management! NIST is addressing outdated and ineffective password rules, providing clear guidance that will enhance security without adding unnecessary burdens. These new guidelines are a welcome step toward a more practical approach to digital identity.

Highlights of the proposed rule changes:

1. Password Resets: NIST proposes eliminating the requirement for users to periodically change their passwords unless there is evidence of compromise. This outdated practice often leads to weaker, easily remembered passwords, undermining security.
2. Character Restrictions: The new guidelines bar the imposition of certain character rules (e.g., requiring numbers, special characters, etc.), emphasizing that when passwords are sufficiently long and random, these restrictions are unnecessary and counterproductive.
3. Security Questions: NIST recommends against using security questions or knowledge-based authentication (e.g., “What was the name of your first pet?”), as they are easily guessable and compromise security.
4. Password Length: The guidelines encourage a minimum of 8 characters and recommend allowing up to 64 characters, accepting ASCII, Unicode, and spaces in passwords to improve flexibility and strength.

These updated practices reflect a major step forward in simplifying and strengthening password hygiene.
NIST proposes barring some of the most nonsensical password rules
arstechnica.com
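Several posts on this page describe the same verifier-side rules: no composition requirements, 8 to 64 characters with spaces and Unicode accepted, screening against a list of breached or common passwords, and salted hashing with a work factor. The Python below is an added example, not code from NIST or from any of the posts, showing one way to implement all of those rules together. The blocklist is a small constructed stand-in for a real breached-password corpus, and the PBKDF2 iteration count is an assumption (the figure in OWASP's current password-storage cheat sheet), not a value SP 800-63B fixes.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a real breached/common-password corpus. Assumption:
# entries are stored lowercased and NFKC-normalized, the same form that
# check_password() uses for its lookup.
BLOCKLIST = {
    "password", "password123", "p@ssw0rd", "qwerty", "123456", "letmein",
    "welcome1", "iloveyou", "admin", "changeme",
}

MIN_LEN = 8    # SP 800-63B minimum for a user-chosen memorized secret
MAX_LEN = 64   # verifiers must accept at least this many characters

# Work factor is an assumption, not a number SP 800-63B fixes; 600_000
# PBKDF2-HMAC-SHA256 iterations is the figure in OWASP's current cheat sheet.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16  # 128-bit random salt per password (800-63B asks for >= 32 bits)


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string hashes identically however
    the client composed it (800-63B: verifiers SHOULD normalize first)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means accepted.

    No composition rules on purpose: spaces, punctuation and non-ASCII are
    all allowed. Length is counted in code points after normalization, so a
    multi-byte character counts once. `context` holds identifiers such as
    the username that must not appear inside the password (an assumption
    about what a deployment would pass in).
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Reject control characters only; a plain space is category Zs and passes.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        problems.append("contains control characters")
    if pw.casefold() in BLOCKLIST:
        problems.append("appears in the breached/common-password blocklist")
    for item in context:
        if item and item.casefold() in pw.casefold():
            problems.append(f"contains the account identifier {item!r}")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record is self-describing so the
    iteration count can be raised later without invalidating old hashes."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so a timing side channel cannot leak the stored hash."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Two design points worth noting. Normalizing before both the policy check and the hash is what makes a passphrase typed on a phone (decomposed accents) and on a desktop (precomposed) verify as the same secret; without it, length checks and verification silently disagree across clients. PBKDF2 is used here only because it ships in the standard library; a deployment that can take a dependency would prefer a memory-hard function such as Argon2id, keeping the same self-describing record format so the parameters can be upgraded later.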
-
Cybersecurity Terminologies of the Day: Single Sign-On (SSO), Two-factor authentication (2FA), and multi-factor authentication (MFA).

Single Sign-On (SSO) is a method that allows users to access multiple applications or systems with just one set of login credentials. Instead of remembering separate usernames and passwords for each application, users can authenticate once and gain access to all authorized resources seamlessly. An example would be having a master key that unlocks multiple doors in your house.

Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to verify their identity before granting access to a system or application. These factors typically include something the user knows (e.g., a password) and something the user has (e.g., a mobile phone or token) or something you are (e.g., fingerprint). Think of 2FA as accessing a bank account where you first enter your PIN (something you know) and then receive a text message with a code to enter (something you have) before you can access your account.

Multi-factor authentication (MFA) is a security process that requires users to provide two or more authentication factors to verify their identity before granting access to a system or application. Just like 2FA, these factors typically include something the user knows (e.g., password), something the user has (e.g., mobile phone), or something the user is (e.g., fingerprint). An example would be accessing a high-security vault that requires a key card, a PIN code, and a fingerprint scan to open. MFA combines multiple layers of security to ensure that only authorized users can access sensitive information.
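The "something you have" factor in the 2FA example above is, in practice, most often an authenticator app producing time-based one-time codes (TOTP, RFC 6238, built on HOTP, RFC 4226) rather than an SMS message. The Python below is an added example, not code from the post, showing both sides: code generation and the server-side check, including the two details verifiers most often get wrong, tolerance for clock skew and protection against replaying a captured code. The secret and timestamps used in the usage lines are the published RFC test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6
SKEW = 1         # accept one window either side for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS,
         step: int = TIME_STEP, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server side of the 'something you have' factor for one user.

    Remembers the last accepted time window so a code that was captured
    (shoulder-surfed, phished, logged) cannot be replayed inside the skew
    window, and compares codes in constant time.
    """

    def __init__(self, secret: bytes, digits: int = DIGITS,
                 step: int = TIME_STEP, skew: int = SKEW, algo=hashlib.sha1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.skew = skew
        self.algo = algo
        self.last_window = -1   # highest window already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for window in range(current - self.skew, current + self.skew + 1):
            if window <= self.last_window:
                continue  # replay, or older than a window already accepted
            expected = hotp(self.secret, window, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_window = window
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8 digits.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))           # RFC vector: 94287082
    verifier = TotpVerifier(secret, digits=8)
    print(verifier.verify("94287082", now=59))  # True: first use
    print(verifier.verify("94287082", now=59))  # False: replay rejected
```

The replay rule is strictly monotonic on the window index: once a window is consumed, it and every earlier window are dead, which closes the hole where a code from the previous 30-second window is still inside the skew allowance. The secret should live only in the verifier's credential store and the user's device; a TOTP code is still phishable in real time, which is why the post further down this page points to FIDO passkeys for phishing-resistant MFA.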
-
Cybersecurity Awareness Month

WARNING: Click bait coming… PASSWORD EXPIRATION A THING OF THE PAST!?!?

It's Cybersecurity Awareness Month, and today's tip is all about passwords! Did you know that NIST, Microsoft and many others advise against requiring periodic password change? These recommendations are based on extensive research in the last decade regarding authentication and password management practices that better align with usability. The research shows that requiring frequent password changes makes it more likely users will create weak passwords as well as increasing user frustration and decreasing usability.

Every organization, system and data class you are trying to protect can be different but here is a brief list to consider when implementing or updating password management standards for your organization and personal use:

Never reuse passwords – Every account/site/app should have its own UNIQUE password. Avoid slight modifications like increasing a number by one (yes we’re talking to you)
Password length – 8 characters should be the absolute minimum but the longer the better. Recommendations are for systems to allow up to 64 characters. NIST actually recommends requiring length over complexity but your organization could have good reason to take a different approach.
Utilize a password manager – Paired with a random password generator, it’s a game-changer for security AND ease of use. Examples: Edge Wallet (has enterprise sync), Apple Passwords (now has secure sharing), LastPass, 1Password, etc.
Passphrase – If not using a password manager or generator, utilize passphrases to satisfy requirements but make easy to remember. Examples: “My dog Spot eats frogs!” or “OurRedbudturnedinOctober.”
Avoid personal information – Don’t use any personal information as part of your password.
2FA or MFA – Use 2FA or MFA wherever possible.
Expiration – Do not enforce periodic password reset/change without good reason. Instead, allow users to change password at any time if they suspect it may have been compromised. Monitor accounts for suspicious activity and force password change as necessary.
NIST Special Publication 800-63B
pages.nist.gov
-
Passwords be gone. NIST has finally created a commonsense password policy, including dropping the bad policy of changing passwords regularly, which leads to weaker password security. But what we should all be doing is eliminating passwords altogether. At Authenticate 2024 it was reported that there are now an estimated 15 billion passkey-enabled accounts that no longer require the use of passwords. If you are not actively planning to eliminate passwords, then you should at least have phishing-resistant MFA in place. Passwords are so weak and create too many vulnerabilities. FIDO passkeys are the path to better identity security.
🔐 The Future of Passwords – or the End of Them? 🔐

As Dan Goodin shares in this Ars Technica article, https://lnkd.in/eyVdJV3G NIST’s latest proposal highlights a much-needed shift in password management. Gone are the days of arbitrary rules like periodic password changes. Instead, the focus is moving toward addressing real threats—requiring password changes only when there's evidence of compromise.

🚨 That's where SecureAuth comes in. Even for existing password journeys, the integration of SecureAuth LOA & risk intelligence can significantly enhance security. 🔒 By dynamically assessing the risk of each login attempt, even traditional password systems can be fine-tuned to respond to real-time threats, offering an extra layer of protection without disrupting the user experience.

🛡️ But what if we could go passwordless? 🔑 SecureAuth's adaptive authentication is driven by a dynamic Level-of-Assurance (LOA) score, which adjusts security requirements in real-time based on user behavior and over 20 device/browser characteristics. This allows users to bypass passwords when their behavior is consistent but ramps up security when something seems off.

The key takeaway? Security should evolve based on context, not fixed rules. With the right conditions, passwordless authentication becomes not just a possibility, but a reality. ✅ But forcing change without reason, as NIST points out, is counterproductive.

Are you ready to embrace the future of authentication? Let’s talk about how SecureAuth’s LOA can make your login experience smarter and safer. 💡 https://lnkd.in/gmtvDMcX #Passwordless #IAM #Cybersecurity #AdaptiveAuthentication #NIST
NIST proposes barring some of the most nonsensical password rules
arstechnica.com
-
The Password Paradox: Why Stronger Isn't Always Safer

Recently, I observed a seasoned IT professional lock himself out of his account trying to remember a complex password he'd created following "best practices." It struck me: We've been making passwords harder for humans and easier for machines.

The Great Password Misconception

Remember when we were told to use complicated passwords like "P@ssw0rd123!"? Turns out, we've been doing it wrong. Hackers' automated tools can crack these "complex" passwords in minutes, while legitimate users struggle to remember them.

The New Password Reality: Aligned with Current Standards

NIST 800-63B Key Guidelines:
· Minimum 15 characters recommended
· No mandatory special characters
· No periodic password changes without reason
· Screen against compromised passwords

Think of passwords like doors - a long, simple wooden door can be more effective than a short steel one. A memorable phrase like "ILoveDrinkingCoffeeAtSunrise" is significantly stronger than "P@$$w0rd123!"

Smart Security Implementation

For Individuals: 🏠 Use a tiered approach:
- Critical accounts: 20+ character passphrases + MFA
- Regular accounts: 15+ character passphrases
- Low-risk accounts: Standard passwords with MFA

For Organizations: 🏢 Focus on these essentials:
1. Implement enterprise password managers
2. Enable multi-factor authentication
3. Monitor for compromised credentials
4. Train users on modern password practices

Best Practice Quick Reference

Security Essentials:
- Use password managers
- Enable MFA wherever possible
- Check for compromised passwords regularly
- Use unique passwords for each account

Trusted Resources:
- NIST Guidelines: https://lnkd.in/dCKzAgQc
- Have I Been Pwned: https://haveibeenpwned.com (💡 Pro Tip: Never enter current passwords on any third-party sites, even for checking)
- OWASP Password Security: https://lnkd.in/dr23SuFg

Looking Forward

The future points toward passwordless authentication (FIDO2), using biometrics and hardware keys. Until then, remember: The best password is one you don't have to remember - use a password manager!
pages.nist.gov
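The pro tip in the post above (never paste a live password into a third-party site) is exactly the problem Have I Been Pwned's range API was designed around: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally against the bucket it gets back, so the service never learns the password or its full hash. The Python below is an added example, not the author's or HIBP's code, of that k-anonymity lookup. The range response is constructed inline so the block runs offline; the one real value in it is the SHA-1 of the string "password", and all counts and other suffixes are made up. A deployment would replace fake_fetch_range with an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix> and pass the response body through unchanged.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the Pwned Passwords "range" endpoint. The real
# service returns one "<remaining 35 hex chars of SHA-1>:<breach count>" per
# line for the 5-character prefix requested. The middle suffix below is the
# genuine SHA-1 tail of "password"; the other two suffixes and every count
# are invented for this example.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "AC1D6BE5E86EDDE7F8F8DB2DB2189BEF5A9:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTPS GET; an unknown prefix yields an
    empty body, which is also what the real service returns for a prefix
    with no breached entries."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """k-anonymity lookup: only the 5-character SHA-1 prefix leaves the
    client; the full hash is matched locally against the returned bucket.
    Returns the breach count (0 when the password is not in the set).
    SHA-1 is used because that is how the HIBP corpus is keyed, not as a
    password-storage hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_breached(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy hook: True means the password must be rejected as compromised."""
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "seen in breaches:", pwned_count(candidate))
```

The property that matters is visible in the test: a spy in place of the fetch function records exactly one request carrying the string "5BAA6" and nothing else, which is the whole of what a third party learns. Pair this with a local blocklist for the most common passwords so the check still works when the remote service is unreachable, and treat a non-zero count as a hard reject rather than a warning, since the user has no way to make a leaked string safe by tweaking it.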