Cyber HQ’s Post

The National Institute of Standards and Technology (NIST) has updated its password security recommendations, focusing on usability and enhanced security. These guidelines, found in NIST Special Publication 800-63B, represent a shift from previous practices. Here are the key highlights of the new recommendations:

1. Eliminate Periodic Password Changes
Old Approach: Many organizations enforced mandatory password changes every 60–90 days.
New Recommendation: NIST suggests no longer requiring periodic password changes, because they often result in weaker passwords (such as adding simple suffixes or reusing similar patterns). Passwords should only be changed if there is evidence of compromise.

2. Avoid Composition Requirements
Old Approach: Users were often required to include a mix of uppercase letters, lowercase letters, numbers, and special characters.
New Recommendation: NIST discourages complex password composition rules, because they lead to predictable patterns and poor usability. Instead, users should be allowed to create longer, easy-to-remember passwords, such as passphrases.

3. Encourage Longer Passwords
New Recommendation: Passwords should be at least 8 characters long, and systems should allow, and encourage, passwords of up to 64 characters. The idea is that longer passwords or passphrases are more secure, especially when they are easy to remember and not restricted by unnecessary complexity rules.

4. Screen Passwords Against Common Password Lists
NIST recommends checking new passwords against lists of commonly used, compromised, or easily guessable passwords (e.g., “password123” or “qwerty”). This prevents weak passwords from being chosen in the first place.

5. Enable Multi-Factor Authentication (MFA)
While not a password-specific recommendation, NIST emphasizes the importance of multi-factor authentication (MFA). MFA adds a layer of security beyond the password alone, such as a security token or biometric verification.

6. Limit Password Hints and Knowledge-Based Authentication
Security questions (such as “What’s your mother’s maiden name?”) are discouraged because their answers are often predictable and easily discovered. NIST advises against password hints and instead encourages more secure recovery methods.

7. Use Secure Password Storage
Passwords should be stored securely, using techniques such as hashing with a salt (a random value added to the password before hashing). This ensures that if the password database is compromised, the stored passwords are still difficult to reverse.
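As an added example (not from the post or from NIST), the following Python puts points 2, 3, 4 and 7 into one acceptance check plus salted storage: length 8 to 64, deliberately no composition rules, screening against a blocklist, and a per-password random salt with a slow hash. The blocklist and the PBKDF2 iteration count are assumptions for illustration; a real deployment loads a large breach-derived list.

```python
"""Password acceptance and salted storage following the NIST SP 800-63B
points above: length 8..64, no composition rules, blocklist screening,
salted slow hashing. The blocklist below is a constructed sample."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN, MAX_LEN = 8, 64

# Constructed sample of a "commonly used / compromised" list (assumption);
# a real deployment loads a large breach-derived list instead.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "12345678", "letmein1"}


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason). No uppercase/digit/symbol rules on
    purpose: 800-63B discourages composition requirements."""
    # Normalise so visually identical Unicode forms compare equal.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Screen case-insensitively so "Password123" does not slip past a
    # list that holds "password123".
    if pw.lower() in COMMON_PASSWORDS:
        return False, "appears on the common/compromised password list"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)  # fresh random salt for each password
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    # Iteration count is an assumption; tune it to the deployment's hardware.
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```

A passphrase such as "correct horse battery staple" passes the check even though it contains no digits or symbols, while "Password123" is rejected by the blocklist.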
