NIST Changes Approach to Passwords

The latest changes to the NIST Special Publication 800-63B represent a significant shift in how we think about passwords and digital identity management. In previous iterations, the focus was heavily on password complexity and frequent resets. Now, NIST has modernised its guidelines to better address both user experience and security, while accounting for the risks posed by poor password hygiene. Here’s a breakdown of the most impactful changes:

Eliminating Periodic Password Changes

The most notable change is the removal of mandatory periodic password resets. Previously, many organisations enforced a 60 or 90-day reset policy, but this often led users to choose weak, predictable passwords or reuse passwords across systems. NIST now recommends password changes only when there is evidence of compromise, such as a data breach or suspicious account activity. This helps prevent user frustration and reduces the chances of insecure password practices.

Encouraging Longer, Easier-to-Remember Passwords

NIST now suggests that passwords should be longer and more memorable, rather than requiring a mix of uppercase letters, numbers, and special characters. The guidance encourages using passphrases — combinations of words that are easy for the user to recall but difficult for attackers to guess. Think along the lines of “CoffeeShopOnMonday2024”. These longer passwords, ideally 16 characters or more, provide robust protection against brute-force attacks.

No More Arbitrary Complexity Rules

In the past, users were often forced to include uppercase letters, numbers, and symbols in every password. While this might seem like a good idea, it often led to predictable patterns like “Password1!” or “Admin2020!”. NIST now advises against enforcing arbitrary complexity requirements, recognising that they don't necessarily enhance security. Instead, the focus is on length and uniqueness.

Password Screening Against Common & Compromised Passwords

One of the most critical updates is the use of password blacklists. NIST recommends that organisations screen new passwords against lists of commonly used or compromised passwords. This includes passwords known to have been part of data breaches (e.g., “123456” or “password”), ensuring that users aren’t setting weak passwords that attackers might easily guess.
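To make the three preceding points concrete (length over composition rules, no arbitrary complexity requirements, and screening against a breach list), here is an added example, written for this page and not code from NIST or from CyberPulse, that puts a legacy complexity checker beside a NIST-style acceptance check. The blocklist, the minimum and recommended lengths, and the NFKC normalisation step are all assumptions of the example; a production system would load a large breach corpus rather than the handful of entries constructed here.

```python
import unicodedata
from typing import Optional

# Constructed sample of a common/breached-password blocklist (lower-case,
# trimmed). A real deployment loads millions of entries from disk.
BLOCKLIST = {
    "123456", "password", "password1", "password1!", "qwerty",
    "letmein", "admin2020", "admin2020!", "welcome1", "iloveyou",
}

MIN_LENGTH = 8          # hard floor for a user-chosen secret (assumption)
RECOMMENDED_LENGTH = 16  # the article's "ideally 16 characters or more"


def normalize(password: str) -> str:
    """Canonicalise the string before any check.

    NFKC folding is a design choice of this example: it makes a full-width
    'ｐ' and ASCII 'p' compare equal, so length and blocklist checks are not
    fooled by visually identical variants."""
    return unicodedata.normalize("NFKC", password)


def legacy_complexity_check(password: str) -> Optional[str]:
    """The old rule the article argues against: 8+ characters containing
    upper, lower, digit and symbol. Returns None if accepted, else a reason.
    Note that it happily accepts 'Password1!' and rejects a long passphrase."""
    if len(password) < 8:
        return "too short"
    if not any(c.isupper() for c in password):
        return "needs an uppercase letter"
    if not any(c.islower() for c in password):
        return "needs a lowercase letter"
    if not any(c.isdigit() for c in password):
        return "needs a digit"
    if not any(not c.isalnum() for c in password):
        return "needs a symbol"
    return None


def nist_style_check(password: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Length plus blocklist screening, with no composition rules.

    Returns None when the password is acceptable, otherwise a reason string
    that can be shown to the user."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return f"must be at least {MIN_LENGTH} characters"
    # Compare trimmed and case-folded so trivial variants of a breached
    # password (' Password ', 'PASSWORD1!') are still caught.
    if pw.strip().casefold() in blocklist:
        return "this password appears in a list of commonly used or breached passwords"
    return None


def meets_recommended_length(password: str) -> bool:
    """Advisory check for the article's 16-character recommendation; used to
    nudge users towards passphrases without rejecting shorter secrets."""
    return len(normalize(password)) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple",
                      "CoffeeShopOnMonday2024", "short"]:
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)!r} "
              f"nist={nist_style_check(candidate)!r} "
              f"16+={meets_recommended_length(candidate)}")
```

The contrast is the point: the legacy rule accepts the predictable "Password1!" and rejects a 28-character passphrase for lacking an uppercase letter, while the NIST-style check rejects the former because it sits on the blocklist and accepts the latter on length alone. Keeping the blocklist comparison case-insensitive and trimmed is a small detail that closes the obvious workaround of capitalising one letter of a breached password.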

No More Knowledge-Based Authentication (KBA)

Traditional knowledge-based questions like “What’s your mother’s maiden name?” are being phased out. These questions are often insecure because the answers can be easily found on social media or through other means. NIST advises organisations to avoid using KBA for account recovery or identity verification.

Implementing Multi-Factor Authentication (MFA)

Although not a direct change in password management, NIST emphasises the use of Multi-Factor Authentication (MFA) to further secure accounts. This involves requiring a second form of verification (such as a text message, authenticator app, or hardware token) in addition to a password. MFA provides an additional layer of security that passwords alone can’t offer.

Rate-Limiting and Lockout Protections

To mitigate brute-force attacks, NIST suggests rate-limiting and lockout features after a certain number of failed login attempts. This prevents attackers from trying endless password combinations. Coupled with longer passwords and screening for common passwords, these mechanisms significantly reduce the risk of account compromise.
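The rate-limiting and lockout behaviour described above, as an added example that is not part of the original article: a per-account failure tracker that tolerates a handful of mistakes inside a sliding window, then applies an exponential, self-expiring delay rather than a permanent lock (which would hand an attacker a cheap way to lock out legitimate users). The window size, thresholds, the PBKDF2 parameters and the in-memory storage are assumptions of the example; a real service would share this state across instances and typically also throttle by source address.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, Tuple

WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten
MAX_FAILURES = 5          # free failures per window before throttling starts
BASE_DELAY = 2.0          # first throttling delay in seconds, doubles per failure
MAX_DELAY = 15 * 60       # cap so the delay never becomes a permanent lockout


@dataclass
class LoginThrottle:
    """Sliding-window failure counter with exponential backoff, keyed by
    account so that guesses spread across many source addresses still count
    against the same target."""
    failures: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def _prune(self, account: str, now: float) -> None:
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, account: str, now: float = None) -> float:
        """Seconds the caller must still wait before a new attempt (0.0 if none)."""
        now = time.time() if now is None else now
        return max(0.0, self.blocked_until.get(account, 0.0) - now)

    def record_failure(self, account: str, now: float = None) -> float:
        """Register a failed attempt; returns the delay imposed (0.0 if under threshold)."""
        now = time.time() if now is None else now
        self._prune(account, now)
        q = self.failures[account]
        q.append(now)
        excess = len(q) - MAX_FAILURES
        if excess < 0:
            return 0.0
        delay = min(BASE_DELAY * (2 ** excess), MAX_DELAY)
        self.blocked_until[account] = now + delay
        return delay

    def record_success(self, account: str) -> None:
        """A successful login clears the account's failure history."""
        self.failures.pop(account, None)
        self.blocked_until.pop(account, None)


# Password storage for the example: salted PBKDF2-HMAC-SHA256 (assumed parameters).
def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def attempt_login(throttle: LoginThrottle, account: str, supplied: str,
                  stored: Tuple[bytes, bytes], now: float = None) -> Tuple[str, float]:
    """Returns ('throttled', wait) | ('denied', delay_imposed) | ('ok', 0.0)."""
    now = time.time() if now is None else now
    wait = throttle.check(account, now)
    if wait > 0:
        return "throttled", wait  # refuse before touching the password hash
    salt, expected = stored
    _, actual = hash_password(supplied, salt)
    if hmac.compare_digest(actual, expected):  # constant-time comparison
        throttle.record_success(account)
        return "ok", 0.0
    return "denied", throttle.record_failure(account, now)


if __name__ == "__main__":
    # Constructed demo: six wrong guesses against one account, then the right one.
    creds = hash_password("CoffeeShopOnMonday2024")
    t = LoginThrottle()
    for i in range(6):
        print(attempt_login(t, "alice", f"guess{i}", creds, now=1000.0 + i))
    print(attempt_login(t, "alice", "CoffeeShopOnMonday2024", creds, now=1000.0 + 6))
```

Two details matter for detection and abuse-resistance: the throttle answers before the (deliberately slow) hash is computed, so a throttled attacker cannot burn CPU, and a successful login clears the counter, so a user who simply mistypes a few times is not penalised for the rest of the window.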


The Pros and Cons of NIST’s Updated Password Guidelines

Pros:

  • Improved Security: Screening for compromised passwords and promoting longer passphrases substantially enhances account security. It makes it harder for attackers to guess or brute-force their way into systems.
  • Better User Experience: Eliminating frequent password resets and unnecessary complexity requirements reduces user frustration. Longer passphrases are easier to remember than complex but short passwords.
  • Adaptable to Modern Threats: By moving away from outdated methods like KBA and integrating practices such as MFA, these guidelines reflect the current threat landscape, especially in dealing with password reuse and breach lists.

Cons:

  • Implementation Challenges: Organisations will need to invest in updating their password policies and systems to comply with these new recommendations. This includes setting up password blacklist systems and adjusting password rules in legacy applications.
  • Cultural Shift: End-users and IT departments alike may struggle to adopt this new approach after years of being told to use complex passwords and change them regularly. Security awareness training will be essential to ease the transition.
  • Potential Complacency: Longer, memorable passwords are a great improvement, but they should not lead to a false sense of security. Paired with MFA, they provide robust protection, but reliance on passwords alone is never enough.


How Can CyberPulse Help?

At CyberPulse, we are committed to helping organisations navigate the evolving cybersecurity landscape. Our Governance, Risk & Compliance (GRC) and cyber advisory services can assist you in reviewing and updating your password policies to align with NIST’s new guidelines. Whether you need help with screening passwords, deploying MFA, or conducting a security maturity assessment, we have the expertise to support your organisation every step of the way.

What do you think of NIST’s updated recommendations? Will your organisation be adopting these changes, or are you facing challenges in doing so? Let’s start a conversation in the comments!
