NIST’s New Password Guidelines

The National Institute of Standards and Technology (NIST), the federal agency responsible for setting technology standards, has proposed significant changes to password policies. These changes include ending mandatory password resets, restricting the use of certain characters, and discontinuing security questions.

Creating strong, secure passwords and managing them effectively is one of the most challenging aspects of cybersecurity. This task becomes even more complicated with the password rules enforced by employers, federal agencies, and online service providers. 

NIST has published the second public draft of its updated Digital Identity Guidelines, known as SP 800-63-4. This comprehensive document outlines both the mandatory technical requirements and recommended best practices for authenticating digital identities. Any organization that deals with the federal government online must comply with these standards.

Key Changes in Password Policies

The following changes aim to simplify password management while enhancing security:

1. Elimination of Mandatory Password Resets: Users are no longer required to change their passwords periodically unless there is evidence of a security compromise.
2. Character Composition Rules: Verifiers and credential service providers (CSPs) must not impose specific character composition rules, such as requiring a mix of character types.
3. Password Length: Passwords must be at least eight characters long, with a recommendation of a minimum of 15 characters.
4. Password Length Flexibility: Systems should allow passwords up to 64 characters in length.
5. Character Inclusion: All printable ASCII characters, including spaces, should be allowed in passwords. Unicode characters are also permitted, with each character counted as one unit for password length purposes.
6. Password Truncation: Password truncation is not allowed; the full password must be verified.
7. Password Hints: Systems must not offer password hints accessible to unauthorized users.
8. Knowledge-Based Authentication: The use of knowledge-based authentication methods, such as security questions, is discouraged.

These updates aim to simplify password management while enhancing security, making it easier for users to maintain strong, secure passwords without unnecessary complexity.

Want to Learn How Sourcepass Can Help You with Compliance?

With expert guidance and deep technical expertise, Sourcepass can help ensure data security and mitigate legal and financial risks, helping clients avoid penalties and protect sensitive information. 

Contact Sourcepass today to learn more about how our comprehensive cybersecurity services can help safeguard your business.