NIST Password Recommendations

One of the best ways to protect online accounts is by following the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST). Although designed for federal agencies, the Guidelines have been the basis of personal and corporate online security for many years. However, in the most recent revision, some NIST password recommendations changed.

The original NIST password requirements date back to 2004, when NIST published the “Electronic Authentication Guidelines” (SP 800-63). At the time, NIST´s recommendations were to create passwords with a minimum of 8 characters, use upper and lower case letters, numbers, and special characters, exclude the use of dictionary words, and change passwords periodically.

Three revisions to the Guidelines have subsequently been published – the latest released in June 2017 and updated in March 2020. During the latest revision, the Guidelines were retitled as the “Digital Identity Guidelines” and divided into four volumes – the volume relating to NIST password recommendations being SP 800-63B “Authentication and Lifecycle Management”.

NIST Now Recommends the Use of Passphrases

In this volume, NIST acknowledges the burden on users for having to remember multiple unique and complex passwords and recommends the use of passphrases – character strings consisting of three random and unconnected words (i.e., “rockfish-freckled-robotics”). According to NIST, there should be no need to include numbers and special characters in the passphrase because the length of the passphrase will make it sufficiently complex to resist brute force attacks.

Explaining the rationale behind the change of NIST password recommendations, the FAQ accompanying SP 800-63B commented that the previous recommendations encouraged users to use predictable methods for minimally satisfying forced password requirements (i.e., replacing the letter S with $). NIST also commented that forcing users to create complex passwords encouraged users to use the same password for multiple accounts, so they only had to remember one complex password.

NIST also Reverses Recommendation for Periodic Password Changes

In addition to recommending passphrases in preference to passwords, NIST also reversed its recommendation for periodic password changes. The reason for this reversal is also explained in the FAQ, which states: “Users tend to choose weaker passwords when they know that they will have to change them in the near future. When those changes do occur, they often select a password similar to the old password by applying a common transformation” (i.e., Pa$$word2020 to Pa$$word2021).

NIST claims that the practice of changing a password to a similar one provides users with a false sense of security. If, NIST comments, a previous password has been compromised by a hacker, the hacker could apply a common transformation to easily compromise the new password. According to the latest NIST password recommendations, passwords and passphrases should now only be changed in the following circumstances:

  • When it is found that weak or reused passwords are being used. These should be replaced with strong, unique passwords or passphrases.
  • When there is evidence to suggest a password or passphrase has been compromised – for example, if it appears on a data breach list.
  • When employees who have access to a shared password or passphrase leave or work on remote systems which do not log shared credential usage.

Issues with the Revised NIST Password Recommendations

While the revised NIST password recommendations are well-intended inasmuch as they attempt to reduce the burden on users to remember multiple unique and complex passwords, a typical individual uses around fifty personal accounts requiring login credentials. In a business environment, they could have access to a further fifty corporate accounts requiring login credentials.

Remembering passphrases for up to one hundred accounts (and remembering which passphrase applies to which account) is impossible for most humans, and therefore it is recommended individuals and business use a password manager to prevent the temptation of reusing passphrases or creating similar passphrases that could be guessed by a basic password cracking algorithm.

Author: Maria Perez