NIST Revises Guidance on Passwords

The National Institute of Standards and Technology (NIST) has issued new guidance on passwords. It has long been standard practice to "strengthen" passwords by requiring a mix of capital letters, lower case letters, numbers and special characters. Such composition rules do make exhaustive brute-force guessing harder in principle, but they also make passwords particularly difficult to remember.

In practice, forcing users to add upper case letters, numbers and special characters to their passwords usually means the first letter of an existing password is capitalized, letters are swapped for look-alike digits, and an exclamation mark or asterisk is tacked onto the end. Instead of 'password', the user picks Password! or P4ssw0rd!. Neither would take a password-cracking tool long to recover, because cracking tools apply exactly these substitutions as mangling rules, yet both satisfy the complexity checks set by IT departments. The aim is to make passwords harder to guess; the result is mostly frustrated end users.

NIST points out that when composition rules are imposed "the impact on usability and memorability is severe," while "Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought."

NIST also points out that many attacks involving passwords work equally well against weak and strong passwords. If a keylogger captures the password as it is typed, or the user enters it into a phishing page, its complexity is irrelevant: the attacker obtains it in full.

The NIST guidance still treats length as important against brute-force attacks, so short passwords should not be allowed: user-chosen passwords must be at least 8 characters. At the other end, verifiers must accept passwords of at least 64 characters, so the still-common practice of capping passwords at 8 to 11 characters should be abandoned.

NIST recommends that, within reason, end users should be able to set long passwords. IT departments should also accept spaces, and more generally all printing ASCII characters and Unicode. Spaces add little on their own, but they let users type a passphrase, which is easier to remember and harder to guess than a mangled single word.

For online guessing, rate limiting is effective: the verifier allows only a limited number of failed attempts on an account before further attempts on that account are refused or delayed for a set period. NIST caps this at no more than 100 consecutive failed attempts per account. With guessing throttled in this way, the complexity of the password matters far less.
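The throttling described above, as an added example (this is not code from NIST or from the original article). The cap of 100 consecutive failures is the ceiling SP 800-63B sets for verifiers; the lockout length, the account name, the credential and the guessing scenario are this example's own constructed assumptions.

```python
"""Per-account throttling of online password guessing (added example)."""
import hmac
from dataclasses import dataclass
from typing import Callable

MAX_CONSECUTIVE_FAILURES = 100   # SP 800-63B: no more than 100 failed attempts per account
LOCKOUT_SECONDS = 15 * 60        # assumed lockout window, not a NIST figure


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class Throttle:
    """Counts consecutive failed attempts per account (not per source IP, so a
    guesser spread across many addresses is capped just the same) and locks the
    account once the cap is reached."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 lockout: float = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._accounts: dict[str, AccountState] = {}

    def is_locked(self, account: str, now: float) -> bool:
        state = self._accounts.get(account)
        return state is not None and now < state.locked_until

    def record(self, account: str, success: bool, now: float) -> None:
        state = self._accounts.setdefault(account, AccountState())
        if success:
            state.failures = 0
            return
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lockout
            state.failures = 0


def attempt_login(throttle: Throttle, account: str, password: str,
                  verify: Callable[[str, str], bool], now: float) -> str:
    """The lock check runs before the password check, so a locked account leaks
    nothing about whether the submitted guess was correct."""
    if throttle.is_locked(account, now):
        return "locked"
    ok = verify(account, password)
    throttle.record(account, ok, now)
    return "ok" if ok else "failed"


def simulate_guessing(max_failures: int = 5, lockout: float = 60.0) -> dict:
    """Constructed scenario: an attacker burns the failure budget with wrong guesses,
    then the legitimate user tries the right password during and after the lockout."""
    throttle = Throttle(max_failures=max_failures, lockout=lockout)
    secret = "correct horse battery staple"   # constructed credential

    def verify(account: str, pw: str) -> bool:  # stand-in for a real hashed-password check
        return account == "alice" and hmac.compare_digest(pw.encode(), secret.encode())

    guesses = [attempt_login(throttle, "alice", f"guess{i}", verify, now=float(i))
               for i in range(max_failures)]
    during = attempt_login(throttle, "alice", secret, verify, now=float(max_failures))
    after = attempt_login(throttle, "alice", secret, verify,
                          now=float(max_failures) + lockout)
    return {"guesses": guesses, "during_lockout": during, "after_lockout": after}


if __name__ == "__main__":
    print(simulate_guessing())
```

Because the counter is keyed on the account, the same mechanism also lets a hostile party lock a legitimate user out by deliberately failing. SP 800-63B lists ways to soften that, such as a CAPTCHA, delays that grow as the account approaches its limit, or accepting attempts only from known addresses, rather than a hard lockout alone.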

NIST explains that end users' password choices are highly predictable, so a chosen password should be compared against a blacklist of values likely to appear on attackers' guessing lists. The blacklist should include dictionary words, passwords exposed in past data breaches, and context-specific words such as the name of the service the password protects and the user name. Because the verifier only needs to reject exact matches, the list can be pruned once a minimum length is set: any entry shorter than the minimum can never equal a compliant password and may be dropped.
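A blacklist check built along those lines, as an added example (not code from NIST or the article). The word lists are constructed for the example; a real deployment would load breach corpora and dictionaries from files, and the service name "examplecorp" is hypothetical. It goes slightly beyond the text by also folding the predictable substitutions described earlier (capitalization, look-alike digits, a trailing "!" or year) before the lookup, and by checking context-specific words by containment, which is why those are not length-pruned.

```python
"""Blacklist screening of a candidate password (added example)."""
import re
import unicodedata

MIN_LENGTH = 8   # SP 800-63B: user-chosen passwords must be at least 8 characters
# SP 800-63B also requires verifiers to accept at least 64 characters, so no tight
# upper bound is imposed here.

# Constructed sample lists for the example.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou", "p4ssw0rd"]
BREACHED_PASSWORDS = ["password!", "p4ssw0rd!", "summer2016", "monkey"]
SERVICE_WORDS = ["examplecorp", "example", "payroll"]   # hypothetical service name

# Look-alike substitutions users make to satisfy composition rules.
LEET = str.maketrans("40315$@", "aoeissa")


def normalize(password: str) -> str:
    """NFKC-normalize and casefold so 'Password!' and 'password!' compare equal."""
    return unicodedata.normalize("NFKC", password).casefold()


def fold_substitutions(password: str) -> str:
    """Undo the predictable tweaks: drop a trailing run of digits or punctuation
    ('!', '2016'), then map digits and symbols back to the letters they stand for."""
    stripped = re.sub(r"[\W\d_]+$", "", normalize(password))
    return stripped.translate(LEET)


def build_blocklist(*word_lists, min_length: int = MIN_LENGTH) -> frozenset:
    """Merge exact-match lists (dictionary words, breached passwords). Entries
    shorter than the minimum length can never equal a compliant password, so
    they are dropped to keep the list small."""
    normalized = (normalize(w) for words in word_lists for w in words)
    return frozenset(w for w in normalized if len(w) >= min_length)


def check_password(candidate: str, username: str, blocklist: frozenset,
                   service_words, min_length: int = MIN_LENGTH):
    """Return (accepted, reason). Context-specific words are matched by
    containment, so short ones are kept rather than length-pruned."""
    pw = normalize(candidate)
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if pw in blocklist:
        return False, "common or breached password"
    if fold_substitutions(candidate) in blocklist:
        return False, "predictable variant of a blocked password"
    for word in [username, *service_words]:
        w = normalize(word)
        if len(w) >= 4 and w in pw:   # ignore very short words to limit false positives
            return False, f"contains context-specific word '{w}'"
    return True, "ok"


if __name__ == "__main__":
    bl = build_blocklist(COMMON_PASSWORDS, BREACHED_PASSWORDS)
    for pw in ["letmein", "Password!", "P@ssw0rd2016", "ExampleCorp2024!",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, 'alice', bl, SERVICE_WORDS)}")
```

Note that the pruning only works because the first two checks are exact-match lookups. Anything matched by containment or by a pattern (the user name, the service name, a folded variant) has to stay on its own list regardless of length.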

NIST concludes that "other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed."

The new password guidance is detailed in NIST Special Publication (SP) 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, in Section 5.1.1 (Memorized Secrets) and Appendix A (Strength of Memorized Secrets).

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of