Passwords have always been a hot topic of discussion both in and out of security circles. Users have always hated being forced to come up with schemes to meet the complexity rules or change their passwords at defined intervals. The multitude of password requirements of the past have frustrated users and have led to bad behaviors that, time after time, resulted in compromised passwords and data breaches.
The National Institute for Standards and Technology (NIST) is taking human behaviors into consideration and changing the direction for password security as outlined in the draft of NIST 800-63-4. These draft standards are significant as they contradict the decades-old password requirements that drove everyone crazy, and they relieve users of much of the pain when dealing with passwords.
What Are NIST Guidelines?
NIST is a governmental organization under the Department of Commerce. NIST is essentially a scientific organization that focuses on measurement science, the development of scientific and other standards, and technology development. As part of their responsibilities, NIST creates guidelines and standards supporting the measurement and technology fields such as health and bioscience, advanced manufacturing, advanced communications, forensic science, and cybersecurity.
Under the Federal Information Security Management Act of 2014, NIST was charged with developing information security and privacy standards and guidelines. Their standards and technology publications in the cybersecurity realm are extensive. They include topics such as encryption, zero trust architectures, cyber risk management, application container security, identification and authentication, and more.
What is the Industry Standard for Password Policy?
There is no one organization that defines password policy for commercial organizations. NIST develops the standards for the federal government, and its password guidelines are mandatory for federal agencies. NIST password guidelines are also extensively used by commercial organizations as password policy best practices.
The current NIST password guidelines are defined in the NIST 800-63 series of documents. Revision three is still the official version; however, an update has been in the works since December 2022. The latest revision, NIST SP 800-63-4 (2nd Public Draft), is still in draft form, and its public comment period closed on October 7, 2024. The fourth revision was first released to the public in draft form in December 2022 to solicit feedback. NIST commented on the high quality of the almost 4,000 comments received and used them to improve the standards. It is important to note that this organization uses public feedback to improve its guidelines.
What are the NIST Password Policy Guidelines?
NIST did not recommend undoing everything we’ve known regarding passwords and leave it at that – that approach would be negligent. Some of the changes introduced in SP 800-63B are based on studies and research which indicated that the password requirements of the past encouraged the creation of bad passwords. See below for a summary of the NIST password guidelines:
- Password length: The absolute minimum password length (for user-selected passwords) is 8 characters, but NIST recommends a best practice to require passwords to be a minimum of 15 characters in length. NIST suggests, but does not require, permitting a maximum password length of at least 64 characters.
- Password complexity (e.g. requiring at least one upper- and lowercase, numeric, and special character): The new guidelines require that password complexity not be imposed.
- Character sets: The recommendation is that all printing ASCII and Unicode characters be allowed.
- Password “hints”/authentication questions (e.g. what was your first car?): Password hints/authentication questions are not permitted under this guidance.
- Check for “known bad” passwords: New and changed passwords are required to be checked against a list (blocklist) of common or previously compromised passwords (e.g. from dictionaries, previous breaches, keyboard patterns, and contextual words [e.g. the user’s username]).
- Throttling: Throttling to limit failed authentication attempts is required for compliance.
- Password expiration: Organizations shall not require users to change their password at defined intervals (e.g. 45, 60, or 90 days). However, there is a requirement to force a password change in the case of a known compromise.
- Using SMS for MFA: NIST “discourages” the use of SMS as an out-of-band authenticator and suggests stronger MFA alternatives like time-based one-time passwords generated by mobile apps, hardware tokens, or biometric verification.
- Help in choosing a password: Offering guidance on choosing a strong password is required, especially in the case a password was rejected because it was on the blocklist of weak passwords.
- Password managers: Compliance requires permitting the use of password managers and suggests the paste functionality be allowed to facilitate/encourage the use of password managers.
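As an added illustration (not code from the article or from NIST), here is a password-acceptance check in Python that applies the items above: an 8-character floor with a 15-character recommendation, at least 64 characters permitted, Unicode allowed and counted by code point after NFKC normalization (my choice of normalization form), a blocklist plus contextual-word check, guidance on every rejection, and deliberately no complexity rule. The blocklist entries and the default service name are constructed samples.

```python
import re
import unicodedata

# Constructed sample blocklist. A real verifier loads a continually updated,
# breach-derived list; these entries only stand in for one.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "12345678",
             "iloveyou", "welcome1"}
MIN_LEN = 8           # absolute floor for user-chosen passwords
RECOMMENDED_LEN = 15  # floor NIST recommends as best practice
MAX_LEN = 64          # verifier must permit at least this many characters
GUIDANCE = ("Choose a long passphrase you can remember; spaces and punctuation "
            "are fine, and no particular mix of character types is required.")


def normalize(secret: str) -> str:
    """Unicode NFKC normalization before any length check or hashing, so the
    same passphrase typed on different platforms compares equal."""
    return unicodedata.normalize("NFKC", secret)


def contextual_words(*fields: str) -> set[str]:
    """Words to block from account context (username, service name): each
    full value and its alphanumeric fragments, when four or more characters."""
    words = set()
    for field in fields:
        low = field.lower()
        parts = [low] + re.split(r"[^a-z0-9]+", low)
        words.update(p for p in parts if len(p) >= 4)
    return words


def check_password(secret: str, username: str, service: str = "example-app"):
    """Return (accepted, message). Every rejection carries guidance, since help
    choosing a password is required, especially after a blocklist hit.
    Deliberately absent: any composition (complexity) rule."""
    pw = normalize(secret)
    n = len(pw)  # counts Unicode code points, not bytes
    if n < MIN_LEN:
        return False, f"Too short ({n} < {MIN_LEN}). {GUIDANCE}"
    if n > MAX_LEN:
        return False, f"Too long ({n} > {MAX_LEN})."
    low = pw.lower()
    if low in BLOCKLIST:
        return False, f"That password is on the blocklist. {GUIDANCE}"
    for word in contextual_words(username, service):
        if word in low:
            return False, f"Must not contain '{word}'. {GUIDANCE}"
    if n < RECOMMENDED_LEN:
        return True, f"Accepted, but {RECOMMENDED_LEN}+ characters is recommended."
    return True, "Accepted."
```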
Should My Organization Implement the NIST Password Guidelines?
The short answer is – it depends. It depends on which changes are made, how they are implemented within your organization, and the other compensating controls in place in your organization. Below are a few things to consider regarding each of the NIST password recommendations:
- Password length: How long should a password be? Allowing a 64-character (or greater) password is a great move on NIST’s part. It was surprising, though, that the minimum password length requirement remains only 8 characters. To me, an 8-character minimum password length is insufficient. As we all know, users will do the minimum, so 8-character passwords will become the norm. Also, in today’s computing environment, brute-forcing an 8-character password is trivial. Removing password complexity makes it simpler to come up with a longer password, so why not require a 15-character minimum instead of merely suggesting it? NIST argues that in conjunction with checking for known bad passwords and throttling (the fifth and sixth items above), there is no need to increase the minimum length. It may also be that, with the push toward MFA, an 8-character, non-complex password is considered sufficient. Why, though, encourage one of the two factors in an MFA solution to be weak?
- Password complexity (e.g. requiring at least one upper- and lowercase, numeric, and special character): Banning complexity requirements should go hand in hand with increasing the required password length, so again, it is an interesting choice not to require a 15-character minimum. Forcing complexity can lead to user frustration resulting in weak password selection. Users who struggle with complex password requirements often forget their passwords, leading to frequent resets, leading back to frustration and weak password selection. Research has shown that password strength is more effectively increased by length rather than complexity. But, if length is not increased, having special characters and numbers in a password can increase entropy, and increased entropy makes a password less susceptible to password cracking techniques.
- Character sets: Increasing the allowed character set is good, but it may take some time before it is supported in some technologies.
- Password “hints” (e.g. what was your first car?): Password hints/authentication questions have been used on multiple occasions to gain unauthorized access to user accounts, so getting rid of them is a good move.
- Check for “known bad” passwords: As mentioned previously, this is one of the password requirements that provides “cover” for the minimum password length of eight characters. The concern here is the implementation. Organizations must be able to check for known bad passwords against repositories (blocklists) that are continually being updated.
- Throttling: This is another one of the password requirements that provides “cover” for the minimum length policy. In general, throttling is a good idea, but it may not be a quick, easy fix. My concern is that implementing it across the multitude of technologies requiring authentication could require significant time and resources, and an organization might adopt or keep the low length requirement well before throttling is in place.
- Password expiration: This is a big win for users, as remembering new passwords every 90 days for multiple applications is a nightmare. This frustration leads to users creating easy-to-guess passwords, which is why expiration is no longer recommended. Again, removing expiration is best paired with a longer length requirement, to ensure users create more secure passwords.
- Using SMS for MFA: Using MFA with SMS is better than relying on your password alone for authentication. However, SMS runs on an old infrastructure built without a thought toward security, which has led to the exploitation of this type of MFA. So, it is a step in the right direction not to use SMS as an MFA solution. In addition, organizational users must use MFA for all access. If MFA is not used on all access points, there is still a risk of compromise due to the very common bad practice of password reuse. Time-bound out-of-band authenticators that don’t require transmission to the user, as SMS does, are a better option and are easily implemented.
- Help in choosing a password: Offering guidance as early as possible in the password selection process is a no-brainer to help users choose a stronger password.
- Password managers: Providing a password manager application and/or encouraging the use of one can definitely strengthen the overall password strength of the organization. Password managers reduce reliance on memory, encourage better password practices, and protect users against common attacks like phishing and password reuse.
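As an added example (not the article’s own code), a minimal per-account throttle of the kind the Throttling item calls for, written in Python; the failure cap and lockout length are values I chose for illustration, and the clock is injectable only so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

# Chosen example thresholds. The throttle is keyed on the account, not the
# client address, so the count holds no matter where the attempts come from.
MAX_CONSECUTIVE_FAILURES = 10
LOCKOUT_SECONDS = 15 * 60


class AccountThrottle:
    """Counts consecutive failed authentications per account and refuses
    further attempts for LOCKOUT_SECONDS once the cap is reached."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                # injectable so tests can advance time
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> lockout deadline

    def allow(self, account: str) -> bool:
        """Call before verifying the credential. False means refuse outright and
        tell the user the account is temporarily locked, not that the password
        was wrong."""
        deadline = self._locked_until.get(account)
        if deadline is None:
            return True
        if self._clock() < deadline:
            return False
        # Lockout expired: clear state so the counter restarts from zero.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return True

    def record(self, account: str, success: bool) -> None:
        """Call after verification. Success resets the counter; a failure that
        reaches the cap starts a lockout."""
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= MAX_CONSECUTIVE_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS

    def failures(self, account: str) -> int:
        """Current consecutive-failure count for an account (0 if none)."""
        return self._failures.get(account, 0)
```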
What is a High Strength Password?
My concern about NIST’s password recommendations is primarily the combination of not increasing the minimum password length while dropping complexity. Regarding passwords, it is the overwhelming tendency for people to just go with what seems the easiest — the minimum 8-character password with no complexity. Yes, complexity has led to substitutions that haven’t added much to security. However, the use of complexity significantly increases the entropy in authenticators and, in my opinion, should still be used. Below you can see how a combination of length and complexity impacts the effectiveness of a brute force attack.
I recommend using a passphrase in which special characters (e.g. spaces and punctuation) are “normal.” Think of a passphrase over 15 characters (recommend longer for administrators) that is an easy sentence to remember. And without the expiration requirement, you won’t have to change it and remember a new one. Then use the normal punctuation to add complexity. Consider the following examples:
- Yes, I can bake a cake!
- C0l0r@d0 Rules!
- I like cats, dogs, & fish.
The above examples use complexity (capitalization, special characters, numbers, misspelled words not in a dictionary) in ways that are easy to remember and type. Passphrases such as the above are easy to remember, over 15 characters, and include complexity in a way that is natural. Since you aren’t changing your password every 90 days, you’ll get quite adept at typing it in. Then with the addition of non-SMS-based MFA, you’ll add significantly more strength to your authentication process.
Key Takeaways on the Updated NIST Password Guidelines
Until passwordless authentication options are prevalent, passwords will still be the weak link in the authentication process. Improving passwords and authentication techniques is, as it has always been, a timely topic of discussion against the backdrop of the NIST password standards outlined in SP 800-63B. The NIST password standards represent significant departures from the federal password requirements of the past decades. To maintain a level of security with the NIST password policy guidelines, the recommendations should not be treated as a buffet where you only pick the things you like (e.g. a minimum password of 8 characters and no complexity). Other elements such as checking for known bad passwords and throttling need to be implemented concurrently, especially with a minimum password policy of only 8 characters.
Overall, organizations should measure how the NIST password guidelines in SP 800-63B fit with their risk appetite and how they may be able to ease at least some of the burden for their users while still providing an acceptable level of protection. MFA should also be enabled for all authentication interfaces based on an organizational risk decision.
Linford & Company has extensive experience with NIST and associated NIST compliance. If you are interested in learning more about NIST requirements and compliance, please contact us.
This article was originally published on 3/20/2020 and was updated on 10/30/2024.
Britney Oswald specializes in SOC reporting and has eight years of experience performing IT and controls audits as both an internal and external auditor. In addition, she has experience as a Financial Controller implementing systems and processes within growing businesses. Her favorite part of the job is helping clients implement controls that are right-sized for their organization.