NIST Drops Password Complexity, Mandatory Reset Rules

Published: 23/11/2024   Category: security




The latest draft version of NIST's password guidelines simplifies password management best practices and eliminates those that did not promote stronger security.



The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.
NIST's second public draft of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSPs) to stop requiring users to set passwords that use specific types of characters and to stop mandating periodic password changes (commonly every 60 or 90 days). CSPs are also instructed to stop using knowledge-based authentication or security questions when selecting passwords.
Other recommendations include:
CSPs shall require passwords to be a minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.
CSPs should allow passwords of a maximum of at least 64 characters.
CSPs should allow ASCII and Unicode characters to be included in passwords.
When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords comprising a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords are not always strong (e.g., Password123! or q1@We3$Rt5). Complexity rules also meant users were making their passwords predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.
NIST is also now recommending password resets only in the case of a credential breach. Making people change passwords frequently has resulted in people choosing weaker passwords. When passwords are sufficiently long and random, and there's no evidence of a breach, making users change them could potentially lead to weaker security.
The difference with this draft is the shift in language. Previous versions used the words "should not" while this draft says "shall not," which means the rule has moved from a suggestion to an actual requirement:
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
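The rules above, expressed as a small verifier-side check. This is an added example, not code from NIST or the article: it enforces the length requirements, applies no composition rule, accepts Unicode, and bases forced resets on evidence of compromise rather than password age. The legacy composition check is included only to contrast the two approaches; the thresholds are the ones quoted in the article.

```python
import unicodedata

# Length thresholds from the SP 800-63-4 draft as summarized in the article.
MIN_LENGTH_REQUIRED = 8      # SHALL: reject anything shorter
MIN_LENGTH_RECOMMENDED = 15  # SHOULD: warn below this
# The draft also says to accept at least 64 characters; this verifier sets no upper bound.


def password_length(password: str) -> int:
    """Count code points after NFC normalization so composed and decomposed
    forms of the same Unicode text are measured (and later hashed) identically."""
    return len(unicodedata.normalize("NFC", password))


def legacy_complexity_ok(password: str) -> bool:
    """The 2017-style composition rule the draft drops: at least one uppercase
    letter, one lowercase letter, one digit and one non-alphanumeric character."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def check_password(password: str) -> dict:
    """Evaluate a candidate under the draft rules: length only, no composition
    rule, ASCII and Unicode both allowed. Returns whether the verifier accepts
    the value plus any SHOULD-level warnings for the user interface."""
    n = password_length(password)
    errors, warnings = [], []
    if n < MIN_LENGTH_REQUIRED:
        errors.append(f"{n} characters is below the required minimum of {MIN_LENGTH_REQUIRED}")
    elif n < MIN_LENGTH_RECOMMENDED:
        warnings.append(f"{n} characters is below the recommended minimum of {MIN_LENGTH_RECOMMENDED}")
    return {"accepted": not errors, "errors": errors, "warnings": warnings}


def should_force_reset(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """Periodic rotation is no longer a reason to reset (SHALL NOT); evidence of
    compromise is (SHALL). Password age is taken only to show that it is ignored."""
    return evidence_of_compromise
```

Running it on the article's own examples, "Password123!" satisfies the legacy rule yet only draws a length warning under the draft, while a long passphrase with no digits or symbols fails the legacy rule and passes the draft cleanly.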
Public comment on this draft (via email [email protected]) is open until 11:59 pm Eastern Time on Oct. 7.
