NIST Password Guidelines: Evolving for Better Security
Digital security is of the utmost importance today, and the National Institute of Standards and Technology (NIST) has a vital part to play in this field. It helps shape the “best practices” we all need to follow in the digital world. When it comes to cybersecurity, not adhering to NIST recommendations is like ignoring your doctor’s advice about your health.
What are the Recent Updates to NIST Password Guidelines?
Recently, NIST updated its policy recommendations for password management. Why? Well, NIST says cybersecurity threats are evolving. More importantly, though, NIST thinks we—the users—are now behaving in ways that make us much less secure than we could and should be.
Elimination of Special Characters Requirement
One notable development in the recently revised NIST password guidelines is the elimination of the requirement to use special characters. The new recommendation is to use common words and to create “passphrases” of 12 to 16 characters. We’ve known for some time that most users don’t really understand the science behind password strength.
Because of that, they often resort to risky workarounds (like writing passwords down) or build insecure habits into their daily practices (like using the same password for multiple accounts). Some research has shown that the average human brain can barely hold onto 4 to 7 bits of secure information.
Measured against that limit, a 16-character passphrase built from common words (with few numbers and no special characters) is both memorable and long enough to give strong, consistent protection for your accounts.
Passphrases: The New Preferred Method
NIST’s revised directives recommend the use of passphrases as a preferred method for password creation. A passphrase is a string of words that one can easily commit to memory but that is long and unusual enough that it cannot practically be guessed.
Phrases like “Don’t let the blue sky fool you; it’s a sunset kind of day” and “Sunsets are so beautiful, they should be in every password” illustrate this newer tactic: maximize length while keeping the phrase simple to remember and hard to predict.
Unlike a traditional password, which often needs a mnemonic device to be remembered, a passphrase is memorable on its own and serves as a direct substitute for a short, simple password.
Changes in Password Change Requirements
NIST used to say that organizations should make their users change passwords regularly. That was supposed to enhance security. However, NIST has now reconsidered that advice and has come up with something quite different. The new guidelines state that the organizations should not require password changes at regular intervals.
In fact, NIST now suggests that the organizations really shouldn’t require any password changes unless there’s some evidence that a compromise has occurred. And the reasoning behind that is interesting.
The thinking now is that, if you’re forced to change all your passwords at regular intervals (without ever reusing an earlier one), you will end up with weaker passwords. This line of thinking weighs security and usability together rather than treating them as separate concerns.
What is the Role of Password Managers?
The National Institute of Standards and Technology (NIST) has been working for several years to hone its password policies. NIST is responsible for issuing the guidelines that we, as a society, use to establish security.
It has come to appreciate the important role that password managers play in helping us manage our passwords securely. Any tool that helps us generate, store, and remember complex passwords is a good tool. And these days, a good password manager is a necessary part of a smart individual’s security regimen.
Implementing NIST’s Revised Recommendations
Ensuring the security of an organization’s systems and data means complying with the revised recommendations of NIST’s password policies. These newest NIST policies call for a two-pronged approach:
- The use of long, “passphrase-like” passwords, with an emphasis on taking “a proper amount of time to [memorize] and practice using the passphrase,” instead of using a shorthand that hints at whom or what the password belongs to.
- Managing passwords so that, when they are changed, moved, or altered, the timing criteria are adjusted to “keep the human in the loop.”
Together, these two recommendations mean not going back to the bad old days of easily guessed, character-“substitution” passwords. Organizations are better off allowing users to change passwords periodically across all platforms and systems, with prompt changes during “significant timeframes” when a security breach is suspected.
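As an added illustration (not code from the article or from NIST), the Python below places a legacy composition-and-rotation policy beside one that follows the revised guidance described above: a 12-character minimum, no special-character requirement, and a forced change only on evidence of compromise. The legacy policy’s 8-character minimum and 90-day rotation are assumed values chosen for contrast.

```python
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass(frozen=True)
class Policy:
    min_length: int
    require_special: bool        # legacy composition rule
    require_digit: bool          # legacy composition rule
    max_age_days: Optional[int]  # None = no scheduled expiry
    change_on_compromise: bool


# Legacy policy: short, "complex", rotated on a timer (8 chars / 90 days are assumed values).
LEGACY = Policy(min_length=8, require_special=True, require_digit=True,
                max_age_days=90, change_on_compromise=True)

# Revised policy per the article: 12+ character passphrases, no special-character
# requirement, and a change only when there is evidence of compromise.
REVISED = Policy(min_length=12, require_special=False, require_digit=False,
                 max_age_days=None, change_on_compromise=True)


def check_password(pw: str, policy: Policy) -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_special and not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    return problems


def change_required(age_days: int, compromised: bool, policy: Policy) -> bool:
    """Decide whether a password must be changed now, given its age and compromise evidence."""
    if compromised and policy.change_on_compromise:
        return True
    if policy.max_age_days is None:
        return False  # revised policy: age alone never forces a change
    return age_days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample passphrase alongside one quoted in the article.
    for pw in ("blue sky sunset day", "Sunsets are so beautiful, they should be in every password"):
        print(repr(pw), "legacy:", check_password(pw, LEGACY), "revised:", check_password(pw, REVISED))
```

Note that a memorable passphrase such as the constructed “blue sky sunset day” is rejected by the legacy rules yet accepted by the revised ones, while a short “complex” password passes the legacy check only.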
Cultivating a Security-Aware Workplace
In addition to changing policies, organizations must cultivate a security-aware workplace. For that, they must educate their employees. “They can and must learn,” said Elkind. She and others recommend that organizations hold regular training sessions and maintain “security ever-present in the minds of all employees.”
These sessions should include discussions of the kinds of social engineering schemes that might be used to trick a person into surrendering a password or some other valuable piece of information. It’s hard to put a number on how much value in “cybersecurity insurance” training might provide; estimates have ranged from $400 million up to more than $1 billion each year.
Manage Your Passwords With These New Guidelines
NIST’s recent revision of its password policy recommendations represents a significant shift in the approach to managing passwords. NIST now emphasizes that users should create long passwords rather than complex ones and that they shouldn’t be asked to change their passwords periodically.
We can be hopeful that this shift brings us a step closer to a usable and secure password management scheme, but as always, it will be up to individuals and organizations to implement the new guidelines.
C Solutions IT understands how complex cybersecurity is and how disorienting these changes can be for clients. We are dedicated to steering our clients through them, which is what prompted us to write this article. The security guidance we provide stems from the latest recommendations from NIST, the National Institute of Standards and Technology, a U.S. federal agency that develops national technical standards and guidelines.
If you need help managing your passwords and account security, contact us today for assistance.