Keep it Long and Don’t Change it Often: NIST Releases New Password Guidelines in 2024


Heads up!

It looks like using a mixture of character types in your passwords and regularly changing your passwords are no longer part of the best password management practices according to the latest guidelines published by the US National Institute of Standards and Technology (NIST).

In NIST’s latest publication on password guidelines, the organization made several suggestions on what to keep and what to change when forming passwords.

 

The longer it is, the better… (in the case of passwords)

NIST no longer recommends mixing different character types when creating a password, such as mixing uppercase and lowercase letters, numbers, and special characters.

Instead, a password of at least 8 characters is acceptable, but 15 characters is highly recommended, with a strong preference for even longer passwords.

 

The updated guidelines emphasize that password length now matters more for security than complexity. A long, simple phrase can be much harder to crack than a short but complex one.

 

You don’t have to change your password often

If you don’t have a password manager, thinking of a new password when the “change your password” prompt appears can be troublesome. Regular password changes often lead to weaker passwords as people tend to just make slight changes to their current password. For example, changing Mydog04531 to Mydogiscute04531.

According to the latest guidelines, passwords should only be changed when there’s evidence of compromise.

 

Disallow Common and Compromised Passwords

The new guidelines also suggest that organizations check passwords against lists of commonly used or compromised passwords. Ideally, an up-to-date blocklist of weak passwords is maintained so that users cannot select any password on it.

 

Here are other key changes and recommendations from NIST’s new guidelines:

  1. No Knowledge-Based Authentication Questions: The guidelines recommend avoiding password hints and knowledge-based authentication questions. These methods are often insecure as the answers can be easily guessed or obtained through social engineering.
  2. Use of Multi-Factor Authentication (MFA): NIST strongly encourages the use of MFA to add an extra layer of security. MFA significantly reduces the risk of unauthorized access, even if a password is compromised.
  3. Throttling Login Attempts: Implementing measures to limit the number of failed login attempts helps to prevent brute force attacks. This ensures that repeated attempts to guess a password are detected and mitigated.
  4. Password Storage: NIST recommends using salted hashing with a work factor for storing passwords. This method makes it computationally expensive for attackers to crack passwords, enhancing overall security.
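To show how the length, blocklist and storage recommendations above fit together, here is an added example (not code from the post or from NIST): a small verifier that accepts any characters, enforces only a minimum length, rejects blocklisted passwords, and stores a salted hash with a tunable work factor. The blocklist and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8           # minimum length the post quotes
RECOMMENDED_LENGTH = 15  # length the post says NIST highly recommends

# Constructed stand-in for a real list of common/compromised passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "mydog04531"}

def validate_password(password: str) -> tuple[bool, str]:
    """Length matters, composition does not, blocklisted values are rejected.
    Returns (accepted, reason)."""
    # Normalise so equivalent Unicode spellings are treated the same way.
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Case-insensitive check: with no composition rules, upper/lower
    # variants of a weak password are still weak.
    if pw.lower() in BLOCKLIST:
        return False, "appears on the blocklist of common/compromised passwords"
    if len(pw) < RECOMMENDED_LENGTH:
        return True, f"accepted; {RECOMMENDED_LENGTH}+ characters is recommended"
    return True, "accepted"

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware speeds up

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted hash with a work factor (PBKDF2-HMAC-SHA256); the salt and
    iteration count are stored alongside the digest so they can be verified
    and later upgraded."""
    pw = unicodedata.normalize("NFKC", password).encode()
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations and compare in
    constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = unicodedata.normalize("NFKC", password).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```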

 


Check out the full range of NIST’s guidance here:
