Heads up!
Using a mixture of character types in your passwords and changing them on a schedule are no longer recommended practices under the latest password guidelines from the US National Institute of Standards and Technology (NIST), published in Special Publication 800-63B.
In its latest publication on password guidelines, NIST made several recommendations on what to keep and what to change when creating and managing passwords.
The longer it is, the better… (in the case of passwords)
NIST no longer recommends requiring a mix of character types in a password (uppercase and lowercase letters, numbers, and special characters). Such composition rules push users toward predictable patterns, such as a capital first letter and a trailing digit or exclamation mark, which password-cracking tools already try first.
Instead, the guidelines set a minimum of 8 characters, strongly recommend requiring at least 15, and say users should be allowed to go much longer: verifiers should accept passwords of at least 64 characters, including spaces and printable Unicode characters, so that passphrases work.
The updated guidelines treat length as more important for security than complexity. A long but simple passphrase is harder to guess than a short password with forced character classes, because every added character multiplies the number of possibilities, while composition rules mostly shape what users were already going to type.
You don’t have to change your password often
If you don’t have a password manager, thinking of a new password every time the “change your password” prompt appears is a chore. Forced periodic changes often lead to weaker passwords, because people tend to make only a small edit to the current one, for example turning Mydog04531 into Mydogiscute04531, which an attacker who knows the old password can guess in a handful of tries.
According to the latest guidelines, verifiers should not require periodic password changes at all. A change should be forced only when there is evidence that the password has been compromised, such as its appearance in a published breach.
Disallow Common and Compromised Passwords
The new guidelines also require verifiers to check a new password against a blocklist of commonly used, expected, or compromised values (passwords from known breach corpora, dictionary words, repetitive or sequential strings, and context-specific words such as the service name or the username) and to reject any match. The blocklist should be refreshed as new breaches are published, and the user should be told to pick something else rather than being left to guess why the password was refused.
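The following Python is an added example illustrating the three acceptance rules above (length floor with a recommended 15-character nudge, no composition rules, blocklist and context-word check); it is not code from the original post or from NIST. The blocklist contents, the hard cap of 256 characters, the case-insensitive comparison, and the sample breach range response are all constructed for this example. The range-lookup helpers show the k-anonymity pattern used by breach-check services such as Have I Been Pwned: only the first five hex characters of the SHA-1 leave the host, and matching happens locally; the service is not contacted here.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8            # NIST: verifiers SHALL require at least 8 characters
RECOMMENDED_LENGTH = 15   # NIST: verifiers SHOULD require at least 15
MUST_ACCEPT_LENGTH = 64   # NIST: verifiers SHOULD accept at least 64
HARD_CAP = 256            # assumption: generous cap so slow hashing cannot be abused for DoS

# Constructed blocklist for this example; a real deployment loads a large,
# regularly refreshed list derived from breach corpora.
COMMON_PASSWORDS = {"password", "123456", "qwertyuiop", "letmein", "iloveyou"}


def normalize(password: str) -> str:
    """NIST asks for Unicode NFKC normalization before comparing or hashing so
    that visually identical input always yields the same stored value."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words=(), blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason); reason is "" when the password is acceptable.

    No composition rules: an all-lowercase passphrase with spaces is fine as
    long as it is long enough and not on the blocklist.
    """
    pw = normalize(password)
    # Count code points, not bytes: "pässwörd" is 8 characters, not 10 bytes.
    if len(pw) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(pw) > HARD_CAP:
        return False, f"must be at most {HARD_CAP} characters"
    folded = pw.casefold()
    # Case-insensitive blocklist match: stricter than an exact match, and an
    # assumption of this example rather than a NIST requirement.
    if folded in {w.casefold() for w in blocklist}:
        return False, "too common or previously breached"
    # Context-specific values (service name, username) must not appear inside it.
    for word in context_words:
        if word and word.casefold() in folded:
            return False, f"must not contain '{word}'"
    return True, ""


def meets_recommended_length(password: str) -> bool:
    """Kept separate from acceptance so the UI can nudge toward 15+ characters
    without rejecting an otherwise valid 8-character password."""
    return len(normalize(password)) >= RECOMMENDED_LENGTH


def sha1_prefix_suffix(password: str):
    """Split the SHA-1 of the password into the 5-hex-char prefix sent to a
    k-anonymity breach lookup and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' per line range response and return how many times
    the password was seen in breaches, 0 if absent."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" starts with it);
# the counts are made up and a real response contains hundreds of lines.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E9D1FF7B5AE7A9D3C4B2C6A7E8F9A0B1C2:1
"""


def is_breached(password: str, range_response: str) -> bool:
    """Glue: a password counts as compromised if the range lookup reports it at all."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return breach_count_from_range(suffix, range_response) > 0


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "PASSWORD", "short1!", "Tr0ub4d0r&3"]:
        ok, why = check_password(candidate, context_words=("example.com",))
        print(f"{candidate!r}: accepted={ok} {why} recommended_length={meets_recommended_length(candidate)}")
    print("password breached:", is_breached("password", SAMPLE_RANGE_5BAA6))
```

In a real deployment the range lookup would fetch the response for the prefix over HTTPS and the blocklist check would run at enrollment and at password change, with the same rejection reason surfaced to the user.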
Here are other key changes and recommendations from NIST’s new guidelines:
- No Knowledge-Based Authentication Questions: The guidelines recommend avoiding password hints and knowledge-based authentication questions. These methods are often insecure as the answers can be easily guessed or obtained through social engineering.
- Use of Multi-Factor Authentication (MFA): NIST strongly encourages the use of MFA to add an extra layer of security. MFA significantly reduces the risk of unauthorized access, even if a password is compromised.
- Throttling Login Attempts: Verifiers should limit the number of consecutive failed login attempts against an account (NIST gives 100 as the upper bound) so that online guessing is slow and detectable. Lockouts, increasing delays between attempts, CAPTCHAs, and risk-based checks on the source of the attempts are all acceptable ways to do this.
- Password Storage: NIST requires stored passwords to be salted and hashed with an approved one-way key derivation function (PBKDF2 is the example NIST gives) using a work factor high enough that offline guessing is expensive, and recommends an additional keyed hash with a secret (a "pepper") that is kept outside the password database. A stolen database of such hashes then costs the attacker real compute per guess instead of a table lookup.
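The following Python is an added example that puts the last two items into working code; it is not code from the original post or from NIST. It stores passwords as a self-describing PBKDF2-HMAC-SHA256 record (algorithm, iteration count, random salt, hash) so the work factor can be raised later, applies an optional pepper as a keyed hash over the derived key, compares in constant time, and throttles per account with an exponential lockout. The iteration count, salt size, lockout values, the `PASSWORD_PEPPER` environment variable, and the injectable clock are all choices made for this example.

```python
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; NIST's floor is 10,000, current hardware justifies far more
SALT_BYTES = 16        # 128-bit random salt, well above NIST's 32-bit minimum
# Optional secret "pepper" kept outside the password database (env var or HSM).
# Assumption of this example: it is read from PASSWORD_PEPPER when set.
PEPPER = os.environ.get("PASSWORD_PEPPER", "").encode("utf-8")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if PEPPER:
        # NIST's optional extra step: a keyed hash with a secret only the verifier holds,
        # so a leaked table alone is not enough to start guessing offline.
        digest = hmac.new(PEPPER, digest, hashlib.sha256).digest()
    return digest


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt$hash (base64 fields).
    Storing the parameters next to the hash is what allows later upgrades."""
    salt = os.urandom(SALT_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(_derive(password, salt, iterations))])


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    actual = _derive(password, base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, base64.b64decode(hash_b64))


def needs_rehash(stored: str) -> bool:
    """True when the record uses a lower work factor than the current setting;
    rehash on the next successful login, when the plaintext is available."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


class LoginThrottle:
    """Per-account throttling: after max_failures consecutive failures the account is
    locked for base_lockout seconds, doubling with every further failure. A successful
    login resets the counter. The clock is injectable so the policy can be tested."""

    def __init__(self, max_failures=5, base_lockout=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock
        self._failures = {}       # username -> consecutive failure count
        self._locked_until = {}   # username -> clock value at which the lock expires

    def is_locked(self, username: str) -> bool:
        return self.clock() < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            extra = count - self.max_failures
            self._locked_until[username] = self.clock() + self.base_lockout * (2 ** extra)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def authenticate(username: str, password: str, stored: str, throttle: LoginThrottle) -> bool:
    """Refuse to even run the KDF while the account is locked, so a guesser cannot
    keep hammering at full speed and the verifier does no wasted slow hashing."""
    if throttle.is_locked(username):
        return False
    if verify_password(password, stored):
        throttle.record_success(username)
        return True
    throttle.record_failure(username)
    return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    throttle = LoginThrottle()
    print(record)
    print("right password:", authenticate("alice", "correct horse battery staple", record, throttle))
    print("wrong password:", authenticate("alice", "hunter2", record, throttle))
```

Note that the lockout applies to the account, not the source address, which is what NIST's per-account limit asks for; a production system would usually add a per-IP rate limit and a risk-based step-up as well, since a per-account lock alone can be turned into a denial of service against a known username.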
Check out the full range of NIST’s guidance here: