The National Institute of Standards and Technology (NIST) is finalizing Special Publication 800-63-3: Digital Identity Guidelines. The password rules in the suite live in its SP 800-63B volume (Authentication and Lifecycle Management), which revises the long-standing best practices for how systems should accept and manage user passwords.
New Best Practices
Instead of requiring frequent password changes and composition rules, such as mandatory symbols and mixed case, as the established guidelines suggested for years, the new framework recommends that systems accept and encourage passwords that:
- Favor length over complexity, for example a long passphrase of random words the user can remember (the system should accept at least 64 characters)
- Avoid repetitive or sequential characters, such as "aaaaaa" or "1234abcd"
- Are screened against a list of commonly used or compromised passwords, and rejected if they appear on it
- Aren't changed on a fixed schedule, only when there is evidence of compromise, such as a system breach or other cyber incident
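The practical difference between the two approaches is easiest to see in the check a login system runs when a user picks a password. The following Python is an added example, not code from the page or from NIST: it puts a legacy composition-rule check beside an SP 800-63B-style check that enforces length bounds, screens against a blocklist, and rejects repetitive or sequential runs. The blocklist and the context-specific words are small constructed samples; a real deployment would load a large breach corpus (for instance a published compromised-password list) instead, and the run length of 4 used to detect repeats and sequences is an assumption, not a value from the guidance.

```python
"""Legacy composition rules versus an SP 800-63B-style screen.

Added example (not from the page or from NIST). BLOCKLIST and CONTEXT_WORDS
are constructed samples standing in for a real breach corpus and the
service's own names; the run length of 4 is an assumed threshold.
"""
import unicodedata
from typing import List, Set

# Constructed sample of common/compromised passwords; load a real corpus in practice.
BLOCKLIST: Set[str] = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "p@ssw0rd", "summer2017", "changeme",
}

# Context-specific words (service name, product name) the verifier should also reject.
CONTEXT_WORDS: Set[str] = {"acmecorp", "acme"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers SHALL accept at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalize before comparison, as 800-63B advises, so that visually
    identical Unicode strings compare equal against the blocklist."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(secret: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    count = 1
    for prev, cur in zip(secret, secret[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def is_sequential(secret: str, run: int = 4) -> bool:
    """True if `run` or more consecutive characters step by +1 or -1 in code
    point (e.g. 'abcd', '4321'), covering alphabetic and numeric runs."""
    s = secret.lower()
    for step in (1, -1):
        count = 1
        for prev, cur in zip(s, s[1:]):
            count = count + 1 if ord(cur) - ord(prev) == step else 1
            if count >= run:
                return True
    return False


def legacy_check(secret: str) -> List[str]:
    """The older composition-rule policy the page says is being dropped.
    Returns the reasons the secret would be rejected (empty means accepted)."""
    problems = []
    if len(secret) < 8:
        problems.append("too short")
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in secret):
        problems.append("needs a symbol")
    return problems


def nist_check(secret: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Screen a candidate the 800-63B way: length bounds, no composition rules,
    and rejection of blocklisted, context-specific, repetitive or sequential
    values. Returns the reasons to reject (empty means accepted)."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in blocklist:
        problems.append("appears on the compromised/common password list")
    if any(word in lowered for word in CONTEXT_WORDS):
        problems.append("contains a context-specific word")
    if is_repetitive(s):
        problems.append("contains a run of repeated characters")
    if is_sequential(s):
        problems.append("contains a sequential run of characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first satisfies every legacy rule yet is a
    # well-known compromised value; the second fails every legacy rule yet is long and unlisted.
    for candidate in ("P@ssw0rd", "correct horse battery staple", "Acme1234", "aaaa bbbb cc"):
        print(f"{candidate!r}: legacy={legacy_check(candidate) or 'OK'}, "
              f"nist={nist_check(candidate) or 'OK'}")
```

The two checks disagree in exactly the way the guidance predicts: "P@ssw0rd" clears every composition rule but is on the compromised list, while a four-word passphrase fails the legacy rules and passes the 800-63B screen. In production the blocklist lookup should be done against the full corpus (or a k-anonymity range query to a breach API) rather than an in-memory set of a few entries, and the check should run on the server, since client-side screening can be bypassed.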
The new guidance also drops password hints and security questions that prompt the user for specific types of personal information, such as: What was the name of your elementary school? Such answers are often public or easily researched, so they add little protection against an attacker.
The previously established password guidelines set by NIST unintentionally encouraged insecure password practices. Forced to generate new, complex passwords on a regular basis, users tended to fall back on predictable patterns, choosing common, easily remembered, and easily guessed passwords instead.
The idea behind the new guidance is to curb this behavior and make it easier for end users to create and maintain fewer, stronger passwords.
While the new password practices will likely reduce the number of easily preventable breaches, it's important to remember that even the strongest password can be compromised. Attackers can still bypass strong passwords through phishing, phone-based impersonation, and other social engineering techniques, all of which require vigilance and strong internal controls to deter.
We're Here to Help
For more information about improving your organization’s IT security, or if you’d like help determining what the implications of the new NIST guidance are for your business, contact your Moss Adams professional or visit our cybersecurity services page.