https://pages.nist.gov/800-63-4/sp800-63b.html

The National Institute of Standards and Technology (NIST) has proposed a significant overhaul of password policies in its updated Digital Identity Guidelines (SP 800-63-4). These proposed changes aim to simplify password creation and management while strengthening overall security.

One of the most significant changes is the elimination of mandatory password resets. Previously, users were forced to change passwords at regular intervals, often leading to weaker and more easily guessed choices. NIST now acknowledges that strong, randomly generated passwords don’t require frequent resets. In fact, forcing frequent changes can backfire, as users may resort to simpler variations of the same password.

Another proposed change involves scrapping the requirement for specific character combinations (uppercase, lowercase, numbers, special characters). Such composition rules were once considered an improvement, but NIST now argues that they offer minimal security benefit for long, random passwords. Instead, the updated guidelines call for a minimum password length of eight characters, with a recommendation of 15 characters. Additionally, systems should allow passwords up to 64 characters and accept all printable ASCII characters, including spaces.
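To make the difference concrete, here is an added example (not code from the article or from NIST) contrasting a typical legacy composition-rule validator with one that follows the length-based rules stated above; the legacy rule set and the decision to reject only ASCII control characters are assumptions for illustration.

```python
import string

# Values as stated in the article's summary of SP 800-63-4
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 15
MAX_LENGTH = 64


def legacy_check(pw: str) -> bool:
    """Hypothetical legacy policy the guidelines retire: 8-12 characters,
    one upper, lower, digit and symbol each, spaces forbidden."""
    if not 8 <= len(pw) <= 12 or " " in pw:
        return False
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def nist_check(pw: str) -> tuple[bool, list[str]]:
    """Length-based policy from the article: 8..64 characters, every printable
    ASCII character (space included) accepted, no composition rules.
    Returns (accepted, advisory notes). Assumption: only ASCII control
    characters are rejected, since they cannot be typed intentionally."""
    if len(pw) < MIN_LENGTH:
        return False, [f"shorter than {MIN_LENGTH} characters"]
    if len(pw) > MAX_LENGTH:
        return False, [f"longer than {MAX_LENGTH} characters"]
    control = sorted({c for c in pw if ord(c) < 0x20 or ord(c) == 0x7F})
    if control:
        return False, [f"control characters present: {control!r}"]
    notes = []
    if len(pw) < RECOMMENDED_LENGTH:
        notes.append(f"accepted, but {RECOMMENDED_LENGTH}+ characters is recommended")
    return True, notes


def compare(pw: str) -> dict[str, bool]:
    """Side-by-side verdict of both policies for one candidate password."""
    return {"legacy": legacy_check(pw), "nist": nist_check(pw)[0]}


if __name__ == "__main__":
    # Constructed samples: the legacy rules accept a short, predictable
    # string and reject a long passphrase with spaces; the NIST rules do the opposite.
    for sample in ["P@ssw0rd", "correct horse battery staple", "short"]:
        print(f"{sample!r}: {compare(sample)} {nist_check(sample)[1]}")
```

The legacy validator passes "P@ssw0rd" yet rejects a 28-character passphrase, which is exactly the mismatch between composition rules and real guessing resistance that the guidelines address.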

Security questions, a once-common verification method, are also on the chopping block. NIST proposes their removal entirely due to their inherent weaknesses.

These proposed changes represent a major shift in password policy recommendations. While not universally binding, the NIST guidelines carry significant weight and are likely to influence password policies across various industries.

The updated guidelines offer a more practical and user-friendly approach to password security, focusing on encouraging strong, unique passwords and eliminating counterproductive practices. This could lead to a significant improvement in overall cybersecurity posture for organizations and individuals alike.