The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords as part of best practices for managing passwords.
NIST’s second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines suggest that credential service providers (CSP) stop requiring users set passwords that use specific types or characters and stop mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs should stop using knowledge-based authentication or security questions when selecting passwords.
Other recommendations include:
-
Passwords should be of a minimum of 15 characters
-
CSPs should allow passwords of a maximum of at least 64 characters
-
CSPs should allow ASCII and Unicode characters to be included in passwords
When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords that were a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords are not always strong (see ‘Password123! or ‘q1@We3$Rt5’). And complexity meant users were doing things like making them predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. In recent years, NIST has shifted its focus to password length, since longer passwords are harder to crack with brute-force attacks and can be easier for users to remember without being predictable.
NIST also started recommending password resets only in the case of a credential breach. Making people change passwords frequently was resulting in people choosing weaker passwords.
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltf9a51ec96fc30194/66f54fa7521f3062d487c7d7/passwordmanager_Vitalii_Vodolazskyi_shutterstock.jpg?disable=upscale&width=1200&height=630&fit=crop
