Surprising New Password Guidelines from NIST

National Institute of Standards and Technology (NIST) just finalized new draft guidelines, substantially revising password security recommendations and upending many of the standards and best practices security professionals use when forming policies for their companies.

First some background, in 2014 National Institute of Standards and Technology (NIST) released version 1.0 of their Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST CSF. This framework sought to provide guidance and cybersecurity best practices for private sector organizations. Now the NIST is in the process of finalizing version 1.1 of this framework and it has some long overdue changes in it when it comes to recommendations for best practices around user password management.

The new framework recommends, among other things:

  • Remove periodic password change requirements
    This is one that legions of corporate employees forced to create a new password every month will surely be happy about. There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, but the industry has doggedly held on to the practice. Hopefully, these new recommendations will change that.
  • Drop the algorithmic complexity song and dance
    No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords.
  • Require screening of new passwords against lists of commonly used or compromised passwords
    This is one near and dear to our hearts here at PasswordPing. One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.

All three of these recommendations are things we have been advising for some time now and the PasswordPing Password Strength Meter was purpose built to make implementing the third item a trivial task.

While it wasn’t explicitly mentioned in the new NIST framework, we contend that another important security practice is periodically checking your user credentials against a list of known compromised credentials, something we can also help with. We predict this will show up in version 1.2 of the framework. 🙂