NIST Challenges Conventional Password Rules with New Proposal

Password policies are a common source of frustration for users and IT admins alike: regular updates, nonsensical requirements for difficult-to-remember passwords, and other policies often work to the detriment of cybersecurity rather than enhancing it.

The National Institute of Standards and Technology (NIST) proposed a set of long-overdue changes to password requirements in the public and private sectors in Fall 2024. While the latest version of the agency’s Digital Identity Guidelines is long and often opaquely worded, it contains several common-sense suggestions for what amounts to the first line of security for the internet in general.

Among the proposals:

  • No longer requiring composition rules: Against modern computing power and cracking methods, “G0Y@nkees!” isn’t much more secure than “GoYankees,” and what’s worse, passwords like it are harder to remember. Failed logins lead to account lockouts and, in practice, to shorter passwords overall.

  • Doing away with periodic password changes: The conventional wisdom that account passwords should be rotated regularly has proven to be outdated. Requiring regular updates has consistently been found to result in poorer cybersecurity practices, including password re-use, simpler and easier-to-guess passwords, and greater difficulty logging into accounts.

    Unless an account using the same password has been compromised, or the organization itself has suffered a data breach, a strong, lengthy, difficult-to-guess password should offer the same protection today that it did yesterday.

  • Getting rid of password hints: Password hints may be convenient if you’re having difficulty remembering a password, but they largely defeat the purpose, since they also give anyone else clues about how to get into your account.

    If your password hint is “my first pet,” and you shared that information on social media, e.g., “your first pet’s name and the street you grew up on is your performer name,” you’ve accomplished the digital equivalent of leaving a key under your doormat.

  • Requiring passwords to be longer: Shorter passwords padded with numbers and symbols might not be more secure, but longer passwords increase the difficulty of cracking them exponentially. “ThreeLeggedWombatStew” is likely more memorable than “F1d0!”, and every additional letter is another hurdle for someone without the password trying to gain unauthorized access. (We recommend using an xkcd-style password generator for any passwords you aren’t auto-generating with your preferred password manager.)
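To make the contrast between the two approaches concrete, here is an added example in Python (not code from the article or from NIST): a legacy composition-rule check next to a NIST-style check that relies only on length and a blocklist of known-bad passwords. The 15-character minimum, the 64-character maximum, the leet-substitution table and the tiny blocklist are assumptions chosen for this example.

```python
import re

# Assumed parameters for this example (not quoted from the article): a
# NIST-style policy keyed on length plus a blocklist, with no composition
# rules; the 15-character floor follows the 2024 SP 800-63B draft.
NIST_MIN_LEN = 15
NIST_MAX_LEN = 64

# Constructed sample blocklist; a real deployment would load a breach corpus.
BLOCKLIST = {"goyankees", "password", "letmein", "123456"}

# Character swaps that composition rules encourage and that cracking
# wordlists routinely undo; applied before the blocklist lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, reverse leet substitutions, drop trailing digits/punctuation."""
    base = pw.lower().translate(LEET)
    return re.sub(r"[^a-z]+$", "", base)


def legacy_policy(pw: str) -> list[str]:
    """Composition-rule policy of the kind NIST proposes dropping."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems


def nist_style_policy(pw: str) -> list[str]:
    """Length bounds plus blocklist check; no composition rules, no hints."""
    problems = []
    if len(pw) < NIST_MIN_LEN:
        problems.append(f"shorter than {NIST_MIN_LEN} characters")
    if len(pw) > NIST_MAX_LEN:
        problems.append(f"longer than {NIST_MAX_LEN} characters")
    if normalize(pw) in BLOCKLIST:
        problems.append("matches a blocked password after normalisation")
    return problems


if __name__ == "__main__":
    for pw in ("G0Y@nkees!", "GoYankees", "ThreeLeggedWombatStew"):
        print(f"{pw!r}: legacy={legacy_policy(pw) or 'OK'} "
              f"nist={nist_style_policy(pw) or 'OK'}")
```

Run as written, “G0Y@nkees!” sails through the legacy policy but is rejected by the NIST-style one (too short and a blocklist hit once the substitutions are undone), while “ThreeLeggedWombatStew” fails the legacy policy for lacking a digit and a symbol yet passes the NIST-style check.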

Even if the NIST proposals are all adopted, it will still take time before they’re fully implemented. Regardless, it is a welcome update for protecting users and their accounts. Even if your business isn’t held to the same standards as government agencies, it’s worth asking your IT administrator about updating your password standards.

Is your password policy keeping you secure? Nodal can help! Contact us today!
