New NIST password guidelines a step in the right direction

Promises simplified best practices for passwords.

Photo Credit: Unsplash/Jakub Żerdzicki

Flummoxed by password complexity rules? Thankfully, things could improve soon with the latest NIST password guidelines.

Last week, NIST released a new public draft of SP 800-63B, the authentication volume of its Digital Identity Guidelines, which promises simplified best practices for passwords.

I think it's a fantastic change.

Good riddance to frequent password changes

Specifically, the draft now tells verifiers they SHALL NOT do the following (earlier revisions merely discouraged it):

  • Impose composition rules, such as requiring a mixture of character types.
  • Mandate regular password changes. A change SHALL still be forced when there is evidence the password has been compromised.

Instead, it requires or recommends:

  • A minimum password length of 8 characters (required); 15 or more (recommended).
  • A maximum length of at least 64 characters.
  • All printing ASCII characters, the space, and Unicode to be accepted, with each Unicode code point counted as one character.
  • Every new password to be checked against a blocklist of known compromised, dictionary and context-specific values (such as the username or the name of the service).

To be clear, the password rules you actually meet are set by each organisation's IT team. But SP 800-63 is binding on US federal agencies, and NIST's influence means its guidelines are often adopted well beyond them.
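As an added example (not code from this post or from NIST), here is a verifier-side check that applies the draft's rules above: a length floor and ceiling counted in Unicode code points after NFKC normalization, no composition rules at all, and a blocklist of compromised and context-specific values. The blocklist contents are constructed for the demonstration, not a real breach corpus.

```python
import unicodedata

MIN_LEN = 8           # SHALL require at least 8 characters
RECOMMENDED_LEN = 15  # SHOULD require at least 15
MAX_LEN = 64          # SHOULD permit at least 64; the cap bounds hashing cost

# Constructed blocklist standing in for a breached-password corpus plus
# dictionary words. A real deployment would query a service such as the
# Have I Been Pwned k-anonymity API or a local copy of such a list.
BLOCKLIST = {
    "password", "password1", "123456789", "qwertyuiop",
    "p@ssw0rd!", "lousypassword1", "lousypassword2",
}


def normalize(pw: str) -> str:
    """Apply NFKC before any length check, comparison or hashing, so that
    the ligature 'ﬁ' (U+FB01) and the two letters 'fi' are the same secret."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, context=()) -> dict:
    """Return {'accepted': bool, 'reasons': [...], 'advice': [...]}.

    There are deliberately no composition rules: no digit, symbol or
    mixed-case requirement, and no 'repeated character' rule. Length and
    the blocklist do the work instead. `context` carries account-specific
    values (username, service name) that must not appear in the password.
    """
    pw = normalize(pw)
    length = len(pw)          # len() on str counts code points, not bytes
    folded = pw.casefold()
    reasons, advice = [], []

    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif length < RECOMMENDED_LEN:
        advice.append(f"below the recommended {RECOMMENDED_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    if folded in BLOCKLIST:
        reasons.append("appears in the compromised-password blocklist")

    for word in context:
        w = normalize(word).casefold()
        if w and w in folded:
            reasons.append(f"contains account-specific value {word!r}")

    return {"accepted": not reasons, "reasons": reasons, "advice": advice}


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", ()),   # long, no symbols: accepted
        ("P@ssw0rd!", ()),                      # passes old rules, is breached
        ("LousyPassword1", ()),
        ("alice2024!", ("alice",)),             # contains the username
        ("\ufb01sh and chips", ()),             # ligature normalized away
    ]
    for pw, ctx in samples:
        print(repr(pw), check_password(pw, ctx))
```

Note that "P@ssw0rd!" satisfies every classic composition rule and is still rejected, while a four-word lowercase passphrase sails through; that is the whole point of the change.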

This thing called human nature

(a) I've always been bemused by overdone password complexity rules

  • Must use XX instances of symbols.
  • Must use numbers, capital letters.
  • Can't use repeating characters.

I think a lengthy password is just as good, and far easier to type: a random 20-character lowercase password has about 94 bits of entropy, while a random 10-character one drawn from all 95 printable ASCII characters has about 66. Fortunately, it's mostly solved with randomly generated passwords and password managers.

Well, until you come across the occasional app that blocks password managers. And doesn't allow you to copy-and-paste the password. 😭

I'm looking at you, DBS Bank.

(b) Another bugbear is the need to frequently change passwords

For instance, what's the difference between these two passwords?

• KeczmPafHoY13YRUAU1V
• hLJWPTzyex5gFNNrtXjK

Both are random 20-character alphanumeric strings with the same entropy. If the first has not been compromised, what's the point of replacing it with the second every 30, 60, or 90 days?

And if your password is no good, you're probably doing this, aren't you?

• LousyPassword1
• LousyPassword2

So, lots of annoyed users, but no improvement in security.

Protect yourself today

On a more serious note, a good password manager is the bare minimum today, and two-factor authentication should be enabled wherever it is offered.

Note that multi-factor authentication is no longer iron-clad: attackers have been observed defeating SMS codes, app-based OTPs and push approvals via AiTM (Adversary-in-The-Middle) phishing proxies, which sit between the user and the real site and relay the whole login, one-time code and session cookie included.

For better security, a phishing-resistant authenticator is ideal: a FIDO2/WebAuthn hardware security key, or a platform authenticator such as Windows Hello unlocked with biometrics. The credential is bound to the site's origin, so an assertion obtained on a look-alike domain is useless to the attacker.

  • I use the YubiKey NFC for my smartphone, and
  • a Logitech Brio with Windows Hello for my desktop.
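As an added example, not the post's own code, here is a simulation of why a FIDO2/WebAuthn login survives the AiTM proxy that defeats OTP or push MFA. The relying party and hostnames (bank.example, bank-login.example) are hypothetical, and the authenticator's signature is stood in for by an HMAC over the same fields a real authenticator signs, because the standard library has no ECDSA; the relying party's checks are the ones the WebAuthn verification procedure prescribes.

```python
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                    # hypothetical relying party (RP)
EXPECTED_ORIGIN = "https://bank.example"

# Stand-in for the credential's private key. A real authenticator signs with
# an asymmetric key (ES256 or Ed25519) that never leaves the device; HMAC is
# used here only so the example runs on the standard library.
CREDENTIAL_KEY = b"constructed-credential-secret-not-a-real-key"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulates navigator.credentials.get().

    The browser, not the page's script, writes the origin it is actually on
    into clientDataJSON, and refuses an rpId the page's origin may not claim
    (the rpId must be the host itself or a registrable suffix of it).
    """
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": signature}


def rp_verify(assertion: dict, issued_challenge: bytes) -> tuple:
    """The relying party's checks; a proxy attack fails at origin or signature."""
    client_data = assertion["clientDataJSON"]
    auth_data = assertion["authenticatorData"]
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature: clientDataJSON or authenticatorData was altered"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: signed for {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch: credential scoped to another rpId"
    return True, "ok"


def legitimate_login() -> tuple:
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge)


def aitm_login(proxy_origin: str = "https://bank-login.example") -> tuple:
    """AiTM: the proxy relays the bank's real challenge to the victim, whose
    browser is on the proxy's origin and so can only use the proxy's own rpId.
    The relayed assertion is therefore signed over the wrong origin."""
    challenge = os.urandom(32)                 # bank's challenge, relayed by proxy
    proxy_host = proxy_origin.split("://", 1)[1]
    assertion = browser_get_assertion(proxy_origin, proxy_host, challenge)
    return rp_verify(assertion, challenge)     # forwarded to the bank unchanged


def aitm_rewrite_origin() -> tuple:
    """The proxy patches origin and rpIdHash before forwarding; both are
    covered by the signature, so verification fails earlier instead."""
    challenge = os.urandom(32)
    assertion = browser_get_assertion("https://bank-login.example",
                                      "bank-login.example", challenge)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = EXPECTED_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd).encode()
    assertion["authenticatorData"] = rp_id_hash(RP_ID) + assertion["authenticatorData"][32:]
    return rp_verify(assertion, challenge)


def browser_refuses_foreign_rp_id() -> bool:
    """A page on the proxy's origin cannot even request the bank's rpId."""
    try:
        browser_get_assertion("https://bank-login.example", RP_ID, os.urandom(32))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM relay:", aitm_login())
    print("AiTM rewrite:", aitm_rewrite_origin())
    print("browser refuses foreign rpId:", browser_refuses_foreign_rp_id())
```

Contrast this with a TOTP code: the code carries no notion of where it was typed, so the proxy simply forwards it and the bank cannot tell the difference.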

What about you? How do you secure your digital assets?