Changing How We Think About Passwords – NIST Changes

For years, government guidelines have forced us to use long, very complex passwords that had to be changed on a fixed schedule.  As of today, the current NIST (National Institute of Standards and Technology) guidelines still follow that methodology, but this could soon change.  Thanks to several studies that produced surprising results, NIST is about to drastically revise its password recommendations.  Two of the supposed key characteristics of a "strong" password program, composition complexity and mandatory periodic change, are about to be thrown out.  Length stays: the draft sets a minimum of 8 characters for user-chosen passwords and requires verifiers to accept at least 64.

The proposed revision draft, based on the evidence those studies produced, will:

  • Remove periodic password change requirements
    • That's right: studies have shown that forced rotation is counterproductive to a strong password program. Imagine that… only having to change your password when you want to or when a compromise is indicated.
  • No more complexity $#!@#*&.
    • Studies have shown that composition rules are a main cause of users writing passwords down in unsecured places. The draft says verifiers should accept any printing ASCII character, the space character, and Unicode characters. NIST says that "If a user wants to have all emojis as their password they should be able to"
  • NIST will propose required screening of new passwords against a list of known compromised passwords
    • Screening a new password against dictionary words, passwords exposed in previous breaches, repetitive or sequential strings, and context-specific words such as the service name or the username is a far more effective check than composition rules: it rejects the passwords attackers actually guess instead of forcing a pattern that attackers already model.
    • NIST's Paul Grassi states:
      • “We look forward to a day in the near future when technology, culture, and user preference allows these requirements to be more broadly accepted. That said, we reviewed a lot of research in the space and determined that composition and expiration did little for security, while absolutely harming user experience. And bad user experience is a vulnerability in our minds,”
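The screening step above, written out as an added example in Python (this is not code from the original post or from NIST). It follows the checks the draft SP 800-63B section 5.1.1.2 lists for memorized secrets: a minimum length of 8 counted in Unicode code points after NFKC normalization, no composition rules, and rejection of values found in a breach corpus, a dictionary, repetitive or sequential runs, or context-specific words. The breach and dictionary lists, the service name "acmebank" and the 256-character cap are constructed stand-ins; a deployment would load a real breach corpus and may choose any cap of 64 or more, but must never truncate.

```python
import unicodedata

# Constructed stand-ins for the lists a verifier screens against; a real
# deployment would load a breach corpus (millions of entries) and a word list.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}
DICTIONARY = {"summer", "winter", "monkey", "dragon", "football"}
SERVICE_NAME = "acmebank"   # assumed name of the service doing the screening

MIN_LENGTH = 8              # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 256            # assumed local cap; the draft requires accepting at least
                            # 64 and forbids truncation, so over-long input is
                            # rejected with a reason rather than silently cut


def normalize(secret):
    """Apply NFKC so visually identical inputs compare equal (the draft
    recommends NFKC or NFKD); afterwards each code point counts as one character."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s):
    """True for 'aaaaaaaa', '12345678', 'zyxwvuts' and similar keyboard runs."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def screen(secret, username=None):
    """Return (accepted, reason). There are no composition rules: any printing
    character, the space and emoji are all fine; only length and the blocklist
    checks can reject a candidate."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"

    lowered = s.casefold()
    # Compare both the secret and its digit-suffix-stripped form ("Summer2017"
    # -> "summer") so the usual append-a-number habit does not evade the lists.
    candidates = {lowered, lowered.rstrip("0123456789")}
    if candidates & COMPROMISED:
        return False, "appears in a breach corpus"
    if candidates & DICTIONARY:
        return False, "is a dictionary word"
    if is_repetitive_or_sequential(s):
        return False, "is repetitive or sequential"
    # Context-specific words: the service name and, when known, the username.
    for word in filter(None, (username, SERVICE_NAME)):
        if word.casefold() in lowered:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", None),   # spaces allowed, no complexity needed
        ("\U0001F510\U0001F419\U0001F680\U0001F980\U0001F355\U0001F3B8\U0001F335\U0001F9CA", None),
        ("\U0001F419" * 8, None),                 # emoji allowed, but repetition is not
        ("Password1", None),                      # digit suffix does not rescue a breached value
        ("summer2017", None),
        ("12345678", None),
        ("alice-2024-xyz", "Alice"),
    ]
    for secret, user in samples:
        ok, why = screen(secret, username=user)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {secret!r}: {why}")
```

The order of checks matters only for the reason reported; every rejection is a hard rejection, and a verifier should tell the user which rule fired so they can pick something else rather than guess at a hidden policy.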

Before we all get excited about these NIST changes, realize that, now that the window for public comment is over, there is still a months-long approval process.  It could be late 2017 or early 2018 before this new guideline is adopted, and several months after that before a prime contract acknowledges the new methodology.  Until then, complexity is still the law of the land.

To read the proposed NIST changes, see the link below.

NIST Special Publication 800-63B - Digital Identity Guidelines
