
The National Institute of Standards and Technology (NIST) has released a revision of its password standard that no longer recommends requiring a mix of character types in passwords or regular password changes.
NIST's draft password guidelines (SP 800-63-4) outline technical requirements and best practices for password management and authentication.
- It instructs credential service providers (CSPs) to stop requiring users to set passwords that use specific types of characters and to stop mandating periodic password changes.
- CSPs are instructed to stop using knowledge-based authentication or security questions when users select passwords.
- CSPs shall require passwords to be a minimum of eight characters in length and should require passwords to be a maximum of 15 characters in length.
- CSPs should allow passwords of a maximum of at least 64 characters.
- CSPs should allow both ASCII and Unicode characters in passwords.
- Password resets should be required only in the case of a credential breach. Forcing people to change passwords frequently has led them to choose weaker passwords.
When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords made up of a mix of uppercase and lowercase letters and numbers. In recent years NIST has shifted its focus to password length, since longer passwords are harder to crack by brute force and can be easier for users to remember without being predictable.
Public comment on this draft is open until 11:59 pm Eastern Time on Oct. 7; comments go by email to dig-comments@nist.gov.
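To make the shift concrete, here is an added example (not from NIST or this article) that puts a 2017-style composition-and-rotation policy next to a length-only policy built from the rules listed above: at least eight characters, at least 64 allowed, Unicode accepted, and resets only on compromise. The 90-day rotation period and the NFKC normalization step are assumptions, not taken from this page.

```python
import unicodedata

MIN_LEN = 8   # draft: CSPs shall require at least eight characters
MAX_LEN = 64  # draft: CSPs should allow at least 64 characters
LEGACY_ROTATION_DAYS = 90  # assumption: typical forced-rotation period


def check_legacy(password: str) -> list[str]:
    """Composition rules of the kind the draft tells CSPs to drop."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("needs uppercase")
    if not any(c.islower() for c in password):
        problems.append("needs lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("needs digit")
    return problems


def check_nist_draft(password: str) -> list[str]:
    """Length-only rules from the SP 800-63-4 draft as described above."""
    # Assumption: normalize so the same text typed on different keyboards
    # (e.g. the 'fi' ligature vs. 'f'+'i') is measured and stored the same way.
    pw = unicodedata.normalize("NFKC", password)
    # Count code points, not bytes: an accented letter or an emoji is one
    # character to the user and must count as one here.
    n = len(pw)
    problems = []
    if n < MIN_LEN:
        problems.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        problems.append(f"too long ({n} > {MAX_LEN})")
    return problems


def legacy_reset_required(days_since_change: int, compromised: bool) -> bool:
    """Old policy: age alone forces a reset, which drove weaker choices."""
    return compromised or days_since_change >= LEGACY_ROTATION_DAYS


def nist_reset_required(days_since_change: int, compromised: bool) -> bool:
    """Draft policy: only evidence of a credential breach forces a reset."""
    return compromised


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample input
    print("legacy:", check_legacy(phrase) or "ok")
    print("draft: ", check_nist_draft(phrase) or "ok")
```

The passphrase fails every legacy composition rule yet passes the draft policy, while an eight-emoji password passes on length even though the legacy checker sees no letters or digits at all.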

