Guidelines for Password Management: NIST Recommends Infrequent Changes and Avoidance of Character Mixing

NIST has released guidelines for password security in Special Publication 800-63B. They are similar to previous guidance, but some points have changed. Many people are familiar with the idea of setting complex passwords that mix lowercase letters, uppercase letters, numbers, and special characters. NIST now instead recommends that passwords be at least 8 characters long, with 15 characters suggested. NIST's research indicates that longer passwords are more secure than shorter ones that merely mix character types.

Another change proposed by NIST is the frequency of password changes. Instead of mandating regular password changes based on a set timeframe, NIST suggests enforcing password changes only when there is evidence of a data breach. Additionally, organizations are advised to maintain a list of blocked passwords to prevent the use of weak or compromised passwords.

NIST also advises against knowledge-based authentication questions, such as asking for the name of your first pet, because they are vulnerable to social engineering attacks. Instead, it recommends salted storage of secrets and other measures that increase the cost of attacks.

In summary, the latest NIST guidelines for password management include requiring passwords to be a minimum of 8 characters in length, with a suggestion for 15, allowing for a maximum length of 64 characters, accepting various character types, and avoiding periodic password changes unless there is evidence of compromise.
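The rules summarized above can be expressed directly as a verifier policy. The following is an added example, not code from the post or from NIST: it enforces only length and a blocklist (no composition rules), gives length-oriented feedback, and stores a salted, memory-hard digest with scrypt; the blocklist entries and parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Length bounds as the post summarizes them from NIST SP 800-63B
MIN_LEN = 8            # required minimum
RECOMMENDED_LEN = 15   # suggested length
MAX_LEN = 64           # verifiers should accept at least this many characters

# Constructed sample blocklist; a deployment loads a large list of breached
# and commonly chosen passwords here instead.
BLOCKLIST = {"password", "12345678", "qwertyui", "letmein1"}


def check_password(candidate, blocklist=BLOCKLIST, context=()):
    """Return the reasons a password is rejected; an empty list means accepted.
    Only length and the blocklist are enforced; spaces, non-ASCII and any other
    character are allowed. `context` holds strings (username, service name)
    that must not appear in the password."""
    normalized = unicodedata.normalize("NFKC", candidate)
    length = len(normalized)  # count code points, not bytes
    reasons = []
    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = normalized.lower()  # blocklist match is case-insensitive
    if lowered in blocklist:
        reasons.append("on the blocklist of weak or compromised passwords")
    for word in context:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def length_hint(candidate):
    """Feedback that nudges toward length, never toward character mixing."""
    n = len(unicodedata.normalize("NFKC", candidate))
    return "good length" if n >= RECOMMENDED_LEN else f"accepted; {RECOMMENDED_LEN}+ characters recommended"


def make_verifier(password, salt=None):
    """Salted, memory-hard scrypt digest for storage; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    secret = unicodedata.normalize("NFKC", password).encode("utf-8")
    return salt, hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)


def verify(password, salt, digest):
    """Recompute under the stored salt and compare in constant time."""
    return hmac.compare_digest(make_verifier(password, salt)[1], digest)
```

Note that nothing here tracks password age: under this policy a reset is triggered only by evidence of compromise (for example, the stored value appearing in a breach), not by a calendar.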

TLDR: NIST updates password guidelines to focus on length rather than complexity, discourages frequent changes, and advises against using knowledge-based authentication questions for enhanced security.
