
NIST: No More Regular Password Resets and Arbitrary Complexity Rules

The latest version of the NIST password guidelines, which is the standard for federal agencies and many enterprises, includes several major changes that will improve security for users and make life easier for IT and security teams. 

The two biggest changes are that, for the first time, NIST is recommending that credential service providers (CSPs) and verifiers not impose arbitrary complexity requirements for passwords and not require password resets at regular intervals. For years, many websites, service providers, and internal IT organizations have adhered to the philosophy that requiring some mixture of letters, numbers, and special characters such as asterisks or ampersands was the way to go. In reality, users often default to passwords such as “Macbook2024^” that satisfy the rules and are easy to remember. And when an organization requires periodic password resets, say every 60 or 90 days, many people simply change one character in their existing password and go on their way. So “Macbook2024^” becomes “Macbook2024?” and all is well.

Except that it isn’t. Attackers know as well as anyone how lazy most people are, and they count on users employing the simplest possible password that meets a requirement. Hence the success of password-spraying and credential-stuffing attacks (not to mention the use of stolen credentials) in recent years. NIST acknowledged this reality as far back as 2017, when it removed references to periodic password changes from its guidelines, which are known formally as SP 800-63. And in 2019 Microsoft dropped forced periodic password rotation from its security recommendations, too. In the most recent proposed version of the guidelines, which are open for public comment until Oct. 7, NIST goes even further:

  • Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

  • Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Those new requirements, along with the length requirements (verifiers shall require passwords of at least eight characters, should require at least 15, and shall accept passwords of at least 64 characters), are meant to make things more difficult for attackers. Length is the real obstacle when it comes to password cracking, so using a relatively long phrase as a password can be a good way to go. And since the new NIST guidelines recommend allowing the use of spaces in passwords, that should become easier for more people to do.
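As an added illustration (not code from the post or from NIST), the following compares a constructed legacy policy (composition rules plus 90-day rotation) with a verifier policy built from the rules the draft states above: length-only acceptance counting characters rather than bytes, spaces allowed, a 64-character floor on the maximum, and rotation forced only on evidence of compromise. The 90-day interval, the function names and the sample passwords are assumptions chosen for the example.

```python
import string
from datetime import date, timedelta

# Constructed legacy policy: mixed character classes, no spaces, 90-day resets.
LEGACY_MAX_AGE = timedelta(days=90)

def legacy_accepts(password: str) -> bool:
    """Accept 8+ characters drawing on at least three character classes, no spaces."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3 and " " not in password

def legacy_must_rotate(last_changed: date, today: date, compromised: bool) -> bool:
    """Force a change on compromise or simply because the calendar says so."""
    return compromised or (today - last_changed) > LEGACY_MAX_AGE

# Policy modelled on the SP 800-63B draft as summarised in the post.
NIST_MIN_LEN = 8           # SHALL require at least 8 characters
NIST_RECOMMENDED_MIN = 15  # SHOULD require at least 15 characters
NIST_MAX_FLOOR = 64        # SHALL accept passwords of at least 64 characters

def nist_accepts(password: str, max_len: int = NIST_MAX_FLOOR) -> bool:
    """Length is the only rule: no composition requirement, spaces permitted.
    len() counts Unicode code points, so a multibyte passphrase is not shortchanged."""
    if max_len < NIST_MAX_FLOOR:
        raise ValueError("maximum length must be at least 64 characters")
    return NIST_MIN_LEN <= len(password) <= max_len

def nist_below_recommended(password: str) -> bool:
    """True when the password is permitted but shorter than the SHOULD threshold."""
    return NIST_MIN_LEN <= len(password) < NIST_RECOMMENDED_MIN

def nist_must_rotate(last_changed: date, today: date, compromised: bool) -> bool:
    """Age is irrelevant; only evidence of compromise forces a change."""
    return compromised

if __name__ == "__main__":
    for pw in ("Macbook2024^", "Macbook2024?", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_accepts(pw)} nist={nist_accepts(pw)} "
              f"short={nist_below_recommended(pw)}")
    print("90 days old, no compromise:",
          legacy_must_rotate(date(2024, 1, 1), date(2024, 6, 1), False),
          nist_must_rotate(date(2024, 1, 1), date(2024, 6, 1), False))
```

Note that the one-character "rotation" from the post passes the legacy checker just as the original did, while the lower-case passphrase with spaces is rejected by the legacy rules and accepted under the draft's length-only rule.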

CC By-SA license image from Christiaan Colen on Flickr.