NIST proposed password updates: What you need to know

This article will be updated over time as NIST password requirements continue to evolve.

The latest draft of the National Institute of Standards and Technology (NIST) password guidelines aims to simplify password management by eliminating outdated practices and providing clearer guidance on best practices.

NIST password guidelines: A primer

Before we jump into the breakdown of the NIST requirements, it’s worth understanding the language NIST uses when defining password requirements.

• Verifiers: The entity that verifies a user’s identity based on possession or control of an authenticator (a password, for example).
• Credential service provider (CSP): The entity responsible for registering passwords to subscriber accounts (this may be a third party).
• Authenticator: The item used to authenticate a subscriber to an account (such as a password or passkey).

Password length and complexity requirements

• Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
• Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
• Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
• Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
• Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

The first handful of updates are focused on password creation and associated requirements. In terms of password complexity and length, the updated guidance prioritizes password length over the arbitrary complexity provided by requiring a combination of characters, special characters, and numbers. It should be noted that the minimum guidance for password length (eight characters) should still be considered a “weak” password, and 1Password’s password length guidance is that passwords should be a minimum of 20 characters where possible.

While the requirement for special is gone, the updated guidelines also provide a path for increasing the types of characters that can be used when creating passwords. When combined with long passwords, the addition of accepting all ASCII characters (including symbols like !, @, &), Unicode (including characters not used in English like Á, Ü, Ķ), as well as the space character, increases the total number of acceptable characters that can be used, and therefore increases the difficulty in cracking passwords.

Password rotation requirements

• Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

NIST has recommended for years that organizations remove the requirement that users periodically rotate their passwords. Requiring password updates every few months is a practice that has been shown to actually hurt password strength, as it encourages users to create easy-to-remember passwords that are updated with minimal changes. This latest update strengthens the language to “SHALL NOT” require, emphasizing the need to retire this dated practice. The only exception is when there is evidence that a password or credential has been compromised, in which case a forced update is required.

Security questions and hint requirements

• Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
• Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.

Account creation often requires users to select from a variety of security questions that can be used to recover an account should a password be forgotten. The latest NIST guidelines recommend doing away with these requirements, as well as provide direction that password hints not be stored anywhere that is accessible to an unauthorized party.

Password verification requirements

• Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Truncating passwords is a practice that often occurs when a verifier shortens and verifies a password at the time of authentication. While this often is a result of technical limitations, such as storage needs, only verifying a subset of a full password (eight of 20 characters, for example) inherently weakens the security of the user.

Use 1Password to meet NIST password requirements

NIST has long encouraged the use of password managers as a best practice as it relates to password security:

Verifiers SHALL allow the use of password managers. Verifiers SHOULD permit claimants to use the “paste” functionality when entering a password to facilitate their use. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators [Managers].

1Password Enterprise Password Manager helps organizations meet the above guidelines in a variety of ways:

• Easily set password requirements, including minimal character count.
• Store and manage passwords for every login.
• Easily sign-in to any account from any device, from any location.

Get started securing passwords today with a free 14-day trial.

1Password