NIST New Passwords Guidelines

Recently, the National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines.
It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance.

In this guideline, NIST has proposed barring some of the most vexing and nonsensical password requirements, including mandatory resets, required or restricted use of certain characters, and the use of security questions.
One major update is that the new rules bar the requirement that end users periodically change their passwords. This "Mandatory Resets" requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed. But now, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.