I recently discussed why going passwordless is the future of security, yet many organisations and technologies still need time to adjust. Passwords remain popular today and may stay in use for some time to come; NIST's guidance in Special Publication 800-63B aims to balance security with usability and practical implementation.
Many organisations cannot say what their current password guidelines are, yet still require users to change passwords every 90 days and to include uppercase, lowercase, numbers and special characters - it might be time for an update!
With the publication of NIST Special Publication 800-63B, the agency made a deliberate shift: abandon punitive rules in favour of practical, evidence-based strategies that strengthen security and improve the user experience. Specifically, under this new guidance:
In short, longer, memorable passphrases are in.
Complicated, hard-to-remember strings like “dU23*&$nmH2*” are out.
NIST recommends encouraging users to create memorable passwords rather than forcing them into obscure, hard-to-recall combinations. It favours longer passwords built from simple language; a passphrase like:
...is easy to remember and difficult for others to guess, which makes it far more secure than a short, complex password.
Password strength depends on entropy - a measure of how many equally likely combinations would have to be tried to find the password - and a longer password made of simple components can offer much higher entropy than a shorter, complex one.
NIST has made one surprising change to its recommendations: it no longer calls for regular password changes.
Frequent password resets often produce predictable patterns: users increment a number or swap a letter, which is just another form of unsafe reuse. Instead, leave passwords alone until there is reason to believe they have been compromised. Long, strong passphrases combined with modern controls such as monitoring and MFA raise security significantly.
Another major change in the NIST guidance is its new emphasis on screening passwords against known breach data and weak patterns, including rejecting:
Many enterprise tools - and free services such as HaveIBeenPwned - provide automated password filtering that handles this screening.
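As an added example (not code from the original post or from CNS), the screening described above implemented offline in Python: it enforces the NIST SP 800-63B length bounds of 8 and 64 characters, rejects repetitive or sequential runs and context-specific words, and rejects passwords found in a small constructed breach corpus that is indexed by SHA-1 prefix in the same way the HaveIBeenPwned range lookup works. The corpus, the run length of 4 and the context words are constructed placeholders.

```python
import hashlib

# Constructed breach corpus for this example (a few well-known weak passwords);
# a real deployment would use a full breach list or the HaveIBeenPwned range API.
_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Index by the first 5 hex characters of the SHA-1 hash, mirroring the
# k-anonymity prefix lookup so only a hash prefix would ever leave the client.
_BREACH_INDEX = {}
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password):
    """True if the password's SHA-1 suffix appears under its 5-char prefix."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in _BREACH_INDEX.get(h[:5], set())


def has_repetition_or_sequence(password, run=4):
    """Reject runs like 'aaaa' or 'abcd'/'1234' (ascending or descending)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password, context_words=()):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    if is_breached(password):
        reasons.append("appears in breach corpus")
    if has_repetition_or_sequence(password):
        reasons.append("repetitive or sequential characters")
    lowered = password.lower()
    for word in context_words:  # e.g. the username or the service name
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```

Note that the checks are blocklist-based: there is no complexity rule, so a long plain-language passphrase passes while a short or breached string does not.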
NIST highlights the value of modern self-service password reset (SSPR) workflows, rather than forcing users to contact the helpdesk or answer outdated "What is your mother's maiden name?" questions. For effective implementation, organisations should:
Applied together, these measures reduce support costs, empower users and align with Zero Trust principles.
Even the strongest password can be compromised. That’s why MFA remains non-negotiable.
NIST encourages MFA methods that can withstand phishing - such as hardware tokens, authenticator apps or biometrics. SMS-based MFA is still better than nothing, but it is vulnerable to interception and spoofing; opt for stronger second factors wherever possible.
It's time to rethink password security! The NIST guidelines offer a practical, modern framework that better represents how people actually use technology today. By emphasising longer passphrases, enabling self-service tools, eliminating forced resets and layering MFA, organisations can secure themselves without burdening users with obsolete complexity.
If your password policy hasn't changed in five years, now is the time to do so. Security shouldn't just mean ticking boxes; rather, it should involve taking thoughtful approaches that address real threats while remaining user-centric.
CNS can assist your organisation with creating and implementing password security guidelines, and more.
Here's a summary of the key password-related recommendations from NIST SP 800-63B:
As certified IT security experts, we can help you fortify your defences, uphold regulatory compliance, improve your company's security posture and proactively maintain your servers and networks to protect you from evolving cyber risks.