Using a mixture of character types in your passwords and regularly changing passwords are officially no longer best password management practices according to new guidelines published by the US National Institute of Standards and Technology (NIST).
What is NIST?
When it comes to cybersecurity, NIST is a prominent and authoritative voice. This U.S. based government agency develops and issues guidelines to help organizations safeguard their information systems.
NIST’s cybersecurity recommendations are widely adopted across both the private and public sectors, influencing how businesses and individuals protect their data. A key aspect of their guidelines pertains to password policies.
The new guidelines were published in September 2024 as part of NIST’s second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines.
The Shift in Password Recommendations
For years, conventional wisdom advocated for passwords that were highly complex, combining upper and lower case letters, numbers, and symbols. This complexity was thought to make passwords harder to guess or crack through brute force attacks.
However, these complex requirements often led to users adopting poor habits, such as reusing passwords or choosing overly simple ones that barely met the criteria, like “P@ssw0rd123.’
Over time, NIST found that this focus on complexity was counterproductive and actually weakened security in practice.
Why the Focus on Length Over Complexity?
In its latest guidance, NIST has moved away from enforcing complexity rules in favor of encouraging longer passwords. There are several reasons for this shift:
User Behavior
Studies revealed that users often struggle to remember complex passwords, leading them to reuse passwords across multiple sites or rely on easily guessable patterns, like replacing letters with similar-looking numbers or symbols.
Further fueling this behavior was the requirement by many organizations to change your password every 60 to 90 days, which NIST no longer recommends.
Password Entropy
Password strength is often measured by entropy, which is a measure of unpredictability. In other words, the number of possible combinations that can be created using the characters in a password. The higher the number of combinations, or entropy, the more difficult it is for attackers to crack the password through brute-force or guessing methods.
While complexity can contribute to entropy, length plays a much bigger role. A longer password with more characters has exponentially more possible combinations, making it harder for attackers to guess, even if the characters themselves are simpler.
The Human Element
Long passwords that are easy to remember, such as passphrases made up of several simple words. For example, “big dog small rat fast cat purple hat jello bat” in password form, so minus the spaces, “bigdogsmallratfastcatpurplehatjellobat” is both secure and user-friendly. A password like this strikes a balance between high entropy and ease of use, ensuring users don’t resort to insecure behaviors like writing down passwords or reusing them.
Length Matters
While complexity can contribute to entropy, length plays a much bigger role. A longer password with more characters has exponentially more possible combinations, making it harder for attackers to guess, even if the characters themselves are simpler.
Further, advances in computing power have made it easier to crack short, complex passwords. However, even sophisticated algorithms struggle with lengthy passwords due to the sheer number of possible combinations.
In recent news, New York City Mayor Eric Adams announced a change from a 4-digit to a 6-digit passcode on his personal smartphone before turning it over to law enforcement. I wrote about how this change could prevent (for now) law enforcement from cracking the passcode on Adams’ smartphone.
This two digit addition to the passcode by Adams changed the possible combinations from 10,000 to 1,000,000. In their new recommendation, NIST emphasizes allowing users to create passwords up to 64 characters in length.
A 64 character password using only lowercase letters and real words would be extremely difficult to crack. If capitalized letters and symbols are included, cracking the password would be close to mathematically impossible.