A new update to the National Institute of Standards and Technology (NIST) password security guidelines now recommends longer passwords over the previous focus on using a mix of uppercase and lowercase letters, numbers, and special characters. While using multiple character types makes the password more complex, it often results in predictable patterns, which weakens security. The reason for this is simple: people need passwords they can easily remember, and creating a unique, random password for every account is difficult without using a password manager or a random password generator. As a result, people tend to rely on shortcuts, creating less secure passwords.
The updated NIST guidelines aim to simplify password management and remove ineffective security measures. The changes reflect a shift from recommendations to clear instructions, as indicated by the use of “shall” and “shall not” instead of the previous “should” and “should not.” This represents a stronger emphasis on compliance rather than suggestion. Healthcare providers would need to include these updates in their HIPAA training requirements and data management guidelines.
According to the updated guidelines (SP 800-63-4), cloud service providers (CSPs) and verifiers must now require passwords to be at least 8 characters long, though NIST recommends a minimum of 15 characters. Users should also be allowed to create passphrases as long as 64 characters. Although complexity requirements such as a mix of character types are no longer enforced, NIST advises permitting all printable Unicode characters, ASCII characters, and spaces in passwords.
NIST has also dropped its previous recommendation for mandatory periodic password changes. Enforcing frequent password updates can lead to users creating weaker passwords by making predictable changes to their existing passwords. Password changes should now only be required if there is evidence of a security breach. In such cases, service providers should suspend or invalidate the compromised credentials and offer alternative methods for users to regain account access.
Other important updates include the removal of knowledge-based password clues, like the name of a pet or a mother’s maiden name, because these are easily exploited using social engineering tactics. Subscribers should not be allowed to store hints that can be accessed by unauthorized users. NIST recommends that CSPs reauthenticate users once every 30 days and verify the full password when users attempt to log in.
While the guidelines no longer enforce password complexity, NIST suggests using a blacklist to prevent the use of weak or commonly used passwords. The guidelines also emphasize the importance of enhancing security through two- or multi-factor authentication, which should be implemented as much as possible.
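The length, character-set and blocklist rules described above, as an added example written for this article rather than code from NIST; the length values come from the text, the blocklist entries are constructed samples, and NFKC normalization is an assumption (the article does not say how length is measured):

```python
import unicodedata

# Policy values taken from the article: at least 8 characters, 15 recommended,
# and passphrases of up to 64 characters must be accepted.
MIN_LENGTH = 8
RECOMMENDED_MIN_LENGTH = 15
MAX_LENGTH = 64

# Constructed sample blocklist; a real deployment loads a breach-derived list.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein"}


def _normalize(password: str) -> str:
    # Assumption: normalize with NFKC so visually identical inputs compare equal.
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str) -> list[str]:
    """Return policy findings; an empty list means the password is accepted.

    Deliberately no composition rules: a long all-lowercase passphrase passes.
    The whole string is checked, never a truncated prefix.
    """
    findings = []
    normalized = _normalize(password)
    length = len(normalized)  # Unicode code points, so spaces and emoji count as characters
    if length < MIN_LENGTH:
        findings.append(f"too short: {length} characters, minimum is {MIN_LENGTH}")
    if length > MAX_LENGTH:
        findings.append(f"too long: {length} characters, maximum accepted is {MAX_LENGTH}")
    # Every printable character (any script, symbols, spaces) is allowed;
    # only control and other non-printing categories ("C*") are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        findings.append("contains non-printing characters")
    # Blocklist comparison is case-insensitive on the normalized value.
    if normalized.casefold() in BLOCKLIST:
        findings.append("appears on the blocklist of commonly used passwords")
    return findings


def meets_recommended_length(password: str) -> bool:
    """True when the password reaches NIST's recommended 15-character minimum."""
    return len(_normalize(password)) >= RECOMMENDED_MIN_LENGTH


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "短い", "x" * 70]:
        print(repr(candidate), evaluate_password(candidate) or "accepted")
```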
NIST is accepting public comments on the draft guidelines until October 7, 2024.