NIST has updated its password guidance (Special Publication 800-63B, the Digital Identity Guidelines volume on authentication) with six key recommendations that challenge long-standing enterprise practice:
- Length over complexity: Rather than mandating a mix of uppercase, digits and symbols, NIST recommends longer passwords or passphrases and advises verifiers not to impose composition rules at all. Complexity rules push users toward predictable substitutions ("P@ssw0rd1!") that cracking wordlists already cover, whereas a passphrase such as "llama-shoehorn-trumpet7" is longer, easier to remember and much harder to guess.
- Accommodate longer passwords: Verifiers should accept passwords of at least 64 characters (NIST sets 64 as the minimum acceptable maximum length) and should accept spaces and all printable ASCII and Unicode characters, since a multi-word passphrase naturally contains them. Most users won't go that long, but truncating or rejecting long secrets silently weakens them.
- Mandatory MFA: Multi-factor authentication is now treated as essential, not optional. Microsoft has reported that well over 99% of compromised accounts it studied had no MFA enabled, which makes it the single most effective control on this list.
- Reduce password changes: Scheduled expiry tends to produce weaker secrets, because users respond with minimal edits ("Summer2024!" becomes "Fall2024!") that an attacker holding the old password can guess. NIST recommends forcing a change only when there is evidence that the secret has been compromised.
- Screen for compromised passwords: New and changed passwords should be checked against a blocklist of values known to be weak or exposed: passwords from breach corpora, dictionary words, repetitive or sequential strings ("aaaaaa", "1234abcd"), and context-specific values such as the username or the service name. Matches are rejected and the user is told why so they can pick something else.
- Eliminate security questions: Knowledge-based recovery ("mother's maiden name", "first pet") is weak because the answers are often discoverable from social media or earlier breaches. NIST rejects these as authenticators; recovery should go through a time-limited link sent to a verified email address combined with MFA verification.
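The recommendations above on length, blocklists and breach screening can be expressed as a single acceptance check. The script below is an added example, not code from the original page or from NIST: it applies the SP 800-63B rules (NFKC normalization, a minimum of 8 and an accepted maximum of 64 characters, no composition rules, rejection of blocklisted, context-specific, repetitive or sequential values) and demonstrates the k-anonymity range-query pattern used by Have I Been Pwned, in which only the first five hex characters of the SHA-1 hash leave the host. The word list, local blocklist and the range response are constructed inline so it runs offline; the real lookup would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
"""Password-acceptance checks modelled on NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original page or from NIST. The word list,
the local blocklist and the HIBP-style range response are constructed inline
so the script runs offline; a deployment would fetch the range from
https://api.pwnedpasswords.com/range/<prefix> instead.
"""
import hashlib
import re
import secrets
import unicodedata

MIN_LENGTH = 8    # NIST minimum for user-chosen secrets
MAX_LENGTH = 64   # verifiers must accept at least this many characters

# Constructed local blocklist standing in for a breach corpus / dictionary.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1!"}

# Constructed stand-in for a k-anonymity range response: the client sends only
# the first five hex digits of SHA-1(password) and receives every suffix the
# server knows for that prefix, one "SUFFIX:COUNT" per line. The first suffix
# is the real SHA-1 suffix of "password"; the count and the second line are
# made up for this example.
RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0F19A9A9ED6F5B4B6E6B8E0B1F5D7A5F7B8:2\n",
}

# Constructed word list; a deployment would use a large list such as EFF's.
WORDS = ["llama", "shoehorn", "trumpet", "garden", "copper",
         "violin", "meadow", "pickle", "rocket", "saddle"]

KEYBOARD_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(secret: str) -> str:
    """NIST recommends NFKC/NFC so visually identical input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def sha1_prefix_suffix(secret: str) -> tuple[str, str]:
    """Split SHA-1(secret) into the 5-hex prefix that is sent and the rest."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(secret: str) -> int:
    """How often the secret appears in the (constructed) breach corpus.

    Only the prefix selects the range; the suffix comparison happens locally,
    so the full hash and the password never leave the host.
    """
    prefix, suffix = sha1_prefix_suffix(secret)
    for line in RANGE_RESPONSES.get(prefix, "").splitlines():
        known_suffix, _, count = line.partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def has_repetitive_or_sequential(secret: str) -> bool:
    """Flag runs such as 'aaaa', '1234', 'abcd' or 'qwer' (NIST's examples)."""
    lowered = secret.lower()
    if re.search(r"(.)\1{3,}", lowered):          # same character 4+ times
        return True
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - 3):
            chunk = run[i:i + 4]                  # 4 consecutive keys
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return False


def check_password(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons to reject the secret; an empty list means accept.

    Deliberately absent: composition rules and any expiry date.
    """
    secret = normalize(secret)
    lowered = secret.lower()
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    for context in (username, service):          # context-specific words
        if len(context) >= 3 and context.lower() in lowered:
            problems.append(f"contains context-specific word {context!r}")
    if lowered in BLOCKLIST:
        problems.append("on the local blocklist")
    if has_repetitive_or_sequential(secret):
        problems.append("repetitive or sequential characters")
    count = breach_count(secret)
    if count:
        problems.append(f"seen {count} times in breach data")
    return problems


def generate_passphrase(n_words: int = 4) -> str:
    """Suggest a passphrase from the word list using a CSPRNG."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("password", "llama-shoehorn-trumpet7", "alice2024!",
                      "aaaa1234abcd", generate_passphrase()):
        verdict = check_password(candidate, username="alice", service="example")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Two design points are worth noting. The check runs on the normalized string, so the length limits and the hash lookup see the same bytes the verifier will store. And the blocklist and breach check replace, rather than supplement, composition rules: the passphrase from the article passes untouched, while "password" is rejected twice over, once by the local list and once by the range lookup.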
Read the full guidelines (SP 800-63B) on NIST's website.