NIST publishes new password security guidelines

NIST has updated its password security guidelines with six key recommendations that challenge traditional practices:

  1. Length over complexity: Rather than requiring complex combinations of characters, NIST recommends longer passwords or passphrases. Simple passphrases like “llama-shoehorn-trumpet7” are more secure and memorable than shorter complex passwords, as they avoid predictable patterns users typically follow.
  2. Accommodate longer passwords: Organizations should support passwords up to 64 characters. While most users won’t need this length, providing flexibility for longer passphrases enhances security.
  3. Mandatory MFA: Multi-factor authentication is now considered essential, not optional. Microsoft found 99% of breached accounts lacked MFA, making it a critical security measure.
  4. Reduce password changes: Frequent mandatory password changes often lead to weaker security as users make minimal modifications. NIST recommends only requiring changes when compromise is suspected.
  5. Screen for compromised passwords: Organizations should check new passwords against databases of known breached credentials to prevent reuse of exposed passwords.
  6. Eliminate security questions: Traditional password recovery methods using personal information are vulnerable due to social media exposure. NIST recommends secure email recovery links and MFA verification instead.
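To make items 1, 2 and 5 concrete, here is an added illustration (not code from the article or from NIST) of a traditional composition rule beside a NIST-style length-plus-breach-screen rule. The breach corpus is a constructed in-memory set of SHA-1 hashes, the 8-character minimum is an assumption taken from SP 800-63B rather than from this article, and the prefix lookup mirrors how a breach-corpus range query avoids sending the full password hash over the wire.

```python
import hashlib

# Constructed sample breach corpus: SHA-1 hashes of a few well-known weak passwords.
# A real deployment would query a breach dataset by hash prefix only, so the full
# hash never leaves the client (the k-anonymity "range" query pattern).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!")
}

MIN_LENGTH = 8   # assumption: the SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64  # item 2: accept passphrases up to 64 characters


def breached_by_prefix(password: str, corpus=BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: collect every corpus hash that shares the first
    5 hex digits of the SHA-1, then compare the remaining 35 digits locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidate_suffixes


def legacy_check(password: str) -> list:
    """The traditional composition policy the article argues against."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a symbol")
    return problems


def nist_check(password: str) -> list:
    """Policy following items 1, 2 and 5: length bounds plus a breach-corpus
    screen, with no composition rules. An empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    elif breached_by_prefix(password):
        problems.append("appears in a known breach; choose a different one")
    return problems
```

Note that the article's passphrase passes `nist_check` but fails `legacy_check` (no uppercase letter), while a breached password such as "Summer2024!" satisfies every composition rule yet is rejected by the breach screen.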

Read the full guidelines on NIST's website.
