New NIST Password Guidelines
Recently the National Institute of Standards and Technology (NIST) released updated best practices for creating passwords. Surprisingly, NIST’s recommendations fly in the face of what we’ve been taught for a long time about creating strong, secure passwords. But these best practices are also aimed at minimizing the frustrations of users who fall into bad habits when required to juggle many difficult-to-remember passwords.
- Simplicity is in…but make it long! Skip the required special characters, numbers, and random capitalization. Instead, make the password long. Develop a passphrase that’s more like a sentence, because longer is stronger.
- Don’t change it all the time. Relax rules that require passwords to be frequently changed, as those rules create a lot of frustration and cause people to reuse passwords across multiple accounts.
- Screen new passwords. The emphasis is now on longer, simpler-to-remember passwords. But new passwords should also be screened at the time they are chosen to make sure they don’t appear on lists of passwords exposed in breaches, aren’t plain dictionary words, aren’t context-specific (e.g. containing the name of the software, service, or account), and so on.
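The screening step above is easy to get wrong in practice, so here is an added example of what a verifier-side check looks like. This is illustrative code written for this page, not NIST’s or any product’s implementation: the function name `screen_password`, the leetspeak normalization, and the tiny breach and dictionary sets are all assumptions, and a real deployment would load a large breach corpus instead of the handful of constructed entries shown. Note what is deliberately absent: there are no composition rules (no “must contain a digit or symbol”), matching the guidance above; the only hard requirement is a minimum length, set here to the 8-character floor that NIST SP 800-63B specifies for memorized secrets.

```python
"""Password screening in the spirit of the NIST guidance summarized above.

Added example; the names, thresholds and word lists are assumptions chosen
for illustration, not taken from NIST or from any real product.
"""
import re
from typing import Iterable, List

# Constructed sample of compromised passwords. A real deployment would load a
# breach corpus with hundreds of millions of entries (or query one via a
# privacy-preserving range lookup) rather than this toy set.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple",   # a long passphrase that is still well known
}

# Constructed sample of dictionary words considered too guessable on their own.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
# No upper cap is enforced here: long passphrases are the point, and SP 800-63B
# says verifiers should accept at least 64 characters.


def _normalize(secret: str) -> str:
    """Lower-case the secret and fold common leetspeak substitutions so that
    'P@ssw0rd' is compared as 'password'."""
    table = str.maketrans("0134$@!", "oleasai")  # 0->o 1->l 3->e 4->a $->s @->a !->i
    return secret.lower().translate(table)


def _is_sequential(secret: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678' (every step is +1 or -1)."""
    if len(secret) < 3:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return diffs in ({1}, {-1})


def screen_password(secret: str, context_terms: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password should be rejected.

    An empty list means the password passes screening. `context_terms` carries
    account-specific strings (service name, username, e-mail local part) that
    must not appear inside the password.
    """
    reasons: List[str] = []

    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalize(secret)

    # Breach list: compare both the raw and the normalized form, so trivial
    # symbol swaps do not evade the check.
    if secret in BREACHED_PASSWORDS or norm in BREACHED_PASSWORDS:
        reasons.append("appears in breach corpus")

    if norm in DICTIONARY_WORDS:
        reasons.append("is a single dictionary word")

    # Context-specific terms: reject if the (normalized) term is a substring.
    for term in context_terms:
        t = _normalize(term)
        if len(t) >= 3 and t in norm:
            reasons.append(f"contains context-specific term {term!r}")

    if re.fullmatch(r"(.)\1*", secret):
        reasons.append("repeats a single character")

    if _is_sequential(secret):
        reasons.append("is a sequential run")

    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the classic composition-rule-satisfying
    # but breached 'P@ssw0rd' and an otherwise fine passphrase that embeds the
    # service name.
    for candidate in ["correct horse battery staple", "P@ssw0rd",
                      "acmecorp2024", "aaaaaaaa", "12345678", "short"]:
        verdict = screen_password(candidate, context_terms=["AcmeCorp", "jsmith"])
        print(f"{candidate!r:32} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The leetspeak folding is the part most often skipped: without it, a breach-list check lets `P@ssw0rd` through even though `password` is the most breached string in any corpus. Conversely, the long spaced passphrase passes every check with no symbols or digits at all, which is exactly the trade the guidance above is making.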