Updated NIST Password Guidelines 2024
Your password is your first (and often only) line of defense between attackers and your data. Unfortunately, many of us aren't as diligent when it comes to creating a password that actually protects the dozens of applications we use every day.
How bad is the problem?
- Roughly 37% of people are still sharing their passwords with others. (Security.org)
- The most common password is "123456" (Readers Digest)
- Only 12% of people utilize unique passwords across applications (LastPass)
In order to protect yourself and the organization you work for, password security must always be at the top of mind. However, as the threat landscape changes, our password guidelines must evolve to reflect that.
Let's take a look at NIST's updated password guidelines to see what has changed and how you should craft your own password policy.
NIST Password Guidelines Update
The National Institute of Standards and Technology (NIST) has updated its guidance surrounding password policies to eliminate practices that didn't contribute to overall security. Here are the two biggest changes:
- Credential Service Providers (CSPs) should no longer recommend passwords using several character types.
- CSPs should stop mandating periodic password changes unless there is proof that it has been compromised.
These changes represent quite the departure from previous guidelines and suggestions. It was generally thought that complexity meant security, however that is not always the case. Many will mistake adding "!" or "_" to their password as "complex" when it really just makes it easier to crack. For example, "Password123!" is technically considered complex. It utilizes three different types of characters, however a password like this would take seconds to crack by an experienced threat actor. Additionally, as passwords became more complex, they also became harder to remember. This leads to users writing down their passwords in easy to find places or using the same password across multiple applications. This is why NIST emphasizes password length rather than complexity.
The other big change instructs CSPs to no longer require routine password changes. It was typically recommended that users change their passwords every 30-90 days. Now, NIST recommends only changes password when there is evidence of compromise. When forced to change passwords every 30-90 days, users would inevitably choose weaker passwords. NIST now claims that when a password is strong there is no need to change it as this could lead to overall weaker security.
CorpInfoTech, a managed service provider (MSP), located in Charlotte, NC can help your organization pursue greater password security. Through our managed service offering, we are able to help you design, implement, and maintain a robust cybersecurity plan that includes password policies meant to protect your most private data.
A To learn more about how CorpInfoTech can protect your business, contact us today!