NIST Recommended Changes to Passwords

The National Institute of Standards and Technology (NIST) is an industry leader in providing recommendations on information security. The institute has been publishing password guidelines since 2017, with its latest release this year. Some of the changes are controversial, but they are ultimately intended to benefit end users.

Here are some major changes to password standards from NIST:

Passwords Never Expire

This is one of the most controversial recommendations. NIST suggests removing the password expiration policy altogether. Unless the password is known to be exposed or compromised, or unusual activity is identified, there is no need to change it.

The argument is that if users know that a password must be changed after a certain period, they are less likely to use a password that they can remember. Users might also choose a weak password, thinking that it will be changed again soon. Furthermore, if the old password is compromised, there is a probability that the new password is also compromised. When old passwords expire, users tend to create a new password similar to the old one.
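The rotation pattern described above can be measured when a password is changed, since the user supplies both the old and the new password at that moment. The following is an added example, not part of the original article; the function names, the two-edit threshold and the sample passwords are constructed assumptions.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def base_word(pw: str) -> str:
    """Lower-case pw and strip leading/trailing digits and symbols."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when new is old with only a small tweak (assumed threshold)."""
    if old.lower() == new.lower():
        return True
    if edit_distance(old, new) <= max_edits:
        return True
    base = base_word(old)
    return len(base) >= 4 and base == base_word(new)

# Constructed (old, new) pairs, as seen by a change-password form that
# receives both values in the same request. Not real credentials.
ROTATIONS = [
    ("Summer2019!", "Summer2020!"),
    ("Blue-Heron7", "Blue-Heron8"),
    ("Password1", "Password1!"),
    ("Winter#44", "winter2020"),
    ("Tr0ub4dor&3", "correct horse battery staple"),
]

def minor_variation_rate(pairs) -> float:
    """Fraction of rotations where the new password is a near-copy."""
    return sum(is_minor_variation(o, n) for o, n in pairs) / len(pairs)

if __name__ == "__main__":
    for old, new in ROTATIONS:
        print(f"{old!r} -> {new!r}: near-copy={is_minor_variation(old, new)}")
    print(f"near-copy rate: {minor_variation_rate(ROTATIONS):.0%}")
```

Four of the five constructed rotations are flagged as near-copies of the expired password; only the change to an unrelated passphrase is not.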

Complex Passwords Are No Longer Recommended

Complex passwords that mix lower-case and upper-case letters, numbers and symbols do not improve password security. The reason is that people often get frustrated with the complexity requirements and tend to set up a password with only minimal complexity. Hence, the result can be a weaker password.

Also, with highly complex passwords, users tend to forget their passwords more easily and more often. In addition, because it is challenging to remember multiple complex passwords, users might end up using the same password for multiple accounts.

Remove Password Security Questions

According to NIST, the security questions in use are widespread and limited. People use the same questions and answers in multiple places, so if a hacker gains access to those security questions, users could have their information compromised on several online platforms.

In conclusion, NIST emphasizes that the password must be hard to guess but easy to remember.

To read the full NIST password guidelines, click here.

Triella can implement a password policy for your firm to ensure all users are protected. Call us now to get started!

Indika Ekanayake is the Lead Consultant at Triella.  We are a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Indika can be reached at 647.426.1004. For additional articles, go to our blog page. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.

© 2019 by Triella Corp. All rights reserved. Reproduction with credit is permitted.
