New password advice from NIST

If you’ve created an account on any service or web site in the last decade and a half, there’s a good chance you encountered some annoying password rules. The ones that insist on the use of mixed case letters, numbers, and punctuation.

NIST logoThose weird rules started appearing after 2003, when the US National Institute of Standards and Technology (NIST) published a document entitled Electronic Authentication Guidelines (SP 800-63), which included a set of recommendations for password security. If you’re interested, there’s an archived version of the document (PDF), with slightly updated content (Ver. 1.0.1), on the NIST site.

The Electronic Authentication Guidelines document includes recommendations for ensuring the strength of user-created passwords:

  • require a minimum of 8 character passwords, selected from an alphabet of 94 printable characters;
  • require at least one upper case letter, one lower case letter,
    one number and one special character;
  • prevent subscribers from including common words;
  • prevent permutations of the username as a password; and
  • force frequent password changes.

Users faced with these password-creation rules found ways to work around them, and in the process ended up with less secure passwords. Many users modified their existing passwords in very predictable ways, which made the work of guessing passwords much easier.

The author of those password rules now regrets much of what he said in that 2003 document: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” A new version of the NIST document eliminates many of the original recommendations.

NIST now recommends using long passphrases instead of complex passwords, as described in this classic xkcd comic: ‘correct horse battery stapler’ instead of ‘Tr0ub4dor&3’.

NIST’s new recommendations to site and service providers include eliminating requirements for the use of any particular type of character, eliminating password expiry rules, allowing passwords up to 64 characters long, and allowing the use of the clipboard in password fields.

The new rules make a lot of sense. Combined with the use of a good password manager, and remembering to avoid password re-use, they should make anyone who uses them much safer online.



About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.