NIST Password Guidelines as per Recent Update (Aug’24)

Meeba Gracy

Meeba Gracy

Nov 27, 2024
NIST password guidelines

Passwords have always been a contentious topic, both within the cybersecurity world and among everyday users.

Let’s face it: no one enjoys understanding the maze of complex rules or changing passwords regularly just because the calendar says so. 

Over the years, these frustrating requirements have led to poor password practices—think sticky notes, password123, or reusing the same login across platforms. The result? A breeding ground for compromised passwords and data breaches.

The National Institute of Standards and Technology (NIST) has provided refreshed guidance designed to simplify password management while improving security. These updates, outlined in NIST Special Publication 800-63B, reflect a fundamental shift away from outdated, counterproductive practices toward user-friendly, research-backed solutions.

The guidelines are evolving once again with the release of the Second Public Draft of NIST SP 800-63B-4 in August 2024. While primarily targeted at federal agencies, these standards have become the de facto benchmark for password security thanks to their comprehensive research, rigorous review process, and universal applicability.

Let’s unpack what’s new and why it matters.

TL;DR
NIST SP 800-63 was published and revised in 2017; however, the most recent revision to this guideline was made in August 2024, and stakeholder comments are being accepted. 
Some of the recommendations from the list created by NIST apply to previously used, and in fact, most of them were just suggestions. The change now in question seeks to make these guidelines requirement where some standard on password security is prescribed for organizations.
The new standard proposed by NIST norms implies that it is no longer necessary to require the password change every 90 days, but it is necessary to change the password only if it has been leaked in a data breach.

Why NIST password guidelines are crucial?

NIST password guidelines protect your information assets and comply with security standards requirements. They represent a set of internationally recognized best practices endorsed worldwide to enhance cybersecurity.

NIST SP 800-63-3 password guidelines are important as the number of password-cracking attempts increases. When attackers gain valid credentials, they can access your systems and escalate their privileges to an administrator or superuser level, resulting in a security breach.

NIST password guidelines

This breach can have severe consequences, from compromising your organization’s security posture to damaging your reputation and financial stability. To avert this, passwords serve as the first line of defense against cyber threats. Following the NIST SP 800-63-3 guidelines fortifies your information security infrastructure.

At a Glance: Updated NIST Password Guidelines for CSPs

The August 24th release of NIST password guidelines introduces a more flexible and user-friendly approach to password security, focusing on both length and complexity. Here’s what you need to know:

What to Do:

  • Password Length: A password should be at least 8 characters long and preferably 15 characters. This is because passwords can be cracked, and the longer the password, the longer it takes to crack the code.
  • Allow Flexibility in Length: You can go up to 64 characters for passwords thus providing users with the opportunity to create a more complex password.
  • Character Options: More password entropy, meaning the passwords should also be able to accept space and all printable ASCII characters.
  • Unicode Support: Passwords should also allow Unicode characters, which helps users include characters from different languages. Each Unicode character counts as one towards the total password length.

What to Stop:

  • Arbitrary Complexity Requirements: Eliminate unproductive, rigid guidelines that currently include having to type both lower and upper case, numbers, and symbols. Most of the time they don’t offer protection and are incredibly annoying to the users.
  • Periodic Password Resets: Don’t force users to change passwords at regular intervals unless there is evidence of a security breach. Requiring constant resets can lead to weaker passwords over time.
  • Password Hints: Stop allowing users to store password hints that could potentially be exposed to unauthorized users.
  • Security Questions: Stop relying on outdated security questions like “What was the name of your first pet?” These are easy for attackers to guess or find out through social engineering.
  • Truncating Passwords: Always verify the entire password, not just part of it. This ensures that users’ full password strength is considered during authentication.

Get NIST compliant on a budget

NIST password guidelines

These password best practices from NIST SP 800-63-3 guidelines don’t just emphasize the strength of passwords but also consider the behavior of the individuals creating these passwords while recommending a fortifying method.

NIST proposes that you need to clearly communicate to users how to do so and explain the requirements, like having passwords of at least 15 characters, with the option for up to 64 characters for passphrases. 

Encourage users to make their passwords as long as they like and to include any characters that help with memorization, including spaces. The user interface should support these long passwords. 

It’s also crucial not to impose unnecessary rules, such as requiring a mix of character types. Also, password resets should only be required when there is a breach or a user request, not just on a regular schedule.

The goal is to provide recommendations on various aspects of password management, including creation, authentication, implementation, storage, and regular updates.

Here are the 11 rules of NIST Password guidelines are as follows:

1. Use a password manager

Boosting your password strength is easier than you think. According to NIST SP 800-63-3 guidelines, one effective way is by using a password manager. It’s a tool that effortlessly encrypts your passwords and conjures up robust ones.

Ideally, systems should let you paste passwords when logging in. This makes life way easier, especially if you’re using a password manager or have a super long password saved elsewhere.

Research shows that when people use password managers, they’re more likely to create stronger, more secure passwords—especially if you have a built-in password generator to create unique ones for every account.

Here, reducing human error is key. Password managers automatically whip up NIST SP 800-63-3 guidelines for password length and potent passwords or passphrases, sparing you the headache of crafting them manually.

Studies have also revealed that user behavior plays a significant role in password security. Many folks recycle weak passwords rather than fashion new ones that adhere to security guidelines.

This practice opens up multiple vulnerabilities, especially when the same strong password is used across various platforms.

The solution? Equip your team with a password manager like the 1 password tool and give them the know-how.

2. Password length is always greater than complexity

Any system that manages passwords must require passwords to be at least 8 characters long. This is the absolute minimum to make your account harder to crack.

While 8 characters are the bare minimum, systems should ideally encourage passwords to be at least 15 characters long. Why? Longer passwords are way more secure because they’re harder to guess or break with brute-force attacks.

Insisting on complexity, like throwing in special characters or uppercase letters, can sometimes backfire. People take shortcuts, like capitalizing the first letter or adding a predictable “1” or “!” to the end.

While this adds some difficulty, experienced password-crackers anticipate this rookie moves with easy phishing attacks. That’s why the NIST SP 800-63-3 guidelines demand a minimum of 8 characters for standard passwords as a part of the risk management process or privacy risk assessment. Don’t use the same single character or consecutive characters for all your passwords.

3. Choose the “Show Password While Typing” option

Making typos while entering passwords is as common as a cup of morning coffee. When those characters instantly turn into those mysterious dots, it’s easy to lose track of where you went wrong.

This can be frustrating and push you to pick shorter, simpler passwords, especially on websites that limit login attempts and make it easy for unauthorized access.

If you can toggle the option to show your password recommendations as you type from your password lists or passwords against lists. You’ll be much more confident entering those long, complex common passwords correctly on the first attempt, making your online life much smoother with distinct authentication factors.

4. Breached password protection

According to NIST SP 800-63-3 guidelines, every time you create a new password with some password recommendations, it gets a thorough check against a “blacklist.” This list includes no-nos like common dictionary words or simple passwords, repetitive or easily guessable strings, passwords compromised in previous security breaches, and even sneaky variations on the site’s name.

Basically, it looks out for all the tricks cybercriminals might try.

What’s on this blocklist?

  • Passwords from previous data breaches (think: “123456” or “password”).
  • Dictionary words (like “apple” or “sunshine”).
  • Words specific to the account you’re setting up, such as the service name, your username, or slightly altered versions of them (e.g., “Ryan123” for a username Ryan).

If your password shows up on this blocklist, the system won’t accept it. You’ll need to pick a different one, and the system will explain why it was rejected.

This process helps protect you from brute-force attacks, where hackers try a bunch of common passwords to break into accounts. The blocklist makes it way harder for them to guess your password.

Also, systems are designed to limit how many guesses an attacker can try before being blocked, so the blocklist is a key layer of defense.

5. Keep your password safe with salting and hashing

To keep your secrets safe and sound, NIST SP 800-63-3 guidelines lay down some essential rules. First, when someone creates a lengthy p