
NIST’s New Guidelines for Passwords 2022


The National Institute of Standards and Technology (NIST) Special Publication 800-63 was originally released in 2017, but it has gone through various iterations and is constantly being revised. As of 2023, NIST has requested comments on the newest revision of 800-63 (Digital Identity Guidelines). As recently as 2020, NIST revised its password guidelines to emphasize password length over complexity, salting and hashing stored passwords, MFA, and making it easier for users to adhere to password security policies. Additionally, organizations should not require their employees to reset their passwords more than once per year, and they should monitor new passwords on a daily basis, testing them against lists of common and compromised passwords. Finally, NIST has identified a number of threats to authentication security, including password security, that businesses and industry professionals should keep in mind.

1. Reduce the Importance of Password Complexity

The new NIST password guidelines say you should focus on length rather than complexity when designing a password. Paradoxically, requiring complex passwords (special characters, uppercase letters, lowercase letters, and numbers) may make it easier for brute-force attacks to compromise your passwords, and this mostly has to do with user behavior: people respond to composition rules with predictable substitutions and short, reused patterns. Although NIST requires only a minimum of eight characters for passwords, generally the longer a password is, the more difficult it is to crack. I personally set passwords to a minimum length of sixteen characters (in my password manager!), though if you’re looking for a good middle ground, twelve is not bad.

2. Monitor New Passwords Automatically

Some passwords are compromised before they are even created; ensure new passwords are not just strong and long, but also that they are not on lists of commonly used, easily compromised passwords — sequential strings like “123456” and common words like “password” aren’t the only commonly compromised passwords, so check candidates against a current breach list rather than a handful of hard-coded strings.

3. Threats to Authentication

Passwords serve as the front line of authentication and defense for users and organizations, and breached passwords remain one of the most common threats to cybersecurity. By understanding the following threats to authentication identified by NIST, organizations can better define and respond to the risks that apply to them.

4. Eliminate Password Hints

NIST 800-63B prohibits password hints that help users remember their passwords, because a hint that is visible before authentication gives an attacker an important clue about that account’s password.

NIST Password Recommendations

NIST has a few recommendations that aren’t strict requirements but definitely count as best practices, because they improve the user experience and reduce the chance that human error will make you easy prey for a cyberattack:

  1. Set the maximum password length at 64 characters.
  2. Don’t require users to select special characters in their passwords.
  3. Allow copy-and-paste functions in your password fields; this allows password managers to work effectively.
  4. Allow ASCII and Unicode characters in your passwords.
  5. Utilize a secure password manager.
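As an added example (not code from the original page or from NIST), the following Python implements the policy described in sections 1 and 2 and in the list above: an 8-character minimum, a 64-character maximum, Unicode allowed with NFKC normalization, no composition rules, a blocklist check for commonly used or compromised passwords, and salted, iterated hashing of the stored credential. The blocklist entries are constructed for the example, the PBKDF2 iteration count and the `pbkdf2_sha256$...` record format are assumptions of this example rather than anything NIST specifies, and in production the blocklist would be a full breach list refreshed regularly.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample blocklist standing in for a real list of commonly used and
# breached passwords (hypothetical entries, stored lowercase).
BLOCKLIST = {"123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"}

MIN_LENGTH = 8    # NIST 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # recommended maximum so long passphrases are accepted

PBKDF2_ITERATIONS = 210_000  # assumed work factor for this example


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical input compares equally
    (e.g. the ligature U+FB01 'ﬁ' becomes 'fi'); length is counted afterwards."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the reasons a candidate password is rejected; [] means accepted.

    Deliberately no composition rules: uppercase, digits or symbols are never
    required, and any printable ASCII or Unicode character is allowed.
    """
    reasons = []
    normalized = normalize(password)
    length = len(normalized)  # code points, so each non-ASCII character counts once
    if length < MIN_LENGTH:
        reasons.append("too_short")
    if length > MAX_LENGTH:
        reasons.append("too_long")
    # Blocklist comparison is case-insensitive so trivial variants such as
    # "Password" are caught along with "password".
    if normalized.lower() in blocklist:
        reasons.append("compromised")
    return reasons


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself.

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Record format is an assumption of this example: algorithm$iterations$salt$hash
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ["123456", "Password", "correct horse battery staple", "pässwörd-für-mich"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Note that `check_password` never inspects character classes: a 28-character all-lowercase passphrase is accepted while an 8-character "Password" is rejected only because it appears on the blocklist, which is exactly the trade-off section 1 describes.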

The password generator I use: https://caseyjmorris.github.io/pronounceablePassword/