
NIST's September 2024 Update to Password Guidelines: Improved User Experience.

Published:
October 11, 2024
Last Updated:
October 12, 2024
Ben Rolfe

In September 2024, the National Institute of Standards and Technology (NIST) released updated guidance on password practices as part of the second public draft of its Digital Identity Guidelines (SP 800-63-4; the password requirements themselves live in SP 800-63B-4, Section 3.1.1). Rather than focusing on complexity, the draft emphasizes usability, password length, and password blocklists, aiming to balance improved security with user-friendly practices. Below, we explore the core elements of NIST's updates.

These updates provide a modest enhancement in password security, but they only address a small part of the broader challenges with passwords. As organizations adapt to these changes, they should explore implementing modern multi-factor authentication (MFA) and passkeys.

Key Changes in NIST's Updated Password Guidelines.

Focus on Password Length Over Complexity.

Historically, security policies demanded passwords that mixed uppercase and lowercase letters, numbers, and special characters. NIST's updated guidance refocuses on password length as the most critical factor and goes a step further: the draft states that verifiers and CSPs SHALL NOT impose other composition rules, such as requiring a mixture of character types. Composition rules push users toward predictable substitutions ("a" to "@", a trailing "1!") that cracking wordlists already model, so they add friction without adding much guessing resistance.

"Humans have a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed." - NIST SP 800-63B.

Longer passwords are much harder to guess, and passphrases built from words are also easier for users to remember than short strings of symbols. For example, a passphrase like "SeedsInTheBreezeFlowersByTrees" provides far more guessing resistance than a short, "complex" password like "P@ssw0rd!", which is a textbook substitution pattern and appears in most breach corpora. The caveat is that length only helps when the passphrase is not itself a well-known phrase or song lyric; those are in the wordlists too, which is why the blocklist requirement below matters.

"Password length is a primary factor in characterizing password strength. Passwords that are too short yield to brute-force attacks and dictionary attacks." - NIST SP 800-63B.

The 2024 draft sets the length rules precisely: verifiers and CSPs SHALL require a minimum of 8 characters and SHOULD require a minimum of 15 characters; they SHOULD permit a maximum length of at least 64 characters; and they SHALL verify the entire submitted password rather than truncating it. On character sets, verifiers SHOULD accept all printing ASCII characters and the space character, and SHOULD accept Unicode, with each Unicode code point counted as a single character (the draft recommends normalizing input, for example with NFKC, before comparison or hashing so the same passphrase typed on different keyboards matches). The draft also drops two long-standing anti-patterns: verifiers SHALL NOT offer password hints accessible to an unauthenticated claimant, and SHALL NOT prompt users for knowledge-based "security questions".

Remove Mandatory Password Resets.

Gone are the days of requiring password changes every 60 or 90 days. NIST's rationale is that frequent forced resets lead to weaker passwords, because users make minor alterations to existing passwords ("Winter2024!" becomes "Spring2025!") or write them down. The 2024 draft makes this a requirement rather than a suggestion: verifiers and CSPs SHALL NOT require users to change passwords periodically, but they SHALL force a change when there is evidence that the authenticator has been compromised, for example when the password is found in a breach corpus or credential-stuffing attempts succeed against the account. Rotation is therefore event-driven, minimizing user fatigue without leaving a known-compromised secret in place.

Implement Password Blocklists.

Another significant change is the introduction of mandatory password blocklists. When a user establishes or changes a password, the verifier SHALL compare the prospective secret against a blocklist of commonly used, expected, or compromised passwords. "Expected" covers values specific to the service or user, such as the product name or the username, as well as the dictionary and breach-derived values that attackers try first. If the candidate is on the list, the verifier SHALL require the user to pick a different secret and SHALL tell them why it was rejected. Checking against a large breach corpus is best done with a k-anonymity lookup (send only a short hash prefix, match the remainder locally) so the password itself never leaves your infrastructure.
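The length, normalization and blocklist rules above can be expressed as a single acceptance check. The following is an added example written for this article, not Authsignal code or text from the NIST draft. It enforces the draft's length bounds, NFKC-normalizes input and counts code points, imposes no composition rules, checks a small local blocklist, and then performs a k-anonymity style breached-password lookup in the "SUFFIX:COUNT" response format used by the Pwned Passwords range API. The breach data and the local blocklist are constructed for the demonstration, and the range "server" is an in-memory stand-in so the code runs offline; in production `fetch_range` would perform the HTTPS GET for the 5-character prefix.

```python
"""Password acceptance check aligned with NIST SP 800-63B-4 (second public draft):
length is enforced, composition rules are not, and a blocklist lookup replaces
periodic rotation. Added example for this article; constructed data throughout."""
import hashlib
import unicodedata
from typing import Callable, Iterable

MIN_LEN = 15   # the draft's SHOULD minimum (the SHALL floor is 8 characters)
MAX_LEN = 64   # the draft: verifiers SHOULD accept at least 64 characters


def normalize(password: str) -> str:
    """NFKC-normalize so the same passphrase typed via different Unicode
    sequences compares equal; the draft recommends NFKC or NFKD."""
    return unicodedata.normalize("NFKC", password)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex of the normalized password into the
    5-char prefix sent to a range API and the 35-char suffix matched locally."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the shape of a range API response) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def is_breached(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count (0 if unseen). Only the 5-char prefix leaves the host."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def make_constructed_range_server(breached: Iterable[tuple[str, int]]) -> Callable[[str], str]:
    """Offline stand-in for a range API, built from constructed (password, count)
    pairs. Hypothetical data so the example runs without network access."""
    table: dict[str, list[str]] = {}
    for pw, count in breached:
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(table.get(prefix.upper(), []))


def check_password(password: str, fetch_range: Callable[[str], str],
                   local_blocklist: frozenset[str] = frozenset(),
                   min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> tuple[bool, str]:
    """Accept or reject a candidate password and give the reason, as the draft
    requires. Deliberately no character-class rules (SHALL NOT impose them)."""
    pw = normalize(password)
    n = len(pw)               # len() counts code points, matching the draft's rule
    if n < min_len:
        return False, f"too short ({n} < {min_len} characters)"
    if n > max_len:
        return False, f"too long ({n} > {max_len} characters)"
    if pw.casefold() in local_blocklist:   # this example's choice: case-insensitive
        return False, "matches a commonly used or expected password"
    hits = is_breached(pw, fetch_range)
    if hits:
        return False, f"seen in {hits} breach record(s); choose a different password"
    return True, "accepted"


# Constructed sample data for the demonstration (not real breach statistics).
CONSTRUCTED_BREACHES = [("P@ssw0rd!", 1234), ("summer2024summer2024", 42)]
CONSTRUCTED_LOCAL_BLOCKLIST = frozenset({"correcthorsebatterystaple", "authsignalauthsignal"})

if __name__ == "__main__":
    fetch = make_constructed_range_server(CONSTRUCTED_BREACHES)
    for candidate in ["P@ssw0rd!", "summer2024summer2024", "CorrectHorseBatteryStaple",
                      "SeedsInTheBreezeFlowersByTrees", "e\u0301" * 8, "x" * 65]:
        print(repr(candidate), check_password(candidate, fetch, CONSTRUCTED_LOCAL_BLOCKLIST))
```

Two details are worth noting. The "e\u0301" case (a base letter plus a combining accent) is 16 code points as typed but 8 after NFKC, so it is correctly rejected as too short; counting before normalization would let it through. And the only thing the range lookup reveals to the remote service is a 5-character hash prefix shared by many thousands of passwords, which is what makes it acceptable to run a breach check at every password change.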

These updates improve password security and user experience, but passwords remain phishable, reusable, and dependent on the user's choices, so they are only a partial fix. Integrating Authsignal into your identity stack makes deploying modern and adaptive multi-factor authentication (MFA) and passkeys easier and faster. Thousands of organizations, including Google, Apple, Microsoft, and PayPal, now support passkeys for a more seamless and phishing-resistant user experience.

For a deeper dive into NIST's guidance on syncable passkeys, check out Authsignal's two-part blog series:

For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow (chain), learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.
