In June 2017 the National Institute of Standards and Technology (NIST) published an update to its password guidance under the title Digital Identity Guidelines (SP 800-63-3); the password-specific rules live in the companion volume SP 800-63B, which covers authenticators and calls passwords "memorized secrets". Many rules that the industry had long treated as best practice for credentials, such as mandatory character-class complexity and scheduled expiry, were replaced with simpler, more user-friendly requirements.
Examples of the new guidelines in SP 800-63-3 (SP 800-63B):
- Minimum length of 8 characters for user-chosen passwords; verifiers should accept passwords of at least 64 characters (64 is a floor on the maximum a verifier accepts, not a cap).
- All printing ASCII characters and the space should be accepted, and Unicode characters, including emoji, should be accepted as well; no composition rules (required digits, symbols, or mixed case) are imposed.
- Long passphrases are encouraged; every new password must be compared against a blocklist of commonly used, expected, or compromised passwords and rejected on a match.
- No scheduled password expiry; a change is required only when there is evidence that the password has been compromised (or the user has forgotten it).
- Multi-factor authentication is encouraged for all but the least sensitive applications.
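The following validator is an added example, not code from NIST or from this page; it implements the memorized-secret checks listed above (length floor of 8, an upper bound of at least 64, any Unicode accepted, no composition rules, blocklist comparison) and goes slightly beyond the list by also applying the NFKC normalization and the "no username or other context-specific words" rule that SP 800-63B states alongside them. The blocklist is a constructed stand-in for a real breach or common-password corpus.

```python
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64  # a verifier must accept at least this many characters; not a hard cap

# Constructed stand-in for a real list of commonly used, expected, or
# compromised passwords (a breach corpus in practice); entries are casefolded.
SAMPLE_BLOCKLIST = frozenset({
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "iloveyou", "admin", "welcome1",
})


def normalize(secret: str) -> str:
    """Apply NFKC so equivalent inputs (e.g. fullwidth letters) compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str,
                           username: str = "",
                           blocklist=SAMPLE_BLOCKLIST,
                           max_length: int = MAX_LENGTH) -> list[str]:
    """Return the reasons a user-chosen secret is rejected; empty list means accepted.

    Mirrors SP 800-63B section 5.1.1.2: minimum 8 characters, long passphrases
    allowed, any Unicode accepted, no composition rules, blocklist comparison,
    and rejection of context-specific words such as the username.
    """
    reasons = []
    norm = normalize(secret)
    # Count code points, not bytes: one emoji is one character toward the limit.
    length = len(norm)
    if length < MIN_LENGTH:
        reasons.append(f"too short ({length} chars, minimum {MIN_LENGTH})")
    if length > max_length:
        # Reject rather than silently truncate; truncation is discouraged.
        reasons.append(f"too long ({length} chars, this verifier accepts up to {max_length})")
    folded = norm.casefold()
    # Blocklist match is case-insensitive after normalization; no digit/symbol rules.
    if folded in blocklist:
        reasons.append("matches a commonly used or compromised password")
    # Context-specific words (the username and derivatives) are also prohibited.
    if username and username.casefold() in folded:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs covering the accepted and rejected cases.
    samples = [
        ("Tr0ub4dor&3", ""),                  # 11 chars, not blocklisted: accepted
        ("correct horse battery staple", ""),  # long passphrase with spaces: accepted
        ("\U0001F512" * 8, ""),               # 8 emoji (32 UTF-8 bytes): accepted
        ("\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44", ""),  # fullwidth "password": NFKC -> blocklisted
        ("Secret1", ""),                      # 7 chars: too short despite mixed case and a digit
        ("alice2024!", "alice"),              # contains the username
    ]
    for secret, user in samples:
        verdict = check_memorized_secret(secret, username=user)
        print(f"{secret!r:36} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The two details most often got wrong when teams adopt these rules are visible here: length is measured in code points after normalization (so an emoji passphrase is not penalized and a fullwidth spelling of a blocklisted word is still caught), and an over-long secret is rejected rather than truncated, since truncating silently changes what the user thinks their password is.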
Related Links and Additional Reading: