New NIST Password Guidelines

The National Institute of Standards and Technology (NIST) issued an update to its password guidelines in June 2017 titled Digital Identity Guidelines (SP 800-63-3). Many of the guidelines that previously existed in the industry as best practice with credentials have been replaced with simpler, more user-friendly approaches.

Examples of new guidelines in the Digital Identity Guidelines (SP 800-63-3):

  • Length of passwords between 8 – 64 characters are recommended.
  • Character types of nonstandard characters, such as emoticons, are allowed when possible.
  • Long passphrases are encouraged and should not match entries in the prohibited password dictionary
  • Password reset frequency should be primarily triggered on if the password is compromised or forgotten
  • Multifactor Authentication is encouraged in all but the least sensitive applications

Related Links and Additional Reading:

  1. NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk