Visionary is updating our password requirements to stay up to date with the new NIST standards. We currently require a minimum of 15 characters for new passphrases. See below for further details regarding the updated NIST standards.
NIST has just finalized new draft guidelines that substantially revise its password security recommendations, upending many of the standards and best practices that security professionals rely on when forming policies for their companies.
For quick background, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST develops the Federal Information Processing Standards (FIPS), which the Secretary of Commerce approves and with which federal agencies must comply. NIST also provides guidance documents and recommendations through its Special Publication (SP) 800 series.
NIST guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
NIST is now in the process of finalizing SP 800-63-3, Digital Identity Guidelines, and it has made some long-overdue changes to its recommendations for user password management.
The new framework recommends, among other things:
– Remove periodic password change requirements
This is one that legions of corporate employees forced to create a new password every month will surely be happy about. Multiple studies have shown that requiring frequent password changes is actually counterproductive to good password security, but the industry has doggedly held on to the practice. Hopefully, these new recommendations will change that.
– Drop the algorithmic complexity song and dance
No more arbitrary password complexity requirements demanding mixtures of upper-case letters, symbols and numbers. Like frequent password changes, it has been shown repeatedly that these kinds of restrictions often result in worse passwords.
The important thing to remember under these new guidelines is the overall length of the password. It might be easier to think of this change as moving from passwords to passphrases. The best passphrase is composed of 3-5 random words, like a short sentence or a haiku. For example: Correct Horse Battery Staple. These are four random words that make no sense together, yet the phrase is strange enough to be easily memorized.
The Electronic Frontier Foundation (EFF) and other parties have devised a simple way for anyone to make a truly random passphrase that thieves and automated cracking tools would not be able to guess or crack easily. It is called the Diceware Wordlist: each word is chosen by rolling dice and looking the result up in a fixed list, so the words come from physical randomness rather than from your own head. The EFF publishes its word list, along with instructions for using it, on its website.
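The following added example (not code from the original post, Visionary or the EFF) shows the two halves of this approach side by side: generating a Diceware-style passphrase from a word list using a cryptographically secure random source, and checking a candidate against a NIST-style policy that enforces minimum length and a breached-password blocklist but imposes no composition rules. The word list and the breached-password set are small constructed samples standing in for the real EFF list and a real breach corpus.

```python
import math
import secrets

# Constructed sample word list; the real EFF Diceware list has 7776 words,
# one for every outcome of five six-sided dice.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lemon",
                "canyon", "velvet", "puzzle", "meadow", "saddle", "thunder"]

# Constructed sample of known-compromised passwords; in practice this would be
# a large breach corpus checked on every password change.
BREACHED = {"password", "123456789012345", "qwertyuiopasdfg"}


def generate_passphrase(wordlist, n_words=4):
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG.

    secrets.randbelow plays the role of the dice: every word is equally
    likely and the choice cannot be predicted from earlier choices.
    """
    chosen = [wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words)]
    return " ".join(chosen)


def passphrase_entropy_bits(wordlist_size, n_words):
    """Guessing strength of a random passphrase: log2(list size) per word."""
    return n_words * math.log2(wordlist_size)


def check_policy(candidate, min_length=15, breached=BREACHED):
    """NIST-style check: long enough and not a known-breached value.

    Deliberately absent: required character classes and expiry, which the
    new guidelines drop. Returns (accepted, list_of_reasons).
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate.lower() in breached:
        reasons.append("appears in breached-password list")
    return (not reasons, reasons)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, check_policy(phrase))
    # A four-word phrase from the full 7776-word list gives about 51.7 bits.
    print(round(passphrase_entropy_bits(7776, 4), 1))
```

Note that a complex-looking but short password such as `P@ssw0rd1!` is rejected on length alone, while a 15-character value that appears in the breach list is rejected despite meeting the length rule.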