National Institute of Standards offers tips for new password guidelines |

National Institute of Standards offers tips for new password guidelines

Special to the NNBW

In June the NIST document (800-63-3) went through a re-write. The new guidelines drop the password expiration advice, as well as the suggestion to use special characters that did little for security and negatively impacted usability.

The new guidance suggests long, easy to remember phrases over crazy characters and suggests you should change your password only if there is a sign it may have been
stolen. Experts say using a series of four words can be harder to crack than a shorter hodgepodge of strange characters. Cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple” (all run together as one word) versus a password like “Tr0ub4dor&3” which can be cracked in 3 days.

Humans collectively spend the equivalent of 1300 years each day typing passwords so making them safe yet easy to remember is important. The new NIST guidelines suggest at least an 8 character password, but everyone should allow up to 64 (no more “sorry your password can’t be longer than 16 characters”). They suggest the password field should accept all Unicode characters, including Emoji. They recommend checking passwords against a database of bad choices so that passwords like “changeme” and “Yankees” are eliminated. NIST doesn’t want people to use “password hints” since many users make hints too obvious to hackers. The good news as mentioned above is that they suggest eliminating “composition rules” that are unduly restrictive, along with requirements for complexity such as upper and lower case, and odd characters. NIST also says you don’t have to expire passwords unless there is a reason.

Recommendations for Knowledge-Based Authentication (KBA) are now out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? Apparently, this doesn’t provide the level of security that everyone thinks it does. Oddly, they also suggest eliminating txt messages as a form of two-factor authentication. Two-factor is where you type a password AND must supply a special code, often delivered to your phone. That advice is based on the possibility of bad guys getting access to the text, but frankly here NIST’s advice may be missing the mark again. SMS txt seems to work well for most
users. NIST sometimes forgets that usability is a big thing and as Voltaire said, “perfect is the enemy of good’’. Which brings up another potential problem with the new password guidelines. That is, users who insist on using easily remembered sayings or quotes. These will be easy to hack using a dictionary attack. For example, “perfectistheenemyofgood” will get added to hacker’s databases along with “password” and other common phrases. It’s better to choose random words for your password.

1900 Vassar Street Reno, Nevada 89502-2109
Telephone 775-322-6455 ▪ Fax 775-322-5397 ▪


Here are our recommendations:

  • Choose random words (at least 4) and string them together i.e.


  • Change your password only if there’s a chance it’s been stolen.
  • Knowledge-Based Authentication is now optional. However, an SMS text seems to work well for users and we recommend keeping those verification questions in place.