What are the NIST Password Guideline Standards?
The National Institute of Standards and Technology (NIST) has established comprehensive guidelines for password management. The current Password Guideline Standards were last updated in 2020; the new guidelines were published in September 2024 as part of the public draft of NIST's Special Publication 800-63 Digital Identity Guidelines. The key updates all aim to enhance security whilst keeping things simple for the end user.
What are the key changes in 2024?
Password length matters more than complexity
Whilst the current standards already emphasise the importance of long passwords, the 2024 guidelines go further, recommending passwords or passphrases with a minimum of 12 to 16 characters. This is a significant jump from the current minimum length of 8 characters. Additionally, the guidance moves away from composition requirements (mixed case, digits and symbols) and focuses on length alone. This is because users typically satisfy complexity rules with predictable habits such as capitalising the first letter or adding a "1" or "!" to the end.
Fewer password changes
The current NIST guidelines recommend that passwords expire every 60 to 90 days. The new 2024 guidelines instead recommend that passwords do not expire and are changed only when there is a risk that an account has been compromised. This is in line with other recommendations not to enforce mandatory password changes, which is something Microsoft also recommends.
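To make the two changes above concrete, here is an added Python example (not code from the original article, and not NIST's own) that checks candidate passwords against a legacy composition-rule policy and a NIST-style length-first policy side by side, and applies each policy's rule on when a password change is required. The class names, the 12- and 64-character bounds, the sample passwords and the tiny blocklist are assumptions constructed for illustration; NIST SP 800-63B does require candidate passwords to be screened against a list of commonly used or compromised values, which the length-first policy shows with that toy list.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed toy blocklist for illustration only. A real deployment would
# load a large list of breached and commonly used passwords instead.
COMMON_PASSWORDS = {"password", "password1", "password1!", "welcome1", "qwerty123"}


@dataclass
class LegacyPolicy:
    """Old-style policy: 8+ characters, four character classes, 90-day expiry."""
    min_length: int = 8
    max_age_days: int = 90

    def check(self, pw: str) -> list[str]:
        """Return the rule violations (an empty list means the password is accepted)."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not re.search(r"[A-Z]", pw):
            problems.append("no uppercase letter")
        if not re.search(r"[a-z]", pw):
            problems.append("no lowercase letter")
        if not re.search(r"[0-9]", pw):
            problems.append("no digit")
        if not re.search(r"[^A-Za-z0-9]", pw):
            problems.append("no symbol")
        return problems

    def change_required(self, age_days: int, compromised: bool) -> bool:
        """Calendar expiry: rotate on a schedule, or earlier on compromise."""
        return compromised or age_days >= self.max_age_days


@dataclass
class NistStylePolicy:
    """Length-first policy: 12 to 64 Unicode code points, no composition rules,
    blocklist screening, and a change only on evidence of compromise."""
    min_length: int = 12
    max_length: int = 64
    blocklist: set[str] = field(default_factory=lambda: set(COMMON_PASSWORDS))

    def check(self, pw: str) -> list[str]:
        problems = []
        # Normalise so visually identical strings compare equal, then count
        # code points rather than bytes, so a 12-character passphrase in any
        # script is accepted.
        pw = unicodedata.normalize("NFKC", pw)
        length = len(pw)
        if length < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if length > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if pw.lower() in self.blocklist:
            problems.append("appears in the blocklist of common or compromised passwords")
        return problems

    def change_required(self, age_days: int, compromised: bool) -> bool:
        """No calendar expiry: the only trigger is evidence of compromise."""
        return compromised


def compare_policies(pw: str) -> dict[str, list[str]]:
    """Evaluate one candidate under both policies for a side-by-side view."""
    return {"legacy": LegacyPolicy().check(pw), "nist": NistStylePolicy().check(pw)}


if __name__ == "__main__":
    # Constructed samples: the first two satisfy every composition rule but are
    # short (and the first is a well-known pattern); the passphrase satisfies
    # none of the composition rules yet passes the length-first policy.
    for candidate in ["Password1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(candidate), compare_policies(candidate))
```

The interesting output is the disagreement: "Password1!" is accepted by the legacy rules and rejected twice by the length-first policy, while the four-word passphrase fails two legacy rules and passes the length-first policy cleanly.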
Use of password hints
Password hints are reminders that help users remember their passwords. They have previously been allowed, but it is now recommended that password hints are not permitted. Because of social media and social engineering, it is much easier for attackers to obtain the kind of information that hints reveal.
Password managers
Password managers can be very useful as they automate the generation of strong passwords. Users are encouraged not to reuse passwords across different accounts (including slight variations of a 'base' password), and password manager applications can create unique, strong passwords for users while keeping them stored in a single, encrypted location for the user's ease of access.
Reusing passwords across multiple accounts creates an obvious vulnerability: an attacker who obtains one of an individual's passwords may then have the password to all of their accounts.
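The two points above, generating strong unique passwords and avoiding trivial variations of a base password, can be turned into concrete controls. The added Python example below (not from the original article, and not any password manager's code) generates a random passphrase from a wordlist using the operating system's CSPRNG, reports the entropy that choice provides, and flags a new password that is only a cosmetic variation of the old one. The wordlist is a constructed stand-in for a published list such as the EFF long wordlist (7,776 words), and the substitution table and function names are assumptions; the variant check is only possible where the previous password is available in clear at change time, as it is when the user supplies both the old and the new password.

```python
import math
import re
import secrets

# Constructed demonstration wordlist (far too small for real use). Entropy
# scales with log2(list size), so a real generator draws from thousands of
# words, e.g. the EFF long wordlist with 7,776 entries.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "indigo", "juniper", "kestrel", "lagoon", "meadow", "nimbus", "orchid", "pebble",
]

# Substitutions users commonly make when "varying" a base password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw `words` entries with secrets.choice, which uses the OS CSPRNG.
    random.choice is a PRNG seeded predictably and must not be used here."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of `words` independent, uniformly chosen words."""
    return words * math.log2(list_size)


def base_form(pw: str) -> str:
    """Reduce a password to its 'base': lowercase, strip leading and trailing
    digits and punctuation, then undo common leetspeak substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return core.translate(LEET)


def is_trivial_variant(new_pw: str, old_pw: str) -> bool:
    """True when the new password shares a base with the old one,
    e.g. 'Summer2023!' -> 'Summer2024' or 'P@ssw0rd1' -> 'Password2'."""
    return base_form(new_pw) == base_form(old_pw)


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase, f"({entropy_bits(6, len(WORDLIST)):.1f} bits from this toy list)")
    print(f"six words from a 7,776-word list: {entropy_bits(6, 7776):.1f} bits")
    print(is_trivial_variant("Summer2024", "Summer2023!"))  # True
```

Six words drawn uniformly from a 7,776-word list give roughly 77.5 bits of entropy regardless of how the words are spelled, which is why a generated passphrase needs no composition rules; the same six words from the 16-word toy list give only 24 bits, which is the reason the list size matters more than the word count.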
What are the other key recommendations?
Multi-Factor Authentication
If you are not already using Multi-Factor Authentication (MFA), then this is a must-have alongside these recommendations. MFA adds an extra layer of security by requiring multiple forms of verification (e.g. something you know, something you have and something you are).
Microsoft Entra Identity Protection
Microsoft Entra Identity Protection is a service that collects and analyses user sign-in behaviour and categorises the sign-in risk. You can use these risk levels to configure policies that automatically respond to risky situations, including prompting the user for a password change. This policy suits organisations following the new NIST recommendation on password expiry, since it triggers a change on detected risk rather than on a calendar. To set up a sign-in risk or user risk policy you need to be licensed for Microsoft Entra ID P2.
Need additional support?
OneAdvanced's relationship with Microsoft goes back over 30 years, over which our Modern Workplace experts have helped numerous organisations digitally transform and embrace a better way of working. Get in touch with our team today to see how we can help!