Rethinking Password Security: Key Takeaways from NIST’s 2024 Guidelines

Unlock the key takeaways from NIST's 2024 password guidelines in my latest post, "Rethinking Password Security," featuring an exclusive infographic. As we navigate the future of identity security, the infographic highlights essential updates like prioritizing password length over complexity, the growing importance of password managers, and eliminating forced resets. Perfect for both users and organizations, this visual guide simplifies best practices to enhance your password security. Download the interactive infographic now to strengthen your digital defenses!

SECURITY

Rich Dean

10/13/2024 · 4 min read

As we approach Authenticate 2024, the FIDO conference set for October, Microsoft Entra is already making significant announcements. In an October 9th blog post, Jarred Boone from the Microsoft Entra ID team outlined the sessions for the event, stating, “In this session, I’ll discuss our new capabilities for synced passkeys protected by Windows Hello, and I’ll walk through a plugin model for third-party passkey providers to integrate with our Windows experience.”

While Microsoft continues to innovate with cloud-based passwordless technologies, solutions, and experiences, passwords for on-premises identity systems are here to stay. There’s no clear path to fully eliminate them yet. During my keynote panel, “Navigating the Future of Identity Services,” at this year’s TEC (The Experts Conference) in Dallas, Texas, I asked the audience, “Are you on the passwordless journey?” The overwhelming response from the TEC community in that room was a resounding yes.

If passwords are a necessary evil for the time being and, despite their importance, are not phishing-resistant, how should we manage them more effectively as both individuals and organizations?

Fortunately, the National Institute of Standards and Technology (NIST) has recently updated its SP 800-63 Digital Identity Guidelines: the second public draft of revision 4, released in August 2024, revises the password rules in SP 800-63B for both the people who choose passwords and the verifiers (the systems that check them). These updates are aimed at making authentication to our digital resources both more secure and more usable.

Life is too short and who wants to read this stuff?! To save you from sifting through the actual specifications — which can be a bit tedious — I’ve created an infographic that distills the key takeaways for both users and the organizations who build and govern these systems.

Here’s a breakdown of the most important changes:

Length Over Complexity: Forget the old advice of forcing a mix of special characters, numbers, and uppercase letters; the draft says verifiers shall not impose such composition rules. Instead, NIST sets a hard floor of 8 characters, recommends a minimum of 15 when the password is the only authentication factor, and requires verifiers to accept passwords of at least 64 characters. Length contributes far more to resistance against guessing than forced complexity does, and a long password built from ordinary words is easier to remember than a short one full of substitutions.

Password Managers are Essential: Organizations should allow, and users should rely on, password managers to generate and store a unique password for every account. The draft also says verifiers should permit paste functionality in the password field, precisely so that managers and passkey providers work. These tools make long, unique passwords practical, and uniqueness is what stops one breached site from compromising your other accounts. Including password managers in the cybersecurity strategy, rather than blocking them, is crucial for organizations.

This marks a significant shift for many people who have been using personal computers and recording passwords in notebooks for decades. Breaking this habit can be difficult, and there are understandable reasons why some might prefer to keep things as they are. However, given the rise in identity theft and compromised accounts, it is essential to educate everyone on the importance of adopting a trustworthy password manager.

There are many options available; according to cloudwards.net and comparitech.com, here are some of the best.

A final note on password managers: Microsoft recently announced, "Microsoft is partnering closely with 1Password, Bitwarden, and others to integrate this capability, providing users with seamless third-party passkey provider integration into Windows 11." In practice this means those password managers, and others that adopt the plugin model, can act as passkey providers inside Windows 11, so a single vault can hold both your passwords and your passkeys across many, if not all, of your accounts.

No More Forced Regular Changes: The draft says verifiers shall not require periodic password changes, and shall force a change only when there is evidence the password has been compromised. Frequent forced changes lead to weaker, more predictable choices (Winter2024! becomes Spring2025!). A strong, unique password can stay in place for as long as it remains uncompromised.

Now remember, "no forced rotation" only applies to passwords that already meet the bar. If a password is short, reused, or appears in a breach list, it needs to be replaced once, now, and then it can be left alone. So, for all the users, replace those weak old passwords. There are tools to help everyday users of all skill levels. Keep reading to find out more.

Blocklist Checks for Common Passwords: Verifiers shall compare a prospective password against a blocklist of values that are commonly used, expected, or already compromised, including dictionary words, repetitive or sequential strings (aaaaaa, 1234abcd), and context-specific values such as the username or the service name. This is what replaces composition rules as the defense against weak or reused passwords. Don't despair, users can protect themselves also. Many password managers, such as LastPass and Dashlane, offer features that alert users if a stored password is weak, reused, or appears on a list of compromised passwords.

Services like Have I Been Pwned allow users to check whether a password has been exposed in a data breach by cross-referencing it with an extensive corpus of compromised passwords. The Pwned Passwords check is designed so that the password itself is never sent: the client hashes it, sends only the first five hex characters of the SHA-1 hash, and matches the rest locally against the returned candidates (k-anonymity). Additionally, browsers like Chrome and Firefox include built-in password managers that notify users when a saved password is weak or has been found in previous breaches. However, use those with caution. Credentials saved in a browser are a primary target of infostealer malware, which can read them with the same user privileges the browser has, and many organizations prohibit browser password storage by policy. Here is an article from AllThingsSecured.com to help you get caught up on this topic and one from Dashlane that summarizes it nicely.
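The k-anonymity exchange described above, as an added example that is not part of the original post or of the Have I Been Pwned project: the client hashes the password, sends only the 5-character prefix to the range endpoint, and looks for its own 35-character suffix in the response. The range response embedded below is constructed for the example (the suffix for "password" is its real SHA-1 suffix, the count and the other rows are made up), so it runs offline; the live lookup is shown in a separate function and is not called.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response for the SHA-1 prefix
# "5BAA6". Real responses hold several hundred lines of "<35-char suffix>:<count>".
# The first two rows are made up; the last row's suffix is the real remainder of
# SHA-1("password"), with a made-up count.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_url(prefix: str) -> str:
    """Only the 5-character prefix ever leaves the machine."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table keyed by uppercase suffix."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_response: str) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised here). Add-Padding asks the service to pad the
    response so its size does not leak how many hashes share the prefix."""
    import urllib.request
    req = urllib.request.Request(hibp_range_url(prefix),
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "my dog ate 3 purple socks in Dallas"):
        prefix, _ = sha1_prefix_suffix(candidate)
        n = pwned_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: prefix {prefix} sent, seen {n} times in sample")
```

To run it against the real service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`; the password and its full hash still never leave the client, which is why a verifier can use the same protocol for its blocklist check without handling a third party's copy of the plaintext.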

Make Password Resets User-Friendly: Service providers and developers must stop building experiences that rely on security questions ("What was the name of your first pet?"). The draft says verifiers shall not use knowledge-based authentication like this and shall not let users store a password hint, because the answers are routinely recoverable through social media and social engineering. Instead, design reset processes that re-verify the person through an independent channel or factor and don't frustrate users or compromise security.

Embrace Flexibility in Password Creation: Verifiers shall accept all printing ASCII characters and the space, and should accept Unicode, with each code point counting as one character toward the length requirement. That allows users to create passphrases, which are easier to remember and, at 15 or more characters, stronger than the short complex strings we were trained to invent. One caveat for implementers: Unicode input should be normalized (NFKC or NFKD) before hashing so the same passphrase typed on two devices compares equal, and the password must never be silently truncated. Seems we have come full circle; I recall when passphrases were phased out as being less secure. Will we one day be switching back to a complex and unique password for everything? I hope not.
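The length, blocklist and character-set rules above fit together in a single verifier-side acceptance check. The Python below is an added example written for this post, not NIST's code or a vendor's implementation; the thresholds follow the draft's numbers, while the sample blocklist, the usernames and the simplified repetitive/sequential test are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH_SINGLE_FACTOR = 15  # NIST: SHOULD require 15 when the password is the only factor
MIN_LENGTH_MFA = 8             # NIST: SHALL require at least 8 in all cases
MAX_LENGTH = 64                # NIST: SHALL permit at least 64; raise freely, never truncate


def normalize(secret: str) -> str:
    """Normalize Unicode so visually identical input hashes identically."""
    return unicodedata.normalize("NFKC", secret)


# Constructed blocklist for the example. In production this is fed by a
# breached-password corpus plus dictionary words, all stored normalized+casefolded.
BLOCKLIST = {normalize(p).casefold() for p in (
    "password", "123456", "letmein", "qwertyuiop12345",
    "correct horse battery staple",  # famous phrases are in every cracking list
)}


def _is_repetitive_or_sequential(s: str) -> bool:
    """Simplified check for 'aaaaaaaa' or 'abcdefgh' / '87654321' style values."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


@dataclass
class Verdict:
    accepted: bool
    reason: str
    length: int  # counted in code points, as NIST requires


def check_password(secret: str, username: str, service_name: str,
                   blocklist: Optional[set] = None,
                   single_factor: bool = True) -> Verdict:
    """Accept or reject a prospective password. No composition rules are applied:
    the only tests are length, blocklist, obvious patterns and context words."""
    blocklist = BLOCKLIST if blocklist is None else blocklist
    norm = normalize(secret)
    length = len(norm)
    minimum = MIN_LENGTH_SINGLE_FACTOR if single_factor else MIN_LENGTH_MFA
    if length < minimum:
        return Verdict(False, f"shorter than {minimum} characters", length)
    if length > MAX_LENGTH:
        return Verdict(False, f"longer than {MAX_LENGTH} characters", length)
    lowered = norm.casefold()
    if lowered in blocklist:
        return Verdict(False, "on blocklist", length)
    if _is_repetitive_or_sequential(norm):
        return Verdict(False, "repetitive or sequential", length)
    for ctx in (username, service_name):
        if ctx and ctx.casefold() in lowered:
            return Verdict(False, "contains username or service name", length)
    return Verdict(True, "ok", length)


if __name__ == "__main__":
    # Constructed candidates; "alice" and "Contoso" are made-up context values.
    for cand in ("Tr0ub4dor&3", "my dog ate 3 purple socks in Dallas",
                 "correct horse battery staple", "\U0001F510" * 15,
                 "Alice loves long passphrases"):
        v = check_password(cand, "alice", "Contoso")
        print(f"{cand!r:45} len={v.length:2} {'OK' if v.accepted else 'REJECT'}: {v.reason}")
```

Note what is absent: nothing demands a digit or a symbol, so the eleven-character "Tr0ub4dor&3" fails only on length, while a plain five-word sentence passes. The emoji example shows length counted in code points (fifteen locks is long enough) yet still rejected, because a single repeated character is exactly the pattern the blocklist rule targets.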

By following these updated guidelines, both users and organizations can ensure they are better protected in today's digital landscape. While passwords remain an essential security measure, it's important to recognize their limitations: a perfectly chosen password is still handed over willingly on a convincing phishing page. Combining these best practices with multi-factor authentication (MFA), ideally a phishing-resistant method such as passkeys, and with other controls such as training and awareness campaigns is key to staying secure in an ever-evolving digital world.

If you are interested in knowing more about password policy, I recommend you check out Paul Robichaux’s article on Practical365.com, Practical Protection: Updating Your Password Policies.

You may download the interactive PDF version of the infographic below.