Updated NIST Password Guidelines and How MyPass Supports Your Security Needs

Update to previous port on Password Policy Requirements

Introduction

In a digital world where security is paramount, staying updated with the latest password management practices is crucial. Recently, the National Institute of Standards and Technology (NIST) released new guidelines that significantly shift our understanding of password complexity and management. In this post, we will explore these changes and how MyPass stands ready to support both the old and new standards for Credential Service Providers (CSPs).

The Shift in NIST Guidelines: A Move Away from Complexity

Traditionally, password management has emphasized the importance of using a mixture of character types and frequently changing passwords. However, the latest NIST guidelines, published in September 2024, advocate for a new approach:

• Forget Mandatory Complexity: CSPs are encouraged to stop recommending the use of varied character types and to refrain from mandating regular password changes, unless there is a known compromise of the authenticator.
• Knowledge-Based Authentication is Out: The use of knowledge-based authentication (KBA) or security questions has also been scrapped, promoting more secure and less predictable forms of user authentication.

In short, STOP doing the following:

• Stop requiring arbitrary password complexity, such as requiring special characters or a combination of characters (characters, numbers, special characters)
• Stop allowing users to save or store password hints
• Stop requiring mandatory password resets on set intervals unless evidence of compromise is present
• Stop the use of security questions when choosing passwords
• Do not use truncated passwords (in other words, verify the entire password)

The New Standard: Embrace Longer Passphrases

While the new guidelines require a minimum of eight characters, they recommend that users create passwords that are at least 15 characters long, with a maximum of 64 characters. The key takeaways include:

• Passphrases Over Passwords: Longer passphrases that are easy to remember but hard to guess are now the gold standard for password creation.
• Character Variety Encouraged: Users are encouraged to use ASCII and Unicode characters, giving them the freedom to create memorable yet secure passphrases.

In short, START doing this:

• Set a minimum password length of eight characters, with a suggested length of at least 15 characters
• Permit passwords to extend up to 64 characters
• Allow the inclusion of all printable ASCII characters (as per RFC20) and spaces in passwords
• Support Unicode characters (following ISO/IEC 10646) in passwords, treating each Unicode code point as a single character for length calculations

Supporting the Evolution of Password Standards

At MyPass, we understand the importance of adapting to these evolving standards. Our Self-Service Password Reset (SSPR) product is designed to align with both the previous and newly updated NIST guidelines:

• Flexibility in Password Management: MyPass allows users to create and manage passwords that adhere to the new recommendations, ensuring security while simplifying user experience.
• Support for Credential Service Providers: Whether you’re following the older or the latest NIST standards, MyPass is equipped to handle the requirements of all CSPs, making the transition seamless.

Conclusion

The landscape of password management is changing, and it’s essential to stay informed. With NIST’s latest guidelines, the focus is shifting toward longer passphrases and more robust authentication methods. MyPass is committed to providing solutions that not only comply with these new standards but also empower users to take charge of their digital security.

For more information on how MyPass can support your password management needs, visit www.mypass.co.za.