NIST’s New Password Guidelines: What You Need to Know

New Password Guidelines: NIST’s Surprising Recommendations for the Future of Security

In the IT industry, the latest draft of recommendations from the National Institute of Standards and Technology (NIST) has sparked a lot of conversation, particularly around passwords. The proposed changes may surprise you, as they shift away from traditional password complexity requirements.

What’s Changing?

Under the new guidelines, complexity requirements are being removed. This means no more need for upper and lowercase combinations, numbers, or special characters. NIST is also doing away with the maximum password age rule, which required users to change their passwords every 90 days. These changes mark a significant departure from past security practices.

How Will Security Be Maintained?

To uphold security standards, NIST has set new guidelines for password management:

  • Minimum Password Length: Passwords must be at least 8 characters long, though 15-64 characters are preferred for added security.
  • Compromise-Based Resets: Passwords should only be reset when there is evidence of a breach or compromise.
  • Uniqueness and MFA: Passwords must still be unique to prevent credential-stuffing attacks, and multi-factor authentication (MFA) remains crucial in securing many environments.
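The following policy check is an added example, not code from the newsletter or from NIST: it contrasts the older composition-plus-90-day-expiry rules with the draft rules listed above (8-character minimum, 15-64 preferred, no complexity classes, reset only on evidence of compromise). It goes one step beyond the post by also screening candidates against a blocklist of known-compromised passwords, which SP 800-63B requires; the blocklist entries, the `account` helper and the `TODAY` reference date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed sample blocklist. SP 800-63B also screens candidates against
# known-breached and common passwords; the post above does not cover this.
BLOCKLIST = {"password", "p@ssw0rd", "123456789", "qwerty123"}
TODAY = date(2024, 10, 1)  # fixed reference date so results are reproducible

@dataclass
class Account:
    password: str
    last_changed: date
    compromised: bool = False  # evidence of breach or compromise

def account(password: str, age_days: int = 0, compromised: bool = False) -> Account:
    """Constructed helper: an account whose password is age_days old."""
    return Account(password, TODAY - timedelta(days=age_days), compromised)

def legacy_policy(acct: Account) -> tuple[bool, bool, list[str]]:
    """Older rules: 8+ chars, four character classes, 90-day expiry.
    Returns (accepted, reset_required, notes)."""
    pw, notes = acct.password, []
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    accepted = len(pw) >= 8 and all(re.search(c, pw) for c in classes)
    if not accepted:
        notes.append("fails 8-char minimum or upper/lower/digit/special rule")
    reset = acct.compromised or TODAY - acct.last_changed > timedelta(days=90)
    if reset:
        notes.append("reset required: compromised or older than 90 days")
    return accepted, reset, notes

def nist_policy(acct: Account) -> tuple[bool, bool, list[str]]:
    """Draft NIST rules: length only (8 min, 15-64 preferred), no composition
    rules, blocklist screening, reset only on compromise. Same return shape."""
    pw, notes = acct.password, []
    n = len(pw)  # count characters, so spaces in a passphrase count fully
    blocked = pw.lower() in BLOCKLIST
    accepted = n >= 8 and not blocked
    if n < 8:
        notes.append("shorter than the 8-character minimum")
    elif blocked:
        notes.append("matches the compromised/common-password blocklist")
    elif n < 15:
        notes.append("accepted, but 15-64 characters are preferred")
    reset = acct.compromised
    if reset:
        notes.append("reset required: evidence of compromise")
    return accepted, reset, notes
```

A lowercase passphrase such as `correct horse battery staple` fails the legacy classes and is forced to rotate after 90 days, while the draft rules accept it and never demand a reset absent compromise; conversely `P@ssw0rd` satisfies every legacy class but is rejected by the blocklist.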

These changes aim to simplify password policies without compromising security, helping users create memorable yet strong passwords. At Pegasus Technologies, we’re committed to keeping our clients informed on these evolving standards and best practices for cybersecurity.

If you’d like to see tech tips on specific topics or have a cool tip to share, contact Pegasus Technologies and let us know! Your suggestion may even appear in an upcoming newsletter.