
Alteration in Password Regulations and Potential Gains

Password guidelines from the National Institute of Standards and Technology are being implemented, with certain professionals advocating for the eventual elimination of passwords entirely.


The National Institute of Standards and Technology (NIST) has recently updated its digital identity guidelines, shifting the focus towards longer, more memorable passphrases and multi-factor authentication (MFA) for enhanced security and user experience.

In the latest NIST Special Publication 800-63B, the organisation recommends passwords with a minimum length of eight characters, and passphrases of up to 64 characters. The emphasis is on length rather than complexity, as complex password rules often lead to predictable substitutions and patterns that weaken security.

NIST advises against enforcing character complexity rules such as mandating numbers, special characters, or mixed case. Instead, the use of long, passphrase-style passwords made of multiple words is encouraged for better memorability and security.

The updated guidelines also recommend checking entered passwords against databases of known compromised or commonly used passwords, and avoiding password hints and arbitrary expiration. Passwords should not be similar to user-identifying information, and MFA is strongly recommended for added security.
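The rules described above translate directly into verifier logic. The following is an added example (not NIST's code, and not from any vendor quoted in this article) of a password check written to the SP 800-63B recommendations: length is measured in Unicode code points after NFKC normalization, eight characters is the floor and 64 is accepted, no digit/symbol/mixed-case rules are imposed, and a candidate is rejected if it appears on a compromised-password list or contains one of the user's own identifiers. The `COMPROMISED` set is a small constructed stand-in for a real breach corpus, and the four-character minimum for identifier matching is an assumption of this example.

```python
"""NIST SP 800-63B-style memorized-secret validator (added example).

Returns a list of rejection reasons so the caller can show the user
exactly why a candidate was refused.
"""
import unicodedata

MIN_LEN = 8    # NIST: at least 8 characters
MAX_LEN = 64   # NIST: at least 64 characters must be accepted

# Constructed sample blocklist. A production verifier would consult a
# breach corpus (hashed, and ideally queried without revealing the secret).
COMPROMISED = {
    "password",
    "123456789",
    "qwertyuiop",
    "letmein1",
    "iloveyou",
}

# Assumed threshold: identifiers shorter than this are too short to be
# a meaningful match (e.g. two-letter initials would match everything).
MIN_IDENTIFIER_LEN = 4


def normalize(secret: str) -> str:
    """Apply NFKC normalization before measuring, comparing or hashing.

    SP 800-63B recommends normalizing Unicode so that the same visible
    passphrase typed on different platforms compares equal.
    """
    return unicodedata.normalize("NFKC", secret)


def contains_identifier(secret: str, identifiers) -> bool:
    """True if any user identifier (username, name, email local part, ...)
    appears inside the secret, case-insensitively."""
    secret_cf = secret.casefold()
    for ident in identifiers:
        ident_cf = normalize(ident).casefold()
        if len(ident_cf) >= MIN_IDENTIFIER_LEN and ident_cf in secret_cf:
            return True
    return False


def validate(secret: str, identifiers=()) -> list:
    """Check a candidate memorized secret against the article's rules.

    Returns an empty list when the secret is acceptable, otherwise one
    reason string per violated rule.
    """
    secret = normalize(secret)
    reasons = []

    # Length is counted in code points, not bytes, so multibyte
    # characters are not penalized.
    length = len(secret)
    if length < MIN_LEN:
        reasons.append("too short: minimum %d characters" % MIN_LEN)
    if length > MAX_LEN:
        reasons.append("too long: maximum %d characters" % MAX_LEN)

    # Breached / commonly used values are rejected regardless of length.
    if secret.casefold() in COMPROMISED:
        reasons.append("appears on the compromised-password list")

    # Secrets must not be derived from the user's own identifying data.
    if contains_identifier(secret, identifiers):
        reasons.append("contains user-identifying information")

    # Deliberately absent: any requirement for digits, symbols or mixed
    # case. NIST advises against such composition rules.
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "alice.smith2024"):
        print(repr(candidate), "->", validate(candidate, identifiers=("alice.smith",)) or "OK")
```

Because the validator reports reasons rather than a bare boolean, it can back both a registration form and a periodic re-screen of existing credentials against an updated blocklist, which is the only routine change the guidelines still call for.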

Charlotte Wylie, deputy CSO at Okta, suggests that passwords are outdated and cumbersome, and weak passwords are easy to guess, leading to identity-based attacks. Punit Minocha, EVP business and corporate development with Zscaler, agrees, stating that focusing on identity governance solutions and moving away from traditional authentication models prevents downtime, reduces the risk of unauthorized access, and builds better collaboration.

Many companies are already adopting these practices, requiring multi-factor authentication or biometric systems for added protection of credentials. With zero trust architectures, and solutions like single sign-on and identity and access management, the importance of the password decreases.

The agency no longer recommends that users change passwords on a fixed schedule, such as four or six times a year. Instead, a new password is in order if the previous one was compromised. Through continuous contextual authentication and authorization, security teams can catch questionable access and possible credential theft in real time.

These changes aim to improve digital identity guidelines, making passwords longer, easier to remember, and more secure. By focusing on identity governance and continuous contextual authentication authorization, companies can ensure the right people have the right access at the right time, enhancing overall security and productivity.

  1. The shift towards longer, more memorable passphrases and multi-factor authentication (MFA) in digital identity guidelines, as proposed by NIST, aims to enhance both security and user experience.
  2. In its latest update, NIST advises against character complexity rules, instead recommending the use of long, passphrase-style passwords for better memorability and security.
  3. A zero trust architecture, coupled with solutions like single sign-on and identity and access management, reduces the importance of traditional passwords for credential protection in companies.
  4. With continuous contextual authentication and authorization, security teams can detect questionable access and potential credential theft in real time, which reduces the need for routine password changes, in line with the NIST guidelines.
