Published by Allen Lepke, Security Engineer | August 8, 2018

Don’t we all love the topic of passwords? I know the topic is cringe worthy, but fear not, help has come via a government agency called NIST (National Institute of Standards and Technology). The previous recommendations had composition requirements like irregular capitalization, special characters, and at least one numeral, which might give you a password that resembles P@ssW0rd123!. Then to top it all off, we were supposed to change the passwords at least every 90 days. The author of those original rules, Bill Burr (now retired from NIST), admits that his advice was misguided. In June of 2017, NIST replaced them with Special Publication 800-63-3, the Digital Identity Guidelines; the password rules themselves live in the companion volume SP 800-63B (Authentication and Lifecycle Management), which calls passwords "memorized secrets."


First, the new recommendations favor the user. Make your password policies user friendly and put the burden on the verifier (the system checking the password) rather than on the person choosing it wherever possible. Second, size matters for passwords. NIST’s new guidelines require a minimum of 8 characters for user-chosen passwords and say verifiers should allow a maximum length of at least 64 characters, without silently truncating anything. Applications should accept all printable ASCII characters, including the space, and should also accept all Unicode characters, which includes emoji (each Unicode code point counts as one character toward the length). Use passphrases. A passphrase is naturally long and can carry punctuation, and a space is just another character that the attacker has to guess. Third, stop imposing composition rules entirely: instead of demanding an uppercase letter and a digit, screen the chosen password against a list of known-compromised, dictionary, and context-specific values (the user’s name, the service name, "password") and reject only those. If we do all of the above, the old 90-day rotation goes away too: NIST now says verifiers should not require periodic changes at all, and should force a change only when there is evidence that the password has been compromised.
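The acceptance rules above, as an added example written for this article and not code from NIST or from the original post. It assumes a tiny constructed list of compromised passwords standing in for a real breach-corpus lookup, and a hypothetical `check_secret` helper; the length limits and the NFKC normalization step follow SP 800-63B section 5.1.1.2.

```python
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: user-chosen memorized secrets SHALL be >= 8 characters
MAX_LENGTH = 64   # verifiers SHOULD permit at least 64; never truncate silently

# Constructed sample of "known compromised" values. A real deployment would
# query a breach corpus (tens of millions of entries), not an in-memory set.
COMPROMISED = {
    "password", "p@ssw0rd123!", "qwerty123", "letmein", "welcome1",
}

# Context-specific words the secret must not contain (service name, etc.).
CONTEXT_WORDS = {"example-corp", "examplecorp"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal.

    Length is measured in code points after normalization, so a single emoji
    or a precomposed accented letter counts as one character.
    """
    return unicodedata.normalize("NFKC", secret)


def check_secret(secret: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed memorized secret.

    No composition rules: we do NOT demand digits, case mixing or symbols.
    We only enforce length, reject control characters, and screen against
    compromised / context-specific values.
    """
    s = normalize(secret)

    # Printable ASCII, the space, and all other Unicode (including emoji and
    # the U+200D joiner used inside emoji sequences) are allowed; only raw
    # control characters (category Cc: tab, newline, NUL, ...) are rejected.
    if any(unicodedata.category(ch) == "Cc" for ch in s):
        return False, "control characters are not allowed"

    n = len(s)  # code points, not bytes
    if n < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if n > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"

    lowered = s.lower()
    if lowered in COMPROMISED:
        return False, "appears in a list of compromised passwords"
    if username and username.lower() in lowered:
        return False, "must not contain your username"
    if any(word in lowered for word in CONTEXT_WORDS):
        return False, "must not contain the service name"

    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssW0rd123!", "correct horse battery staple",
                      "🔐 ваш пароль 🔐", "short", "tab\there"]:
        print(repr(candidate), "->", check_secret(candidate))
```

Note what is deliberately absent: there is no regex demanding `[A-Z]`, `[0-9]` or `[!@#$]`. The `P@ssW0rd123!` example from the intro would sail through the old composition rules and is rejected here only because it is on the compromised list, which is exactly the trade NIST is asking implementers to make.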

[Illustration omitted. Credit: N. Hanacek/NIST]


For those of you who implement the password policy, there are other recommendations.
NIST provides further guidance on securely storing passwords. They must be salted and hashed with an approved one-way key derivation function such as PBKDF2 or Balloon, with the cost factor set as high as your verification servers can tolerate (NIST names at least 10,000 iterations for PBKDF2 as a floor). The salt must be at least 32 bits long and chosen at random for each password, so that two users with the same password do not end up with the same stored hash. In addition, NIST recommends one more keyed step: an extra iteration of a key derivation function using a secret salt (often called a pepper) of at least 112 bits that is generated by an approved random bit generator and known only to the verifier. That secret must be stored separately from the hashed passwords, for example in an HSM, so an attacker who dumps the user database alone cannot run an offline brute-force attack against it without also stealing the pepper.
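The storage scheme above, as an added example written for this article rather than code from NIST or the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a 128-bit random per-password salt, then an HMAC with a separately held pepper as the "additional iteration with a secret salt." The `hash_password` / `verify_password` names, the `$`-separated storage format, and the iteration count are choices made for the example; production deployments should raise the iteration count well above what is shown here and keep the pepper in an HSM or secrets manager, never in the same database as the hashes.

```python
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 100_000   # NIST floor is 10,000; raise this as far as your verifier can afford
SALT_BYTES = 16        # 128-bit per-password salt (NIST minimum is 32 bits)
PEPPER_BYTES = 32      # 256-bit secret salt, above the 112-bit minimum from SP 800-131A


def new_pepper() -> bytes:
    """Generate the verifier-wide secret salt. Store it apart from the hashes."""
    return secrets.token_bytes(PEPPER_BYTES)


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Normalize first so the same passphrase typed on different platforms
    # (precomposed vs. decomposed accents) derives the same key.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    # Step 1: slow, salted, one-way KDF. An attacker with the database must
    # pay this cost per guess per user because every salt is different.
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    # Step 2: keyed with the pepper. Without the pepper, the stored tag cannot
    # be recomputed from a guess at all, so a database-only leak is not
    # enough to start an offline attack.
    return hmac.new(pepper, dk, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$tag_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    tag = _derive(password, salt, pepper, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute the tag from the stored parameters and compare in constant time."""
    try:
        alg, iterations, salt_hex, tag_hex = stored.split("$")
        if alg != "pbkdf2-sha256":
            return False
        actual = _derive(password, bytes.fromhex(salt_hex), pepper, int(iterations))
        return hmac.compare_digest(actual, bytes.fromhex(tag_hex))
    except ValueError:
        # Malformed record or non-hex fields: treat as a failed verification.
        return False


if __name__ == "__main__":
    pepper = new_pepper()                      # in practice: loaded from an HSM / KMS
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print(verify_password("correct horse battery staple", record, pepper))   # True
    print(verify_password("Correct horse battery staple", record, pepper))   # False
    print(verify_password("correct horse battery staple", record, new_pepper()))  # False
```

Two properties worth checking in your own deployment: hashing the same password twice must yield different records (the salt is doing its job), and a record must fail to verify under any pepper other than the one it was created with (the pepper is actually in the chain, not just sitting in config).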