The National Institute for Standards and Technology (NIST) is a standard setter for computer password policies. The NIST has issued a new guidance that changes long standing password practices.
According to the new guidance, a user’s password should contain a minimum of 8 characters and a maximum length of 64 characters. Permissible characters can encompass the typical numbers, letters, and punctuation, with the addition of spaces, emoji and non- English characters. Additionally, the user will no longer be expected to utilize a mixture of specified character types (e.g. a symbol or a capital letter). Prospective passwords should be compared to an updated listing of known common, compromised, and expected passwords and the number of failed authentication attempts should be limited.
NIST also proposes the elimination of arbitrary password expirations (e.g. the password expires every 90 days and a new one must be created) as well as the dismissal of knowledge-based authentication (e.g. security questions or hints). Instead, the user’s unique password or passphrase would remain constant until either evidence of compromise exists or the user requests a change. To further assist the user, NIST recommends the system offer an option to display the individual characters as they are entered or even temporarily display the entire password, if the user operates in a secured environment. Doing so will aid in remembering lengthier or more complicated passwords and password phrases.
Maher Duessel recommends that clients unable to accommodate additional keyboard characters, like emoji, continue to require passwords that contain a mixture of characters (symbols, capital letters). In addition, passwords should be changed if there is evidence of compromise or at least one time per year.
For additional information see NIST’s Special Publication 800-63-3.