New Password Requirements from NIST

Written by Hornetsecurity / 02.10.2024 /

In this episode of the Security Swarm Podcast, host Andy Syrewicze and guest Michael Posey discuss the new password guidelines and recommendations released by NIST (National Institute of Standards and Technology). They cover a range of topics related to password security, including the importance of password length over complexity, the move away from composition rules and periodic password changes, the risks associated with knowledge-based authentication, the concept of password entropy, and more.

Throughout the conversation, Andy and Michael draw on their extensive experience in the cybersecurity field to offer practical advice and perspectives on the changing landscape of password security.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group.

Key Takeaways:

  • NIST recommends a minimum password length of 8 characters, with a suggested length of 15 characters or more.

  • NIST has recommended removal of the requirement for password composition rules, such as the need for special characters, numbers, and uppercase letters.

  • NIST states that password providers SHALL NOT require periodic password changes unless there is evidence of a breach, as this can lead to users creating predictable password patterns.

  • The use of ASCII and Unicode characters is now encouraged, allowing for more diverse and random password options.

  • Password entropy (randomness) is more important than password complexity, as modern computing power can quickly crack simple but complex-looking passwords.

  • For mission-critical systems, organizations may still choose to implement more rigorous password policies, even if they deviate from the NIST recommendations.

  • The industry is exploring new hashing methods and technologies, such as passkeys, to address the challenges posed by GPU-based brute-force attacks.
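As an added example (not code from the episode or from Hornetsecurity), the takeaways above translated into a verifier-side check: length is counted in Unicode code points after NFKC normalization, there are no composition rules, a breached-password blocklist replaces periodic rotation, and the entropy arithmetic shows why a longer password beats a more "complex" one. The sample blocklist and the 128-character upper bound are assumptions for illustration.

```python
import math
import unicodedata

MIN_LEN = 8      # NIST 800-63B minimum for user-chosen secrets
MAX_LEN = 128    # assumed local cap; NIST requires accepting at least 64

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein123"}


def normalize(secret: str) -> str:
    """NFKC so visually identical Unicode input (e.g. fullwidth letters)
    compares equal to its ASCII form both here and at login time."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, min_len: int = MIN_LEN) -> tuple[bool, str]:
    """Return (accepted, reason). No character-class rules are applied:
    only length, an upper bound, and a blocklist comparison."""
    s = normalize(secret)
    n = len(s)  # code points: a multibyte character counts as one
    if n < min_len:
        return False, f"too short: {n} code points, minimum is {min_len}"
    if n > MAX_LEN:
        return False, f"too long: {n} code points, maximum is {MAX_LEN}"
    if s.casefold() in BLOCKLIST:
        return False, "found in the breached/common password list"
    return True, "ok"


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length drawn
    from an alphabet of the given size: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["short", "correct horse battery staple", "ｐａｓｓｗｏｒｄ"]:
        print(repr(pw), check_password(pw))
    # 15 random lowercase letters vs 8 random printable-ASCII characters
    print("15 x [a-z]:", round(random_entropy_bits(15, 26), 1), "bits")
    print("8 x printable ASCII:", round(random_entropy_bits(8, 95), 1), "bits")
```

The fullwidth "ｐａｓｓｗｏｒｄ" is rejected because NFKC maps it onto the blocklisted "password", while the 15-letter lowercase passphrase carries more entropy than the 8-character mixed one.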

Timestamps:

(07:40) Credential Service Provider (CSP) Requirements and Recommendations

(10:02) Removing Password Composition Rules

(14:21) Ending Periodic Password Changes

(19:48) The Importance of Password Entropy and Length

(28:30) Phasing Out Knowledge-Based Authentication

(30:30) The Impact of Password Length on Cracking Time

Episode Resources:

NIST Special Publication 800-63B

To enhance your organization's security posture, consider implementing Hornetsecurity's Advanced Threat Protection. This solution provides AI-powered defense against sophisticated attacks, ensuring your emails and data remain secure. By adopting best practices in password management and utilizing advanced security features, you can significantly reduce the risk of breaches. Protect your business today and stay one step ahead of cyber threats. Learn more about Advanced Threat Protection here.