
October 05, 2024

The 10 Commandments of NIST Password Security (2024 Update)

The National Institute of Standards and Technology (NIST) has released updated password guidelines in SP 800-63B, and they read almost like holy writ!
Here are the “10 Commandments” of password authentication according to NIST:

1. Thou Shalt Choose a Password or Assign One Randomly 🔑

  • Passwords may be chosen by the user, or randomly generated and assigned by the Credential Service Provider (CSP).

2. Thou Shalt Not Choose From a Blocked List 🚫

  • If your password appears on a blocklist (commonly used, expected, or previously breached passwords), you must be told to pick a different one.

3. Thou Shalt Not Impose Additional Complexity Requirements ❌

  • No more composition rules: no mandatory mix of upper- and lowercase letters, digits, or special characters.
    Forced complexity only pushes users toward predictable patterns like “Password1!”; length does the real work.

4. Thou Shalt Require Passwords Of At Least 8 Characters 🔢

  • A minimum of 8 characters is mandatory, and a minimum of 15 is recommended. Verifiers should accept at least 64 characters and must check the whole password rather than silently truncating it.

5. Thou Shalt Allow All ASCII & Unicode Characters 🖥️

  • All printable ASCII characters (including the space) and Unicode characters should be accepted, with each Unicode code point counting as one character toward the length. Verifiers should Unicode-normalize (NFKC or NFKD) before hashing so the same password typed on different systems still matches.

6. Thou Shalt Not Request Regular Password Changes 🔄

  • No more periodic password expiry. A change is forced only when there is evidence the password has been compromised.

7. Thou Shalt Not Use Password Hints or Security Questions ❓

  • No password hints visible to unauthenticated users, and no knowledge-based authentication (KBA) questions (“What was the name of your first pet?”). Those answers are guessable or findable on social media.

8. Thou Shalt Check a Block List When Passwords Are Set or Changed 📜

  • Every new or changed password must be compared against a blocklist of commonly used, expected, or breached passwords before it is accepted. This replaces composition rules as the main defence against weak choices.

9. Thou Shalt Encourage the Use of Password Managers 💼

  • Password managers should be permitted and encouraged, which means allowing “paste” into the password field instead of blocking it.

10. Thou Shalt Use Strong Hashing And Secure Channels 🛡️

  • Stored passwords must be salted and hashed with a key derivation function (NIST names PBKDF2 and Balloon) so that a stolen database resists offline cracking; an additional secret key stored outside the database (a keyed hash) is optional extra protection. Passwords in transit must only travel over an authenticated protected channel such as TLS.
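The verifier-side rules above (minimum and maximum length counted in Unicode code points, no composition rules, no truncation, blocklist check on every new or changed password, salted key-derivation hashing with an optional secret key) fit into a few functions. The following is an added example, not code from NIST or from this page: the blocklist is a constructed sample, PBKDF2-HMAC-SHA256 is one of the KDFs NIST names, and the iteration count, the 16-byte salt and the `pbkdf2_sha256$…` storage format are choices made for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Length policy from SP 800-63B: SHALL require >= 8, SHOULD require >= 15,
# SHOULD accept at least 64 characters.
MIN_LENGTH_REQUIRED = 8
MIN_LENGTH_RECOMMENDED = 15
MAX_LENGTH = 64

# Constructed sample blocklist; a real deployment loads a large list of
# commonly used, expected and breached passwords.  Entries are casefolded.
BLOCKLIST = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "correct horse battery staple",   # famous passphrases end up on lists too
}

# Storage parameters chosen for this example.  NIST's floor for the salt is
# 32 bits; 16 random bytes is comfortably above it.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize(password: str) -> str:
    """NFKC-normalize before measuring or hashing, so the precomposed and
    decomposed spellings of the same string are treated identically."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST,
                   min_length: int = MIN_LENGTH_RECOMMENDED) -> Tuple[bool, str]:
    """Return (accepted, reason) using only the checks NIST permits:
    length in Unicode code points and a blocklist lookup.  Deliberately no
    composition rules (digits, symbols, case) and no truncation."""
    pw = normalize(password)
    if len(pw) < min_length:
        return False, f"too short: {len(pw)} < {min_length} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: {len(pw)} > {MAX_LENGTH} characters"
    if pw.casefold() in blocklist:   # catches "Password" and "PASSWORD" too
        return False, "found in blocklist of common or breached passwords"
    return True, "ok"


def _derive(password: str, salt: bytes, iterations: int,
            pepper: Optional[bytes]) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, optionally keyed with a secret (pepper)."""
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             salt, iterations)
    if pepper is not None:
        # Keyed-hash option: HMAC the derived key with a secret held outside
        # the password database, so a dumped table alone cannot be cracked.
        dk = hmac.new(pepper, dk, "sha256").digest()
    return dk


def hash_password(password: str, pepper: Optional[bytes] = None) -> str:
    """Produce 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh
    random salt, so identical passwords never share a stored hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = _derive(password, salt, PBKDF2_ITERATIONS, pepper)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str,
                    pepper: Optional[bytes] = None) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = _derive(password, bytes.fromhex(salt_hex), int(iters), pepper)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple",
                      "my dog ate my homework in 2019"]:
        print(repr(candidate), check_password(candidate))
    record = hash_password("pa\u0308sswo\u0308rter sind su\u0308ß")  # decomposed umlauts
    print(verify_password("pässwörter sind süß", record))           # precomposed form
```

Note what the checks do and do not reject: “Tr0ub4dor&3” fails on length alone despite its digits and symbols, while a plain 30-character sentence with spaces passes, and a well-known passphrase is caught by the blocklist rather than by any character rule. The normalization step is what lets a password typed with decomposed umlauts verify against a hash computed from the precomposed form. In production the blocklist would be far larger (a breach corpus or an offline copy of a known-compromised list) and the pepper would live in a secrets store or HSM, not in the database next to the hashes.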

💡 Why are these new rules important?

  • These guidelines reduce the burden on users by dropping complexity rules and forced expiry, and put the security weight where it belongs: length, blocklists, and strong password hashing, which make both online guessing and offline cracking harder.

🔐 Conclusion: NIST makes it clear: passwords without composition rules don’t have to be insecure!
Use a password manager and long passwords or passphrases, and you’ll be ready for the future of online security.
For more info, see NIST SP 800-63B, Digital Identity Guidelines (nist.gov).
