2024 NIST Password Guidelines: Enhancing Security Practices
Security Boulevard, Monday, September 23rd, 2024
The NIST password guidelines have come a long way, adapting to an ever-changing cybersecurity space and, just as importantly, to how people actually behave.
The complexity era predates SP 800-63B. NIST's original SP 800-63 (2004) and the guidance built on it treated security as a function of complexity. You know the drill: passwords filled with uppercase letters, lowercase letters, numbers, and special characters, on the theory that more character classes equals more security.
In practice, all this complexity wasn't doing the trick. Composition rules don't make people choose random strings; they make people get creative in all the wrong ways, writing passwords down, reusing them across sites, or producing something that satisfies every rule while remaining completely predictable (looking at you, 'Password123!', which passes a three-of-four-classes check and also sits near the top of every breached-password list). Recognizing this, NIST reversed course in the 2017 revision, SP 800-63B: it dropped mandatory composition rules and periodic rotation, told verifiers to screen new passwords against lists of known-compromised values instead, and put the emphasis on length. The 2024 public draft of SP 800-63B-4 keeps that direction, turning "should not require composition rules" into a "shall not" and raising the recommended minimum to 15 characters. Why length? Because every extra character multiplies the search space an attacker has to cover, so a 16-character all-lowercase passphrase has more entropy than an 8-character password drawn from all 95 printable ASCII characters, and a passphrase is usually far easier to remember than a convoluted combination.
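To make the contrast concrete, here is an added example (not code from the article or from NIST) that puts a legacy three-of-four-classes rule next to an SP 800-63B-style policy: NFKC normalization, length bounds, no composition rules, and a blocklist check. The blocklist here is a constructed stand-in for a real breached-password corpus, and the trailing-digit/symbol stripping before the blocklist lookup is a common hardening I added, not something NIST prescribes. The entropy helper shows why a long lowercase passphrase beats a short "complex" one.

```python
"""Legacy complexity rule vs. SP 800-63B-style length-plus-blocklist policy.

Added illustration, not part of the original article or of any NIST text.
"""
import math
import unicodedata

# Constructed sample blocklist. In production, load a breached-password
# corpus (or query a k-anonymity API) instead of a hard-coded set.
BREACHED = {
    "password", "password1", "password123", "password123!",
    "qwerty", "letmein", "123456", "iloveyou",
}

# Characters commonly bolted onto a base word to satisfy composition rules.
_TRAILING_JUNK = "0123456789!@#$%^&*.?"


def legacy_complexity_ok(pw: str) -> bool:
    """2004-era rule: at least 8 chars and at least three of four classes."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= 8 and classes >= 3


def modern_policy_ok(pw: str, min_len: int = 8, max_len: int = 64,
                     blocklist: set = BREACHED) -> bool:
    """SP 800-63B-style check: normalize, bound length, consult a blocklist.

    No composition rules. The case-fold and trailing-junk strip are my
    additions so that 'Password123!' and 'Password2024!' both resolve to
    the blocklisted base word 'password'.
    """
    pw = unicodedata.normalize("NFKC", pw)
    if not (min_len <= len(pw) <= max_len):
        return False
    lowered = pw.lower()
    if lowered in blocklist:
        return False
    base = lowered.rstrip(_TRAILING_JUNK)
    return base not in blocklist


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"modern={modern_policy_ok(candidate)}")
    print(f"8 chars, 95-char alphabet : {entropy_bits(8, 95):.1f} bits")
    print(f"16 chars, lowercase only  : {entropy_bits(16, 26):.1f} bits")
```

Running the block shows the inversion the article describes: 'Password123!' sails through the legacy rule and is rejected by the modern one, while a four-word lowercase passphrase fails the legacy rule and passes the modern one, despite carrying more entropy (about 75 bits vs. 53 for an 8-character password over all printable ASCII).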