NIST Makes Passwords a Little Bit Easier


After much research, the National Institute of Standards and Technology (NIST) has determined that we have been doing passwords all wrong!

Traditionally, best practice for password use has been a minimum of 6 characters composed of a combination of letters, numbers and symbols, which had to be rotated periodically. To make things more complex, companies typically added rules about how frequently a password could be reused - or prohibited reuse completely.

What NIST's research showed is that all the rules simply pushed more people into predictable password patterns. Patterns like  Jan18!, Feb18!, Mar18!, which satisfies the no reuse rule, the minimum length rule and the content rule. However, it is completely deducible with only a small amount of social engineering or programming.

So, based on this behavior, what did NIST recommend?

  • Minimum length of 8 characters
  • Maximum length of 64 characters
  • Mandatory change based on enforced minimum length
  • Check against dictionary of known bad passwords
  • No composition rules
  • No recovery hints

Now that we know what is to be done on the server or application side, how does the end user make use of the new best practices?

The best solution is to use a password vault with generation capabilities, which gets you down to a single password for access to the vault.  Password vaults are programs that securely store large numbers of passwords protected by a password. For Windows, some of the popular ones are LastPass, Dashlane, KeePassX and Sticky Password. For MacOS, some of the popular ones are 1Password, KeePass, LastPass, and SplashID Safe.

If you are new to password vaults, then your next step is to visit all the websites you use and use the password vault to generate a new password for each one.

Alternatively, picking phrases that strike a chord with you from songs, movies, plays or books make good passwords, but make sure they are as long as you can remember – 20, 30...64 characters, with a minimum of 16 characters.

Once you have password habits that are cyber secure, it is time to secure your whole environment so you can become cyber confident.

If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:

Building a Cyber Confident World


Mike Moran
About the Author

Mike Moran, CISSP – Cyber Security Advisor – A veteran of the software industry focused primarily on applications and development tools, with a secondary focus on high availability, high traffic web sites. A CIO vision with extensive business, software development, and database architecting with cyber security addressed at every level. Guides development and administration ensuring secure and stable software and operating environments. Past projects include architecting and supporting real-time online access to three Olympics and maintaining a healthcare document generation system with over 10 million documents per month.

%d bloggers like this: