Ditch the Complex Password?

June 20, 2019

Studies show that poor password practices, rather than insufficient password complexity, are the major cybersecurity weakness for most organizations and employees, and the one that most often lets criminals access non-public personal information. The latest password guidelines from the National Institute of Standards and Technology (NIST) recommend significant changes to how companies and people approach password complexity and use.

Among the changes, NIST recommends removing periodic password change requirements, dropping the composition rules that often produced passwords easily recovered with password-cracking tools, and using long passphrases instead of complex passwords.

Make Passwords Easy to Remember, Hard to Guess

In what may seem like a 180-degree turn, NIST has moved away from what was promoted for more than a decade and now recommends long passphrases in lieu of complex passwords. The new guidelines focus on unique passphrases that users can remember easily, built from whatever characters they want, instead of convoluted passwords that make no sense to the user.

Special Characters Not So Special

NIST still recommends allowing special characters, but no longer requires their use in memorized secrets. Concerning which characters a verifier should accept, the password guidelines in SP 800-63B 5.1.1.2 stipulate:

“All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.”

More Is More

The updated NIST guidelines require passwords of at least eight characters, and allow password form fields to accept up to 64 characters, a change made to support passphrases. The Verizon 2018 Data Breach Investigations Report adds that length and complexity of passwords are not sufficient on their own. “No matter who administers your technology environment (whether in-house or outsourced) they should be required to use two-factor authentication,” the report advises. In an upcoming article, we’ll provide tips to easily implement two-factor authentication.

“Users should use long password phrases consisting of three or more words that normally don’t go together but are easily remembered, and that are at least 15 characters long,” suggested Paul Noga, director of information technology and cybersecurity for Southern Title. “Passwords should be screened against lists of commonly used or compromised passwords. Users should only change their passwords when they suspect there could be a potential compromise.”
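The verifier-side rules quoted above (length counted in Unicode code points, space collapsing only when the result stays at least 8 characters, no truncation, no composition rules, screening against a blocklist) are easy to get wrong in small ways. The following Python is an added illustration, not code from NIST or from ALTA; the blocklist is a constructed sample, and rejecting control characters and matching the blocklist case-insensitively are assumptions made here, not requirements stated on this page.

```python
import re
import unicodedata

# Constructed sample blocklist; a real verifier would load a breach corpus
# or common-password list instead (this set is only for illustration).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1", "iloveyou"}

MIN_LEN = 8   # SP 800-63B: at least 8 characters for a user-chosen secret
MAX_LEN = 64  # the field length cited in the article above


def normalize_secret(secret: str) -> str:
    """Apply the only transformation SP 800-63B permits before verification:
    collapse runs of consecutive spaces into one space, but keep the original
    if the collapsed result would fall below MIN_LEN. Nothing is truncated."""
    collapsed = re.sub(" {2,}", " ", secret)
    return collapsed if len(collapsed) >= MIN_LEN else secret


def validate_memorized_secret(secret: str, blocklist=BLOCKLIST):
    """Return (accepted, reason) for a user-chosen memorized secret.

    Deliberately absent: any composition rule (digits, upper case, special
    characters) and any expiry logic. Only length and a blocklist are checked.
    Assumption (not stated on the page): control characters are rejected
    because they are not printing characters, and blocklist matching is
    case-insensitive."""
    if any(unicodedata.category(ch) == "Cc" for ch in secret):
        return False, "contains non-printing control characters"
    candidate = normalize_secret(secret)
    # len() on a Python str counts Unicode code points, which is the unit the
    # guideline mandates; byte length (UTF-8) or UTF-16 units would be wrong.
    length = len(candidate)
    if length < MIN_LEN:
        return False, f"too short: {length} code points, minimum {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} code points, maximum {MAX_LEN}"
    if candidate.casefold() in blocklist:
        return False, "appears on the list of common or compromised passwords"
    return True, "accepted"


if __name__ == "__main__":
    for s in ["correct horse battery staple", "password", "Tr0ub4d",
              "a   b    c", "\U0001F600" * 8, "x" * 65]:
        print(repr(s), "->", validate_memorized_secret(s))
```

Note that "a   b    c" is accepted unchanged: collapsing its spaces would leave only 5 characters, so the guideline's "provided that the result is at least 8 characters" clause keeps the original 10-character secret.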

Requiring Password Time Periods Has Expired

The new password guidelines no longer require users to change passwords after a set period; studies have shown that forced frequent changes are counterproductive to good password security. Instead, a new password is mandated only when there is evidence that the existing one has been compromised. According to NIST, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Copy and Paste Functionality

Another change in the NIST password guidelines is that verifiers should allow users to paste into the password field. NIST says this facilitates the use of password managers, which increase the likelihood that users will choose stronger memorized secrets.

Contact ALTA at 202-296-3671 or communications@alta.org.