Passwords are an essential part of online security. In recent years the push has been to make passwords more complex by adding characters and numbers; that complexity was first lauded as a crucial layer of security and then became an oft-required one.

Those guidelines were issued by the National Institute of Standards and Technology (NIST) nearly 15 years ago. Then, without much fanfare, the latest draft of the NIST guidelines was released in the middle of last year: NIST issued its update, entitled “Digital Identity Guidelines (SP 800-63-3)”, in June 2017. Many of the guidelines that had been exalted as best practice in online safety were cast aside in this latest edition in favor of what should be a simpler, more user-friendly approach.

We’ve all become familiar with the complex password policies, some of which include password rotation; employing a combination of letters, characters, and numbers; avoiding re-use of old passwords, and so on. These practices have become so commonplace and ingrained in our processes that going without a carefully constructed password seemed like an invitation for trouble.

Previous Guidelines Actually Helped Cybercriminals

The frequency of major security breaches that continue to occur highlights the weakness of the previous password guidelines, with the important footnote that these are only the ones that have been caught or reported. As with typical crimes, many more incidents go unreported, but in this case it’s because they go unnoticed by the targeted organization.

Additionally, certain assumptions were made when the appearance of complexity (the different character requirements) was enforced. Though the system registered a password as strong, that didn’t always mean it was safe. People tend to be predictable in their choice of passwords, and munging has given another false sense of security: substituting numbers or special characters for letters can make it seem to the average user that a substantial layer of complexity has been added. In reality, the password is still easily recognizable or easily decoded, especially by a computer.

Some systems require that passwords be changed a few times a year, which actually makes password security worse. Frequent password changes often produce weaker passwords and bigger vulnerabilities. Current research also suggests that companies struggle with even the basic level of password security.

With all of the complexities required, it is understandably frustrating for users to remember what their passwords are across multiple accounts. This leads to password reuse, which adds another security risk. A survey of 1,000 Americans revealed that 81% re-use one password across multiple accounts, which can potentially lead to ‘credential stuffing.’ In simple terms, when an account’s credentials are compromised, cybercriminals can obtain them and use highly automated scripts or applications to try them against other web applications, further compromising the user’s other accounts.

How Key Updates in the NIST Guidelines Will Affect Users

The previous password complexity requirements were well intentioned, but even the original author of these guidelines regrets the design of that protocol. Experts say that over time, we’ve been training people to use passwords that are falsely complex; they’re somewhat tricky for a human to crack, but easily decipherable for a computer.

Here are a few of the key takeaways from the new NIST guidelines:

  • Eliminate intermittent password change requirements, unless due to a security breach or by user choice.
  • Eliminate the password complexity requirements (special characters, upper or lowercase letter, and number requirements).
  • Make mandatory the screening of new passwords against commonly used or compromised passwords.

The last point appears to be one of the more innovative mandates, as this has never been a policy implemented in password design. When creating new passwords, users will be alerted if their password is a match on the susceptible/compromised list.

Additionally, the new password framework discusses a 64-character allowance, which supports a new approach in users creating passwords, referred to as ‘memorized secrets’. Users will be encouraged to create them using short, random phrases and no other character requirements. Contrary to what has been ingrained in us for over a decade, this actually proves more difficult to crack than the shorter, munged passwords users were forced to create.
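The screening step and the length allowance described above can be combined into a single check. The sketch below is an added example, not code from NIST or from the article: it applies no composition rules, accepts long passphrases, and undoes common munging substitutions before comparing against a blocklist. The blocklist, the 8-character minimum, the substitution table, and the function names are all assumptions made for illustration.

```python
import unicodedata

# Constructed sample blocklist; a real deployment would load a large corpus
# of commonly used and breached passwords instead.
BLOCKLIST = {"password", "letmein", "qwerty", "iloveyou", "welcome"}

MIN_LEN = 8   # assumption for this example; not stated in the article
MAX_LEN = 64  # cap chosen here to match the article's 64-character allowance
TRAILING = "0123456789!?.#*"  # decorations commonly appended to a base word


def demunge(text, one):
    """Undo common character substitutions; '1' is ambiguous (i or l)."""
    table = str.maketrans({"@": "a", "4": "a", "3": "e", "!": "i", "0": "o",
                           "$": "s", "5": "s", "7": "t", "1": one})
    return text.translate(table)


def lookup_forms(password):
    """Return the normalized variants to compare against the blocklist."""
    base = unicodedata.normalize("NFKC", password).casefold()
    stripped = base.rstrip(TRAILING)
    forms = {base, stripped}
    for text in (base, stripped):
        forms.add(demunge(text, "i"))
        forms.add(demunge(text, "l"))
    return forms


def screen_password(password):
    """Return (accepted, reason). No composition rules are applied."""
    if len(password) < MIN_LEN:
        return False, "too short"
    if len(password) > MAX_LEN:
        return False, "too long"
    if lookup_forms(password) & BLOCKLIST:
        return False, "matches compromised list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: three munged passwords and one passphrase.
    for pw in ("P@ssw0rd1!", "l3tm31n!", "Qwerty12",
               "violet kettle runs north"):
        print(repr(pw), screen_password(pw))
```

The three munged inputs satisfy the old character-class rules yet reduce to blocklisted words once normalized, while the all-lowercase passphrase is accepted.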

What’s Next?

Evaluating your organization’s security strengths and weaknesses should be a regular practice, but thoroughly considering and implementing these new guidelines will take time. Risk Control Strategies can offer consultation and guidance on these new measures, and on how they might fit into your organization’s specific security infrastructure.


Risk Control Strategies (RCS) specializes in investigative, security, and business intelligence for legal, corporate, and private sectors. Our team of seasoned professionals is backed by decades with federal and state law enforcement agencies, conferring unparalleled expertise and care with each assignment. Explore our website, or visit our contact page and reach us directly to learn more.