The National Institute of Standards and Technology (NIST) has long been an authority figure for best practices on how to secure identities, passwords, and more. Recently, NIST Special Publication 800-63 guidelines for 2019 were released, and many IT admins are interested in learning what they are. The good news is there haven’t been too many changes from when the NIST 800-63 password guidelines were originally published in 2017. Let’s take a look at what NIST suggests.

What You Need to Know About NIST 800-63 Password Guidelines

A Brief Summary

Passwords, which NIST refers to as memorized secrets, are covered by the following 2019 NIST guidelines, briefly summarized:

  • 8 character minimum when a human sets it
  • 6 character minimum when set by a system/service
  • Support at least 64 characters maximum length
  • All ASCII characters (including space) should be supported
  • The secret (password) shall not be truncated when it is processed
  • Check chosen password with known password dictionaries
  • Allow at least 10 password attempts before lockout
  • No complexity requirements
  • No password expiration period
  • No password hints
  • No knowledge-based authentication (e.g. who was your best friend in high school?)
  • No SMS for 2FA (use a one-time password from an app like Google Authenticator)

Many of these new guidelines challenge traditional password security practices. For example, the idea of not requiring password complexity is radically different from what has been conveyed in the past. However, NIST suggests that rules such as increased complexity and frequent password changes lead to poor password behavior in the long run. Because people can only remember so much, employees often cope with frequently changed, complex passwords by storing them in an insecure manner (e.g. a sticky note on a computer monitor) and by meeting the requirements in a very predictable way (e.g. Password1!). NIST 800-63 password guidelines work to combat this behavior by essentially proposing the use of one long, simple password that should only be changed when it is compromised. You can read more about the reasoning behind their recommendations here.
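To make the list above concrete, here is an added example (not code from NIST or from this article) of a verifier-side acceptance check and a lockout counter that follow those rules. The blocklist is a tiny constructed sample standing in for a real known-password dictionary, and the 64-character cap is the minimum the guideline requires a verifier to accept.

```python
# Added example applying the NIST 800-63 memorized-secret rules summarised above.
# Not NIST's or the article's code; BLOCKLIST is a constructed sample, not a real list.
from dataclasses import dataclass, field

MIN_LEN_HUMAN = 8          # 8-character minimum when a person chooses the secret
MIN_LEN_SYSTEM = 6         # 6-character minimum when a service generates it
MAX_LEN_ACCEPTED = 64      # verifier must accept at least 64 characters
MAX_FAILED_ATTEMPTS = 10   # allow at least 10 attempts before lockout

# Constructed stand-in for a "known password" dictionary; real lists are far larger.
BLOCKLIST = {"password", "password1!", "12345678", "qwertyuiop", "letmein"}


def check_secret(secret: str, human_chosen: bool = True) -> tuple[bool, str]:
    """Return (accepted, reason). Never truncates, strips, or demands composition."""
    minimum = MIN_LEN_HUMAN if human_chosen else MIN_LEN_SYSTEM
    if len(secret) < minimum:                    # full length counted, spaces included
        return False, f"shorter than {minimum} characters"
    if len(secret) > MAX_LEN_ACCEPTED:           # reject rather than silently truncate
        return False, f"longer than {MAX_LEN_ACCEPTED} characters"
    if secret.casefold() in BLOCKLIST:           # dictionary check, case-insensitive
        return False, "appears in a known-password list"
    # Deliberately no complexity rule: "correct horse battery staple" is accepted.
    return True, "accepted"


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter implementing the 10-attempt lockout."""
    failures: dict = field(default_factory=dict)

    def attempt(self, account: str, success: bool) -> str:
        """Process one attempt; returns 'ok', 'failed' or 'locked' (refused)."""
        if self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"                       # already locked: attempt refused
        if success:
            self.failures.pop(account, None)      # success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        # the 10th failure is still processed, then the account locks
        return "failed" if self.failures[account] < MAX_FAILED_ATTEMPTS else "locked"
```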

Who Needs to Comply with NIST 800-63?

While many IT organizations use NIST guidelines to inform their security practices, only federal agencies are required to comply with NIST 800-63. Still, that doesn’t mean you shouldn’t seriously consider NIST’s recommendations and how they could benefit your environment. Just remember that these guidelines haven’t made their way into other compliance regulations yet, so make sure to cross-reference NIST’s suggestions with your current compliance requirements.