The National Institute of Standards and Technology (NIST) is a US government agency that, among other things, publishes cybersecurity recommendations. It has released a new version of its Digital Identity Guidelines (SP 800-63; the password rules are in part B), and you can find a good summary here.
The new Guidelines address several password issues with new recommendations. The overall goal is to make passwords more secure without making them harder to use.
Let's take a look at how the new recommendations make sense from a product perspective.
New Password Recommendations
First of all, I quote the new rules from the Ars Technica article:
Sensible password rules:
Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
Verifiers and CSPs SHOULD accept all printing ASCII characters and the space character in passwords.
Verifiers and CSPs SHOULD accept Unicode characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
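As an added illustration of what the quoted rules ask of a verifier (this is my own example code, not NIST's, Ars Technica's, or any product's), here is a small Python acceptance check and password store. The blocklist contents, the 15/64 limits and the PBKDF2 parameters are assumptions; the Unicode normalization step follows NIST's separate recommendation to apply NFKC or NFKD before hashing, which is not among the rules quoted above. The `truncate_at` parameter exists only to show what goes wrong when a verifier truncates instead of checking the whole password.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 15   # the SHOULD value; 8 is the SHALL floor
MAX_LEN = 64   # verifiers SHOULD allow at least this many

# Constructed stand-in for the blocklist of common/breached passwords that the
# guidelines (not quoted above) also require verifiers to check against.
BLOCKLIST = {"password", "123456789012345", "correcthorsebatterystaple"}

PBKDF2_ITERATIONS = 600_000   # assumed work factor for the demo


def normalize(password: str) -> str:
    """NFKC-normalize so the same password typed on different platforms
    (precomposed vs. decomposed accents) hashes identically; NIST 800-63B
    recommends NFKC or NFKD before hashing."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> list[str]:
    """Return the rule violations for a prospective password (empty = accepted).

    Checks length in Unicode code points, rejects control characters, and
    consults the blocklist. Deliberately absent: composition rules, hints,
    security questions, and any truncation of the input."""
    pw = normalize(password)
    n = len(pw)                       # len() of a str counts code points, as the rule requires
    problems: list[str] = []
    if n < min_len:
        problems.append(f"shorter than {min_len} code points ({n})")
    if n > max_len:
        problems.append(f"longer than {max_len} code points ({n})")
    # Space and every printing character are allowed; only control chars (Cc) are rejected.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("contains control characters")
    if pw.lower() in BLOCKLIST:
        problems.append("on the blocklist")
    return problems


def _kdf(password: str, salt: bytes, iterations: int, truncate_at: int | None) -> bytes:
    data = normalize(password).encode("utf-8")
    if truncate_at is not None:       # anti-pattern, kept only to demonstrate the failure
        data = data[:truncate_at]
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  truncate_at: int | None = None) -> tuple[bytes, bytes]:
    """Salted, slow hash of the entire password; returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt, iterations, truncate_at)


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS,
                    truncate_at: int | None = None) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(_kdf(password, salt, iterations, truncate_at), digest)


if __name__ == "__main__":
    print(check_password("a" * 60))          # [] : no digit or symbol required
    print(check_password("\u5bb6" * 15))     # [] : 15 CJK code points count as 15
    print(check_password("Tr0ub4dor&3"))     # ['shorter than 15 code points (11)']
    long_a, long_b = "x" * 72 + "A", "x" * 72 + "B"
    salt, digest = hash_password(long_a, truncate_at=72)
    print(verify_password(long_b, salt, digest, truncate_at=72))   # True: wrong password accepted
    salt, digest = hash_password(long_a)
    print(verify_password(long_b, salt, digest))                   # False: whole password verified
```

The truncation case is worth the extra lines: a verifier that hashes only the first N bytes silently accepts any password that matches up to that point, which is exactly what the last quoted rule forbids. The normalization step means a password containing ü is accepted whether the client sends the precomposed or the decomposed form.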
The Value in the Recommendations
Now let's see if there is value in the rules, especially value beyond increased security.
A product can have value in several dimensions. I find the following dimensions particularly helpful when it comes to passwords:
Simplifies
Saves time
Organizes
Reduces risk
Avoids hassles
Keep in mind that the best solution for keeping track of all your passwords is a password manager. It allows you to generate passwords of any length and complexity and store them using a single, secure master password. There is no need to remember all your passwords.
Now for the values:
Simplifies
With a password manager, you never have to see or remember a password. The quoted rules do not say this explicitly because they are addressed to verifiers and CSPs, not to end users (elsewhere the guidelines do tell verifiers to allow pasting precisely so that password managers work), but it is one of the most simplifying things you can do with passwords.
Dropping composition rules also lets a generated password be truly random. If you generate a random password of 60 characters and it happens not to contain a number, it is no weaker for that; a rule that forces a digit in only shrinks the space of allowed passwords and, for human-chosen passwords, pushes everyone toward the same predictable patterns.
Saves time
With a password manager, you never have to see or remember a password. Passwords can be complex, long, with or without Unicode characters, but entering the password will always be the same.
Organizes
A password manager can store as many passwords as you want, even if you have hundreds or thousands of accounts, and still make it easy to find the right one.
Personal tip: If you are still forced to answer a security question because a service does not follow the NIST rules, just generate another long random password as the answer and store it in your password manager. Then the answer cannot be looked up on social media, guessed, or phished out of you.
Reduces risk
If you use a password manager and autofill or copy and paste, you do not have to keep your password short. You can make your password 20, 40, or 100 characters long, up to whatever maximum the service allows (the guidelines say at least 64). There is no extra effort, just extra security.
You also do not need to worry about credential stuffing, because each password is unique: a password leaked from one site cannot be replayed against another.
You can even include letters that are not on your standard keyboard! Think about ü, ß, ñ, م, ي, ה, ל, ε, α, 家. Such letters enlarge the alphabet an attacker has to search, although for a randomly generated password the gain per character is small compared with simply making it longer. Two caveats: the service must actually accept Unicode (the rule above is only a SHOULD), and you may one day have to type the password on a device that cannot produce those characters.
The required minimum length of 8 characters seems much too low in this day and age. Even the suggested minimum length of 15 characters is really a minimum.
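To put numbers on the length and alphabet claims in this section, here is an added Python example of my own (not from NIST or any password manager vendor) that generates passwords with the `secrets` module and computes their entropy. The alphabets are constructed for illustration: the 94 printing ASCII symbols without space, and the same set plus the ten non-Latin letters named above.

```python
import math
import secrets
import string

# Constructed alphabets (illustration only): 94 printing ASCII symbols without space,
# and the same plus the ten letters named in the text: ü ß ñ م ي ה ל ε α 家.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation
EXTRA_LETTERS = "\u00fc\u00df\u00f1\u0645\u064a\u05d4\u05dc\u03b5\u03b1\u5bb6"
MIXED_ALPHABET = ASCII_ALPHABET + EXTRA_LETTERS


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length from this alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ASCII_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG; never use random.choice for this."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("duplicate symbols would bias the distribution")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n in (8, 15, 20, 40):
        print(f"{n:>3} chars: {entropy_bits(n, len(ASCII_ALPHABET)):6.1f} bits (ASCII), "
              f"{entropy_bits(n, len(MIXED_ALPHABET)):6.1f} bits (ASCII + 10 letters)")
    print("length needed for 128 bits from ASCII:", length_for_bits(128, len(ASCII_ALPHABET)))
    print(generate_password(20), generate_password(20, MIXED_ALPHABET))
```

The numbers make the point: eight characters from the 94-symbol set give about 52 bits, fifteen give about 98 bits, and adding those ten extra letters adds only about 0.15 bits per character. Length is what buys security, and a password manager makes length free.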
Avoids hassles
If you use a long random password, nobody is going to guess it or brute-force it, even from a leaked hash. Therefore there is no need to change the password on a schedule, and the NIST guidelines even say verifiers must not ask for it unless there is evidence of compromise. Forced quarterly changes actually work against security: people who must change and remember a new password every quarter fall back on easy-to-guess patterns such as incrementing a number at the end.
The Bottom Line
Using a password manager makes it easy to follow new security guidelines and adds real value to your life. Use it for better online security!
What I read
As usual, I will list some of the best articles I read on the Internet. I will keep a list of the best articles (currently >800) at https://www.digital-product-management.com. These are today’s picks:
Sabotage against innovation: How Saboteurs Threaten Innovation and What to Do About It.
Three-Minute Rule: During Discovery, ask what customers are doing three minutes before and after using your product.
Make Product give a sh*t about your architecture proposal: Communicating value of different solutions.