Is the complex password dead?
Posted by Kevin Hood, CISA, IT Consultant, Credit Union Resources, Inc on 7/31/2017

Users may be rejoicing after the release of NIST’s new password guidelines!  The National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, publishes guidance that sets the standard for recommended security controls on information systems at federal agencies.  While mandatory only for federal agencies, many other industries adopt these guidelines as a strong cybersecurity framework.  In its recent Special Publication 800-63B, “Digital Identity Guidelines,” NIST takes a more “human-element” approach and shifts the burden from the user to the verifier.  Here are a few key elements of the new guidance:

  • No more complex passwords!  For years, the recommended standard has been to require very complex passwords - a mixture of uppercase, lowercase, numbers, and special characters.  In practice, these requirements often lead to weaker passwords, with users simply changing a number at the end of the password.  With the new guidelines, NIST is recommending the longer passphrase approach, and that verifiers allow passwords as long as 64 characters (or more), including punctuation, spaces, and even emojis!
  • No more changing your passwords every 30 days!  Users will really love this one.  Frequent password changes have been shown to actually cause users to choose weaker passwords, again only changing one character.  The guidance states that you should require users to change their password only if it has been forgotten or is suspected of compromise.
  • Passwords should be checked against a list of commonly-used, expected or compromised passwords.  If the chosen password is found in the list, the user should be notified and required to choose a different password. For example, the list may include, but is not limited to:
    • Passwords obtained from previous breaches.
    • Dictionary words.
    • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
    • Context-specific words, such as the name of the service, the username, and derivatives thereof.
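As an added example (not code from the original post or from NIST), the screening checks listed above in Python: a blocklist lookup, repetitive and sequential character detection, and a context-word check against the username and service name. The blocklist contents, the minimum length of 8 (the 800-63B floor for user-chosen secrets), and the run length of 4 are assumptions chosen for illustration.

```python
"""Screen a candidate password the way SP 800-63B section 5.1.1.2 describes."""
import re

# Constructed sample blocklist: a stand-in for breach corpora and dictionary words.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}

MIN_LEN = 8  # 800-63B minimum for user-chosen memorized secrets (assumed here)


def has_repetitive_run(pw, run=4):
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw, run=4):
    """True if `run` consecutive characters step up or down by one code point
    (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(pw) - run + 1):
        window = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen_password(pw, username, service):
    """Return the reasons a password should be rejected; an empty list means OK.

    Note there is no upper length cap and no character-class rule: spaces,
    punctuation and emoji are accepted, as the guidance recommends.
    """
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("on blocklist")
    if has_repetitive_run(pw):
        reasons.append("repetitive characters")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    # Context-specific words: the username, the service name, and anything
    # containing them (a simple substring test covers the obvious derivatives).
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            reasons.append("contains context word '%s'" % ctx)
    return reasons
```

A real deployment would load the blocklist from breach dumps and a dictionary rather than a hard-coded set, and would report the reasons to the user so they can pick something else.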

There are many other guidelines released in the special publication, such as encryption recommendations for password storage and the phasing out of text messaging as a form of two-factor authentication.  Convenience and security have long been said to be mutually exclusive; however, with this new guidance, it looks as though NIST is trying to bridge that gap.

Credit Union Resources has Technology Consulting & Compliance Services available for credit unions of all sizes.  For additional information, please contact Deana Brown ( or Idrees Rafiq (
