The National Institute of Standards and Technology – also known as NIST – recently released updated guidelines regarding best password management practices.
The new recommendation? Longer passwords are more important than complex ones when it comes to creating strong passwords.
These guidelines are part of NIST’s second public draft of SP 800-63-4, which is the latest version of its Digital Identity Guidelines, released in September 2024.
Let’s look at why NIST updated their password recommendations and what this means for you and your business as you look to create the strongest credentials possible to secure your data.
Length vs. complexity
Back in 2017, NIST’s first password recommendations were released, which cited complexity (a mix of upper and lowercase letters, numbers, and special characters) as the primary factor in determining password strength.
Fast forward to 2024, and “password length is a primary factor in characterizing password strength.”
Why the change? This shift can be attributed to two factors: 1) human behavior and 2) entropy.
Human behavior
We know that people say one thing and do another when it comes to passwords – 89% know that using the same password is a risk, yet 62% do just that.
It’s no wonder then that users will often choose the path of least resistance when tasked with creating a complex password to protect their accounts.
A complex password is typically defined as one that includes an uppercase letter, number, and special character.
Without a password manager, most people will choose a password that meets the minimum requirements – for example, “October1!”.
This predictable pattern (though it satisfies the complexity rules) can be brute-forced quickly, leaving your accounts vulnerable to the whims of a bad actor.
Password entropy
Entropy is a measure of unpredictability, and it is where password length matters most. The longer the password, the more possible combinations an attacker has to try, which makes it more difficult to crack. That larger search space translates to higher password entropy.
Entropy is measured in bits; the higher a password’s entropy, the stronger the password.
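To make the length-versus-complexity point concrete, here is an added worked example (not code from LastPass or NIST) that estimates entropy in bits under the common character-class model: bits = length × log2(size of the character pool). It compares the page’s own “October1!” with a constructed all-lowercase 16-character passphrase, shows how little entropy “October1!” actually has once you account for its predictable month-digit-symbol pattern, and works out how long a password from a given pool must be to reach a target entropy. The pool sizes (26 lowercase, 26 uppercase, 10 digits, 33 punctuation/space) and the pattern pools are assumptions for illustration.

```python
import math
import string
from typing import Sequence

# Assumed character pools for the character-class entropy model.
LOWER = set(string.ascii_lowercase)          # 26
UPPER = set(string.ascii_uppercase)          # 26
DIGITS = set(string.digits)                  # 10
SYMBOLS = set(string.punctuation + " ")      # 33


def charset_size(password: str) -> int:
    """Size of the pool an attacker must assume, given which classes appear."""
    chars = set(password)
    size = 0
    if chars & LOWER:
        size += len(LOWER)
    if chars & UPPER:
        size += len(UPPER)
    if chars & DIGITS:
        size += len(DIGITS)
    if chars & SYMBOLS:
        size += len(SYMBOLS)
    return size


def entropy_bits(password: str) -> float:
    """Naive entropy: every position drawn uniformly from the observed pool."""
    pool = charset_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def pattern_entropy_bits(pools: Sequence[int]) -> float:
    """Entropy when the password follows a known template.

    Each element is the number of choices at that slot, e.g. a month name,
    then one digit, then one symbol. The result is what the password is
    really worth against an attacker who guesses the template first.
    """
    return math.log2(math.prod(pools))


def min_length_for_bits(target_bits: float, pool: int) -> int:
    """Shortest password drawn from `pool` characters reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(pool))


if __name__ == "__main__":
    complex_short = "October1!"          # example from the page
    long_lowercase = "bluekettleorbits"  # constructed 16-char lowercase passphrase

    print(f"{complex_short!r}: {entropy_bits(complex_short):.1f} bits naive")
    # Assumed template for "October1!": 12 month names x 10 digits x 33 symbols.
    print(f"{complex_short!r}: {pattern_entropy_bits([12, 10, 33]):.1f} bits as a pattern")
    print(f"{long_lowercase!r}: {entropy_bits(long_lowercase):.1f} bits naive")
    print("chars of full 95-char pool needed to match 75 bits:",
          min_length_for_bits(75, 95))
    print("chars of lowercase-only pool needed to reach 75 bits:",
          min_length_for_bits(75, 26))
```

Two things fall out of running it. First, the 16 lowercase characters carry more estimated entropy (about 75 bits) than the 9-character “complex” password (about 59 bits), even on the model most favourable to complexity rules. Second, once the attacker assumes the obvious month-digit-symbol template, “October1!” is worth only about 12 bits, which is why the page calls it quick to brute-force. The naive figure is an upper bound; the pattern figure is closer to what such a password is actually worth.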
NIST also recommends only changing passwords after a breach has occurred. Frequent resets can result in weaker passwords as users will – as we’ve seen above – default to the bare minimum when it comes to complexity.
In short, a longer password (a minimum of eight characters) is a stronger one, while mandatory complexity rules can lead to a weaker password.
How LastPass can help
A password manager like LastPass can take the guesswork out of creating NIST-recommended passwords by generating them for you. It stores these passwords in an encrypted vault, eliminating the need to remember multiple (lengthy) passwords.
Additionally, one of LastPass’s 130 policies includes Length of Site Passwords, allowing Admins to set a specific password length for any domain.
Let LastPass manage your passwords, so you don’t have to: Start your free trial today.