New password guidelines are welcome, but why not skip them entirely?

Password Reset Self Service Promo Mobile

The National Institute of Standards and Technology, NIST, recently updated its guidelines for how passwords should look and how often we should update them. Rather than making things even more complex, the new guidelines are somewhat of a relief for anyone with too many passwords to remember.

At the same time, the age of passwords is ending, and scrapping them altogether is a wiser decision. Passwordless is the future, and the future is a lot more secure than remembering a bunch of letters, numbers, and special characters.

The new NIST guidelines

First things first, what are the new NIST guidelines for passwords? The most recent guidelines, SP 800-63-4, contain several password security best practices.

Instead of calling for even more complex passwords, they lighten the load for all of us who are tired of remembering and coming up with new passwords.

The guidelines are mainly aimed at credential service providers, CSPs, but will most likely function as guidelines in many other password-related cases as well. The most prominent news in the guidelines is the following:

A mixture of character types is no longer considered best practice.
Mandatory password changes after a set period, usually 60 or 90 days, are unnecessary. Unless a password has leaked, it is useless to keep changing it.
Passwords should be at least eight characters, but at least 15 characters are recommended.
The maximum length recommended is 64 characters.
ASCII and Unicode characters should be allowed

Less password fatigue

Overall, these guidelines are much easier to follow than the previous recommendation that passwords contain a mix of upper- and lowercase characters, numbers, and special characters.

While that does make for a more complex password, it is usually more complicated for the human who tries to remember it than for a machine guessing it.

This, along with skipping the need to create a new password after a given time, should alleviate some of the password fatigue that many of us are experiencing. In fact, on average, we have about 100 passwords that we have to remember, so anything that makes that process easier is welcome.

But why use a password at all?

No password is better than a password

As you might have heard, passwords are going extinct. We at Pointsharp firmly believe this as well. If passwords cannot be lost, stolen, or leaked, they can not be used to break in.

But what should we use instead of passwords? And how can that be more secure?

Today, there are many alternatives to passwords that use some form of multi-factor authentication, MFA, to prove an identity. Establishing an identity using several factors is an effective way of preventing the most common types of breaches and phishing attempts.

Instead of relying on passwords as one, or the only, authentication factor, you can easily enable modern technologies like FIDO, Passkeys, or security keys (like a YubiKey) that rely on MFA to provide secure authentication without a password.
Depending on your security needs, you could go one step further with certificate-based authentication, using the YubiKey mentioned, a smart card, or similar for secure authentication.

The more secure, passwordless future is one of our solutions within Workforce identity. While you are upgrading your organization’s authentication methods, why not ensure that every application and resource benefits from the same security in a consistent and easy-to-use user experience? Securing your entire workforce while making it more effective is our primary goal at Pointsharp.

So, even if the new password guidelines from NIST are much more human-friendly than before, we know that there are even better alternatives that can increase security and be implemented very quickly.