NIST Update: Passphrases In, Complex Passwords Out


NIST released the final version of its Digital Identity Guidelines, SP 800-63 (the password rules are in SP 800-63B), in June 2017. Federal agencies and contractors use NIST's standards as guidelines on how to secure digital identities.

In 2003, NIST manager Bill Burr wrote the now-infamous password "best practices": composition rules requiring special characters, capital letters, numerals, and so on. He recently told The Wall Street Journal that he regrets doing so, because those rules mostly increased user frustration while doing little for security. The new NIST guidelines recommend long passphrases instead of complex passwords and drop the mandatory composition rules.

Check out our latest blog by Thu Pham for many more new recommendations from NIST on password best practices.
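As an added example (written for this page, not code from the original post or from the blog it links to), here are the two policies side by side: a legacy composition-rule check of the 2003 kind, and a check written to the memorized-secret rules in SP 800-63B section 5.1.1.2 (at least 8 characters, at least 64 permitted, spaces and Unicode accepted, no composition rules, and rejection of values on a blocklist of common or breached passwords). The blocklist and the candidate passwords are constructed for the example; a real deployment loads a large breach corpus. The case-insensitive blocklist comparison and the 256-character upper cap are this example's own choices, not requirements of the standard.

```python
"""Legacy composition rules versus an SP 800-63B style password check.

Added example. The blocklist below is a small constructed sample, not a
real breach corpus; a deployment would load something like the Have I Been
Pwned password list instead.
"""
import re
import unicodedata

# Constructed sample blocklist (lowercase). Real lists run to hundreds of
# millions of entries and are checked via hashed lookups, not a Python set.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd!", "qwerty123",
    "letmein", "welcome1", "summer2017!", "iloveyou",
}


def legacy_policy(pw: str) -> tuple:
    """2003-era composition rules: >= 8 chars, one upper, one lower, one digit,
    one special character. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "too short (<8 characters)"
    if not re.search(r"[A-Z]", pw):
        return False, "needs an uppercase letter"
    if not re.search(r"[a-z]", pw):
        return False, "needs a lowercase letter"
    if not re.search(r"[0-9]", pw):
        return False, "needs a digit"
    if not re.search(r"[^A-Za-z0-9]", pw):
        return False, "needs a special character"
    return True, "ok"


def nist_63b_policy(pw: str, blocklist=BLOCKLIST, min_len=8, max_len=256) -> tuple:
    """SP 800-63B 5.1.1.2 style check: length and blocklist only.

    No composition rules. 800-63B requires that at least 64 characters be
    permitted; the 256 cap here is an example choice to bound hashing cost.
    Returns (accepted, reason)."""
    # 800-63B calls for Unicode normalization (NFKC or NFKD) before the
    # secret is used, so composed and decomposed forms of the same text
    # are treated as the same secret here and at verification time.
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)
    if n < min_len:
        return False, f"too short (<{min_len} characters)"
    if n > max_len:
        return False, f"too long (>{max_len} characters)"
    # Example choice: compare case-insensitively so that "P@ssw0rd!" is
    # caught by the lowercase blocklist entry rather than treated as new.
    if pw.lower() in blocklist:
        return False, "found in list of common or breached passwords"
    return True, "ok"


def compare(pw: str) -> dict:
    """Run both policies on one candidate and report the verdicts."""
    return {"legacy": legacy_policy(pw)[0], "nist_63b": nist_63b_policy(pw)[0]}


if __name__ == "__main__":
    # Constructed candidates: a "complex" password that sits on every
    # breach list, a long passphrase the old rules reject, and one that
    # passes both.
    for candidate in ("P@ssw0rd!", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist_63b={nist_63b_policy(candidate)}")
```

The contrast is the point of the new guidance: "P@ssw0rd!" satisfies every composition rule and is accepted by the legacy check, but it is on the blocklist and rejected under 800-63B, while the 28-character passphrase fails the legacy check for lacking an uppercase letter and is accepted under 800-63B.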


These adjustments are a long time coming and everyone I speak to is excited to get these into practice. Has anyone given thought to how to address these enhancements whilst we wait for regulations/contracts that are more prescriptive (e.g. hard-coded with 8 characters, 1 special, 1 numeral, 1 upper, etc.)? It would be easier if references had been made to compliance with the guideline/standard itself, but in many cases the details are what is documented.