"NIST Scraps Passwords Complexity and Mandatory Changes in New Guidelines"
According to new guidelines published by the National Institute of Standards and Technology (NIST), using a mixture of character types in your passwords and regularly changing passwords are officially no longer best password management practices. NIST’s latest version of its Password Guidelines suggests credential service providers (CSPs) stop recommending passwords using several character types and to stop mandating periodic password changes unless the authenticator has been compromised. Additionally, NIST required CSPs not to use knowledge-based authentication (KBA) or security questions when choosing passwords. The latest guidelines still require passwords to be at least eight characters. Other notable recommendations include passwords should be of a minimum of 15 characters, CSPs should allow passwords of a maximum of at least 64 characters, and CSPs should allow ASCII and Unicode characters to be included in passwords. The new guidelines were published in September 2024 as part of NIST’s second public draft of SP 800-63-4.