>>107090806
>No More Frequent Password Changes:
NIST now advises against mandatory periodic password changes unless there is evidence of a breach or suspicion of compromise. The rationale is that forcing users to change their passwords too frequently often leads to weaker passwords being created
>Longer, Stronger Passwords:
NIST now encourages the use of longer passwords—suggesting that they should be at least 12-16 characters long for most scenarios. This is because longer passwords exponentially increase the difficulty of a brute-force attack, making them far more secure than shorter, simpler passwords.
NIST also recommends using a passphrase (a combination of random words or a memorable sentence) instead of complex but hard-to-remember character strings, which can improve both security and usability.
>Complexity Requirements Relaxed:
There’s a move away from enforcing overly strict password complexity rules (like requiring uppercase letters, numbers, and special characters). Instead, the focus is on length and entropy (the randomness or unpredictability of a password). Users are still encouraged to avoid obvious patterns (e.g., "password123") but are not forced into creating overly complex, hard-to-remember passwords.
>Use of Multi-Factor Authentication (MFA):
NIST strongly encourages the use of multi-factor authentication (MFA) wherever possible. Even with strong passwords, MFA adds an additional layer of security, significantly reducing the risk of unauthorized access.
>Password Blacklists:
Passwords that are known to be weak or commonly used (e.g., "123456", "password", "qwerty") are now explicitly discouraged. Systems are encouraged to use password blacklists to prevent users from choosing weak passwords, further increasing security.
>Password Managers:
Because it can be difficult to remember long and complex passwords, NIST encourages the use of password managers to help store and generate secure passwords.
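A policy checker that encodes the points above, added here as an illustration and not part of the post or of any NIST publication: minimum length without composition rules, a blocklist of common passwords (the entries and the 12/128 length bounds are constructed assumptions, not an official list), and a rotation check that only fires when compromise is suspected.

```python
import unicodedata

# Constructed sample blocklist for demonstration only. A real deployment would
# load a large list of breached/common passwords; this is NOT an official NIST list.
SAMPLE_BLOCKLIST = {"123456", "password", "qwerty", "letmein", "password123"}

MIN_LENGTH = 12   # assumption: lower end of the 12-16 range quoted in the post
MAX_LENGTH = 128  # assumption: generous cap so long passphrases are still allowed


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical passphrases compare the same way."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str, blocklist=SAMPLE_BLOCKLIST) -> list[str]:
    """Return rejection reasons; an empty list means the password is accepted.

    Deliberately absent: uppercase/digit/symbol composition rules. Length and a
    blocklist do the work, matching the 'complexity relaxed' point above.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    # Also catch the "blocklisted word + trailing digits" pattern (e.g. qwerty2024).
    # This heuristic is an assumption of this example, not a published rule.
    stem = lowered.rstrip("0123456789")
    if lowered in blocklist or stem in blocklist:
        reasons.append("appears on the blocklist of common passwords")
    return reasons


def needs_rotation(days_since_change: int, compromise_suspected: bool) -> bool:
    """No calendar-driven expiry: rotate only on evidence or suspicion of compromise."""
    del days_since_change  # age alone is never a reason to force a change
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "qwerty2024"]:
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print("rotate after 400 days, no incident:", needs_rotation(400, False))
    print("rotate after 10 days, breach suspected:", needs_rotation(10, True))
```

The all-lowercase passphrase passes because length and the blocklist, not character classes, decide acceptance; the short "complex" string fails on length alone.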