Add numbers and symbols to your passwords? Not the best practice according to experts


The security of our online accounts is evolving. NIST, an American reference organization, has just published new guidelines on passwords. And surprise: what we have been told for years is no longer relevant!

No more puzzles to create a password! The National Institute of Standards and Technology (NIST) is shaking up the rules of the game and explains why.

For years, we have been told that a good password must contain capital letters, numbers and symbols. But according to new NIST recommendations, this approach has become obsolete. The American organization, a reference in IT security, offers a radically different vision of what makes an effective password.

Length, the new queen of security

First surprise: NIST says that the length of a password is much more important than its complexity. A concrete example? A 12-character password made up of only letters would take around 2,000 years to crack. In comparison, an 8-character password mixing numbers, symbols and capital letters would only last… 17 years!

“Verifiers and CSPs should not impose other composition rules for passwords,” NIST clearly states in its new guidelines. So there is no longer any obligation to use special characters or capital letters.
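To make the shift concrete, here is an added Python example (not code from the article or from NIST) that places a legacy composition-rule checker beside a length-based checker in the spirit of the new guidelines. The 15-character floor, the 64-character ceiling and the contents of the compromised-password blocklist are assumptions for this illustration, not values taken from the article.

```python
import unicodedata

# Constructed sample of a breached-password blocklist (illustrative only,
# not a real breach corpus). NIST-style verifiers screen candidates against
# such lists instead of demanding symbols and digits.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def legacy_policy(pw: str) -> list[str]:
    """Old-style composition rules: 8+ chars with an uppercase letter,
    a digit and a symbol. Returns a list of rule violations."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("no symbol")
    return problems


def nist_policy(pw: str, min_len: int = 15, max_len: int = 64) -> list[str]:
    """Length-first rules: a length floor and ceiling (assumed values),
    spaces and Unicode allowed, no composition rules, and a blocklist
    screen. Returns a list of rule violations."""
    # Normalize so visually identical Unicode forms are measured the same way.
    normalized = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(normalized) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(normalized) > max_len:
        problems.append(f"longer than {max_len} characters")
    if normalized.lower() in BLOCKLIST:
        problems.append("appears on the compromised-password blocklist")
    return problems


if __name__ == "__main__":
    # A short "complex" password satisfies the legacy rules yet fails the
    # length-based ones; a long passphrase does the opposite.
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate))
        print("  legacy:", legacy_policy(candidate) or "accepted")
        print("  nist:  ", nist_policy(candidate) or "accepted")
```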

No more regular changes

Another revolution: NIST now recommends against forcing users to regularly change their password. “Auditors and CSPs will not require users to periodically change their passwords,” we can read in the recommendations.

Why this change? The organization believes that this practice often pushes users to create weaker passwords, simply because they will be easier to remember. Conversely, a password that is stable over time is more likely to be robust.

These new guidelines are part of a broader context of developments in our online practices. “The way we browse the web has changed significantly in recent years,” recalls NIST. With the proliferation of online services, passwords are no longer the only authentication method available.

Some companies, like Microsoft, even allow you to do without a password altogether. Others rely on passkeys as an alternative. In this new landscape, security rests more on a holistic approach than on the complexity of a password alone.


Double authentication, the ultimate barrier

Despite these changes, NIST emphasizes one crucial point: the importance of two-step verification. This method, which adds an additional layer of security, remains highly recommended for all important accounts.


The organization specifies, however, that it is preferable to avoid SMS as a second authentication factor. It is better to choose a dedicated authenticator application, which is more secure.

Towards gradual adoption

It is important to note that these NIST recommendations are not binding on private companies. Only services related to the US government are required to follow them. However, NIST’s influence in the field of cybersecurity is such that we can expect a gradual adoption of these new practices.

In the meantime, what should you remember for your own passwords? Choose length over complexity, opt for phrases that are easy to remember (like song lyrics), and above all, enable two-factor authentication on all your important accounts. Online security is evolving; it’s up to us to follow suit!

Our advice: switch to a password manager, it will make your life easier.
