Why NIST Wants You to Remove Complexity From Your Password Policies

Rich campagna
June 8, 2020 | 5 min read | Security Posture

8 characters, special symbol, lower, upper, no repeating and a 90 day max. Try singing the de facto standard password policy and it sounds remarkably similar to the popular McDonald’s Big Mac song of the 80’s (for those too young, or too old, to remember, “two all beef patties, special sauce, lettuce, cheese, pickles, onions on a sesame seed bun).”

Unfortunately, passwords built using this scheme have proven as difficult to remember as the Big Mac jingle, so, NIST has changed their guidelines on creating password policies.

The biggest change? Hold the special sauce, I mean symbols.

Passwords are responsible for more than 80% of data breaches, so they represent a critical component in maintaining a strong security posture. In a well meaning effort to strengthen passwords, enterprises adopted password complexity policies meant to increase entropy so that passwords would be more difficult to crack. An unfortunate by product of these policies was that passwords also became much more difficult for users to remember.

The result?

Reflecting this reality, NIST created Special Publication 800-63B: Digital Identity Guidelines. As a government document, it reads like a government document, so let me boil down the new NIST Password Guidelines.

  1. 8 character minimum
  2. No complexity or special character requirements
  3. No password expiration
  4. Check against dictionaries and lists of previously breached passwords

Sounds great, but does this massive improvement in usability come at the expense of security?

As it turns out, no, it doesn’t.

There have been a number of academic studies on password strength. Two of note, both from Carnegie Mellon University:

Both studies look at a number of NIST password policy types, and present a range of interesting findings, but I’m going to focus on one comparison in particular – the “comprehensive 8” policy versus the “basic 16 policy.” Since these aren’t well recognized names, here are the policies:

  • comprehensive8: “Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word.”
  • basic16: “Password must have at least 16 characters.”

According to NIST, these two policies should result in passwords with similar entropy. In real world use, however, the basic16 policy, despite not requiring any symbols or digits, resulted in passwords that were significantly more difficult to crack.

The chart below shows the % of passwords cracked for the 8 password policies tested in the studies. Note that for large numbers of guesses, around half as many of the basic16 passwords were guessed vs the comprehensive8 passwords.

At the same time, users found basic16 passwords both easier to create and easier to remember. More usability AND more security!

Since many people use their pets’ names for passwords, and since my dog, Churro, is lounging next to me as I write this post, let’s put these policies to the (not) ultimate test using dog-based passwords and one of many online password strength meters.

  • Comprehensive8
  • Basic16

Regardless of whether my dog-based password is as strong as the meter claims that it is, next time you’re reconsidering your organization’s password policy, you might want to think about listening to NIST and holding the special symbols.

You might also want to check out Balbix’s 2020 State of Password Use Report.