streamWrite Blog


Why aren't NIST password guidelines being adopted?

I have for many years felt that complex password guidelines, combined with regular expiration dates, create a recipe for weakened rather than strengthened security. We've all had to deal with it: passwords must be 8 or more characters and contain at least one of each of the following: lower case letter, upper case letter, number, special character. Something like this: Xtrain99#. In addition, you have to change this every sixty days and cannot reuse prior passwords.

Now multiply this by differing rules implemented by many of the different systems you use on a regular basis, and you end up recording all of these passwords somewhere, hopefully not on a sticky note attached to your computer.

Unfortunately, I felt like I was swimming upstream in a deluge of password complexity that would never let up.


Enter new guidelines from NIST, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, swapping out prior guidelines for new, simpler, more sensible ones, and I started to feel vindicated:

  • Passwords should never expire
  • No complexity or variety rules
  • Minimum length of 8 characters
  • Maximum length of 64 characters

There are also some additional recommendations, such as NOT having any hints (questions like where did you go to high school and what was the name of your first parakeet), only enforcing a password change when the password is forgotten or a potential breach is discovered, and checking against lists of known bad passwords...
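The guidelines above, contrasted with the old composition rule, as an added example that is not part of the original post. The function names and the tiny blocklist are constructed for illustration; a real deployment would check against a full list of known bad passwords.

```python
import re

MIN_LEN, MAX_LEN = 8, 64  # length bounds from the list above

# Constructed stand-in for a real list of known bad passwords (lower-cased).
KNOWN_BAD = {"password", "12345678", "qwertyuiop", "password1!"}

# Character classes demanded by the old-style rule described in the post.
LEGACY_CLASSES = [
    ("lower case letter", r"[a-z]"),
    ("upper case letter", r"[A-Z]"),
    ("number", r"[0-9]"),
    ("special character", r"[^A-Za-z0-9]"),
]

def legacy_policy(pw: str) -> list[str]:
    """Old rule: 8+ characters and at least one of each character class."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in LEGACY_CLASSES:
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems

def nist_style_policy(pw: str) -> list[str]:
    """Newer rule: length bounds and a known-bad check, no composition rules."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in KNOWN_BAD:
        problems.append("appears on the known-bad list")
    return problems

def change_required(forgotten: bool, breach_suspected: bool, age_days: int) -> bool:
    """Force a change only when forgotten or possibly breached.

    age_days is accepted but deliberately ignored: passwords never expire.
    """
    return forgotten or breach_suspected

if __name__ == "__main__":
    for candidate in ["Xtrain99#", "Password1!", "correct horse battery staple"]:
        print(candidate, "| legacy:", legacy_policy(candidate),
              "| newer:", nist_style_policy(candidate))
```

The long passphrase fails the old rule for lacking an upper case letter and a number, while a short string that satisfies every composition rule is still rejected by the known-bad check.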

Yes, I started to feel like some sanity on passwords was coming to light. I did not expect these changes, officially adopted in 2017, to hit the mainstream immediately, but nor did I expect that three years on, there would be almost no sign of widespread adoption.

Bill Burr, the employee at NIST who initially wrote the complexity guidelines, came forth to say that they actually had no real experiences to draw from, and just did what they thought was right at the time. Ultimately he recanted the guidelines in favor of the newer policies: Wall Street Journal, "New Password Tip: N3v$r M1^d!"

Gizmodo sums it up nicely with this graphic from their article on the subject, "Inventor of Password Rules Regrets Wasting Your Time".

[Graphic: correct horse battery staple]


But none of this answers my original question. Why are we still being forced to use the outdated guidelines when they have been completely debunked and new, more realistic guidelines have been put forth?

I'll keep waiting and hoping for the day when I no longer have to maintain a password-protected list of over 400 credentials along with answers to random security questions about parakeets.