Allow users to choose long passphrases for passwords, NIST proposes

Poor password hygiene by employees and customers continues to be a major factor in data breaches, particularly as the falling cost of compute power makes brute-force attacks easier. That is why 16-character passwords mixing capitals, numbers and special characters are the recommended security best practice. Some organizations also encourage staff to change their passwords at least once a year.

But that has led to complaints about having to memorize complex strings.

Now the U.S. National Institute of Standards and Technology (NIST) is recommending a policy which may solve the problem: allowing long passphrases.

As part of a draft guideline on authentication and lifecycle management released this week, the agency suggests CISOs consider permitting phrases up to 64 characters long, not necessarily including caps, numbers or special characters.

“Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization,” says the paper.

Not only that, passphrases shouldn’t need to be changed periodically, unless there’s evidence of a compromise or the user asks.
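To make the contrast concrete, here is an added example (not from NIST or the article) that places the legacy 16-character composition rule beside a length-only check in the spirit of the draft, plus a rotation rule that triggers only on compromise or user request. The 8-character minimum, the NFKC normalisation and the blocklist contents are assumptions for the example; the page itself only gives the 64-character upper bound and the "any characters, including spaces" guidance.

```python
import unicodedata
from typing import Tuple

# Constructed sample blocklist standing in for a real breached-password corpus.
BLOCKLIST = {"password", "password123", "letmein", "qwerty123456"}

MAX_LEN = 64   # upper bound the draft suggests permitting (page: "up to 64 characters")
MIN_LEN = 8    # assumed minimum for this example; not stated on the page


def legacy_check(secret: str) -> Tuple[bool, str]:
    """The 16-character composition rule the article describes as current practice."""
    if len(secret) < 16:
        return False, "shorter than 16 characters"
    if not any(c.isupper() for c in secret):
        return False, "missing an uppercase letter"
    if not any(c.isdigit() for c in secret):
        return False, "missing a digit"
    if not any(not c.isalnum() and not c.isspace() for c in secret):
        return False, "missing a special character"
    return True, "ok"


def passphrase_check(secret: str) -> Tuple[bool, str]:
    """Length-only policy: any characters, spaces allowed, no composition rules,
    but known-compromised values are rejected (assumed, not stated on the page)."""
    # Assumption: normalise so visually identical input compares equal across clients.
    normalised = unicodedata.normalize("NFKC", secret)
    if len(normalised) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(normalised) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Compare case-insensitively and without spaces so trivial variants are caught too.
    canonical = "".join(normalised.lower().split())
    if canonical in BLOCKLIST:
        return False, "appears in the compromised-password list"
    return True, "ok"


def needs_rotation(record: dict) -> bool:
    """No calendar-based expiry: rotate only on evidence of compromise or user request."""
    return bool(record.get("compromised")) or bool(record.get("user_requested"))


if __name__ == "__main__":
    for secret in ["correct horse battery staple", "Tr0ub4dor&3", "Pass Word"]:
        print(repr(secret), "legacy:", legacy_check(secret), "passphrase:", passphrase_check(secret))
```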

It could work, says a Canadian cyber security expert. “I generally agree with the notion that a longer password doesn’t necessarily need (frequent) rotation,” said Nicholas Johnston, Toronto-based vice-president of global eDiscovery, digital forensics and information security at Duff & Phelps, a corporate finance consultancy headquartered in New York.

“A very long password (or passphrase in this instance) is far less likely to succumb to a brute-force attack which was one of the initial inspirations for requiring password rotation. However, if we adopt long passphrases but don’t get out of the bad password re-use habit (i.e. using the same password for many sites and services) it will still present a risk. If one of the sites that uses your super long passphrase gets breached, you would have to go change all your passwords. Password rotation would mitigate that risk somewhat. A better control is just to have a different password for each site/service and use something like a password manager to keep track of them.”

Most security pros already say passwords should be long and complex, said Merritt Maxim, an identity and access management analyst at Forrester Research. He pointed to Stanford University’s student and faculty guide as an example (it manages to be simple and colourful). So for Maxim, NIST’s recommendation already follows password best practices.

However, he added, “deployments of this approach will be constrained for the user experience and resulting supporting costs.”

NIST hasn’t formally approved the recommendation yet and is still taking comments.

Any change to password length will depend on whether a login page or application can accept longer strings. And long passphrases don’t negate the importance of two-factor authentication, which mitigates the risk of stolen passwords.

Howard Solomon