October 29, 2024

NIST Guidelines: Why it's time to rethink passwords

The traditional approach to password management is changing fast. Recent guidelines from the National Institute of Standards and Technology (NIST) challenge outdated practices such as frequent password changes and overly complex combinations.

While these updates are a step forward, at SSH Communications Security, we believe it’s time to move beyond passwords altogether.

NIST’s guidance marks a shift in how we view password security. For example, the current draft requires passwords to be at least 8 characters long (and recommends at least 15), requires verifiers to accept passwords of at least 64 characters, and drops periodic password changes unless there is evidence of compromise.

It also rules out security questions and password hints that are accessible before authentication, favoring stronger verification methods, and it endorses password managers as the way to handle long, unique passwords efficiently.

Although these changes are welcome, we believe there’s a more effective way to secure data—and that’s thinking beyond passwords entirely.


Key password recommendations

 

  1. A required minimum password length of eight characters, and a recommended minimum of 15 characters.
  2. A maximum password length of at least 64 characters.
  3. Acceptance of all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. No other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. No periodic change of passwords, unless there is evidence of a compromise.
  7. Prohibition on storing a hint that is accessible to an unauthenticated claimant.
  8. No prompting subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verification of the entire submitted password (i.e., no truncation).
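The items above are a verifier-side policy, and most of them are easy to get subtly wrong: counting bytes instead of code points (item 4), adding a "must contain a digit" rule out of habit (item 5), or letting a hashing library silently drop everything past a fixed byte limit (item 9). The following Python is an added example, not SSH's or NIST's code, that enforces items 1 to 5 and 9, hashes the full secret with PBKDF2-HMAC-SHA256 from the standard library, and includes a constructed "legacy" verifier that truncates at 72 bytes to show why item 9 matters. The NFKC normalization step, the 72-byte limit, and the sample secrets are assumptions of the example rather than anything taken from the page's list.

```python
"""Password acceptance and verification following the NIST SP 800-63B items
listed on this page. Added illustration, not SSH's or NIST's code: lengths are
counted in Unicode code points, no composition rules are applied, and the whole
secret is hashed and compared."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8            # item 1: SHALL be at least 8 characters
RECOMMENDED_LENGTH = 15   # item 1: SHOULD be at least 15 characters
MAX_LENGTH = 64           # item 2: verifiers SHALL accept at least 64
PBKDF2_ITERATIONS = 600_000


def normalize(password: str) -> str:
    # Assumption beyond the page's list: NFKC normalization, so the same visible
    # string typed on different platforms compares equal before counting/hashing.
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate secret ([] means accepted).

    len() on a str counts code points, as item 4 requires. Counting
    len(password.encode("utf-8")) would count bytes and mis-measure any
    multi-byte character.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} code points, minimum {MIN_LENGTH}")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: {len(pw)} code points, maximum {MAX_LENGTH}")
    # Items 3 and 4: every printing ASCII character, the space and any other
    # Unicode code point is accepted; only control characters are rejected.
    controls = [ch for ch in pw if unicodedata.category(ch) == "Cc"]
    if controls:
        problems.append(f"control character U+{ord(controls[0]):04X} not allowed")
    # Item 5: deliberately no rule demanding digits, upper case or symbols.
    return problems


def is_recommended_length(password: str) -> bool:
    """Item 1's SHOULD: report, but do not enforce, the 15-character advice."""
    return len(normalize(password)) >= RECOMMENDED_LENGTH


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the full UTF-8 encoding (item 9).
    PBKDF2 has no input length cap, so nothing is silently dropped."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def truncate_bytes(password: str, limit: int = 72) -> str:
    """Constructed counter-example of what item 9 forbids: keep only the first
    `limit` UTF-8 bytes, as some password-hashing libraries do by default."""
    return normalize(password).encode("utf-8")[:limit].decode("utf-8", "ignore")


def legacy_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hashing as a truncating verifier would do it (assumed 72-byte limit)."""
    return hash_password(truncate_bytes(password), salt)


def legacy_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Verification as a truncating verifier would do it."""
    return verify_password(truncate_bytes(password), salt, digest)


if __name__ == "__main__":
    # Constructed sample secrets: 36 two-byte characters fill 72 bytes, so the
    # distinguishing final character lies past the truncation point, while both
    # secrets (37 code points) are well inside the 64-character limit.
    secret_a = "é" * 36 + "A"
    secret_b = "é" * 36 + "B"
    print(check_password_policy(secret_a))           # []
    salt, digest = legacy_hash(secret_a)
    print(legacy_verify(secret_b, salt, digest))     # True: wrong secret accepted
    salt, digest = hash_password(secret_a)
    print(verify_password(secret_b, salt, digest))   # False: whole secret checked
```

The truncating verifier accepts a password that differs from the enrolled one, which is exactly the failure item 9 is written to prevent; with a 64-code-point maximum and multi-byte characters allowed, a 72-byte cap is reachable by legitimate users, so either hash the full secret with a function that has no input limit or pre-hash it before handing it to one that does.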

 

NIST’s guidelines reflect a shift away from reliance on complex passwords. However, even long, well-managed passwords remain vulnerable to phishing, reuse, and theft in breaches.


Why passwords are no longer enough

While NIST promotes password managers and biometric multi-factor authentication (MFA), we believe the future lies in going passwordless. Password managers simplify password use, but the passwords themselves remain the weak link: phishing, password reuse, and data breaches continue to expose them, however carefully they are managed.


According to IBM, compromised credentials are the most common initial attack vector, accounting for 16% of all breaches. According to Verizon, almost 38% of breaches involved compromised credentials.

At SSH, we have taken this a step further by combining strong biometric authentication, which verifies the user’s identity, with robust authorization controls for access to critical targets. This makes privileged access management passwordless end to end: from identity verification, through assigning a role and the level of privilege for the session, to authorizing access to the target.

The user never sees or handles any credentials, so there are no credentials left to manage. The result is a multi-layered defense that does not rely on passwords at all, and one that is more secure, scalable, and user-friendly.

NIST’s guidelines offer an improved framework, but at SSH, we’re pushing beyond traditional password management. We’re committed to fully passwordless solutions that not only meet regulatory standards but redefine them.

Learn more about our PrivX, Passwordless and Hybrid Privileged Access Management Solution.

 


Tag(s): NIST , PrivX , passwordless , keyless

Alina Preda

Alina is SSH’s Junior Communications Specialist, wielding over 7 years of experience as a journalist and content writer across various domains. In 2023, she shifted her focus from media to cybersecurity, where she continues to bring stories to life, craft compelling narratives, and bridge connections.
