
The National Institute of Standards and Technology (NIST) has officially updated its guidelines (NIST Special Publication 800-63B) to discourage outdated password practices. Key changes include:
– No more forced 90-day password rotations
– No mandatory special characters
– Focus on longer passphrases
– Checking against known compromised passwords
Modern security emphasizes smarter defaults rather than punishing users with complex, hard-to-remember passwords. The shift aligns with the industry move toward passwordless authentication (FIDO2/WebAuthn passkeys and platform authenticators such as Windows Hello). OAuth and JWTs are often listed alongside these, but they are delegation and token formats layered on top of an authentication event, not replacements for the primary credential.
Reference: NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
You Should Know: Practical Implementation & Security Best Practices
1. Enforcing Strong Passphrases (Linux/Windows)
Instead of `P@ssw0rd!`, encourage passphrases in the style of `CorrectHorseBatteryStaple`: several unrelated words, easy to remember, long enough to resist guessing. Use the pattern, not that exact string, which is now so widely known that any real blocklist should reject it.
Linux (PAM Configuration)
Edit `/etc/security/pwquality.conf` (read by `pam_pwquality`, which the `password` stack in `/etc/pam.d/` must already invoke):
sudo nano /etc/security/pwquality.conf
Add/modify:
minlen = 14
maxrepeat = 3
dictcheck = 1
usercheck = 1
enforcing = 1
Leave `minclass` and the `dcredit`/`ucredit`/`lcredit`/`ocredit` settings at their default of 0 so no character-class composition rule is imposed; length plus the dictionary and username checks carry the policy. Note that `dictcheck` only catches dictionary words; it is not a breached-password check.
Windows (Group Policy)
1. Open `gpedit.msc` (or the Group Policy Management Console for a domain policy)
2. Navigate to:
`Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy`
3. Set:
- Minimum password length: 14
- Maximum password age: 0 (passwords do not expire; this is the setting that ends forced rotation)
- Enforce password history: keep it enabled (the domain default is 24); NIST drops periodic rotation, not reuse prevention
- Password must meet complexity requirements: Disabled
Turning complexity off without a banned-password check lets `password123456` through, so pair this with a compromised-password check (next section). On-prem AD has none built in; Microsoft Entra Password Protection can extend a banned-password list to domain controllers.
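The policy the Linux and Windows settings above express, written out as a verifier-side acceptance check. This is an added example, not code from the page or from NIST; the blocklist, the keyboard rows, the context words and the thresholds are constructed sample data, and in production the blocklist would come from a breached-password corpus as described in the next section.

```python
"""Verifier-side password acceptance check in the spirit of NIST SP 800-63B 5.1.1.2.

Added example, not code from the page or from NIST. The blocklist, the
keyboard rows and the thresholds are constructed sample data; in production
the blocklist comes from a breached-password corpus.
"""
import re
import unicodedata

MIN_LEN = 14      # this page's choice; the NIST floor is 8
MAX_LEN = 128     # NIST: accept at least 64 characters, never truncate silently
MAX_REPEAT = 3    # same meaning as pwquality's maxrepeat: "aaaa" is rejected

# Constructed sample blocklist (compromised and common passwords, lowercase).
BLOCKLIST = {"password", "correcthorsebatterystaple", "letmein123456"}

# Alphabet, digits and keyboard rows; checked in both directions.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(pw):
    """NIST asks for Unicode normalization so equivalent inputs compare equal."""
    return unicodedata.normalize("NFKC", pw)


def has_long_run(pw, max_repeat=MAX_REPEAT):
    """True if one character appears more than max_repeat times in a row."""
    return re.search(r"(.)\1{%d,}" % max_repeat, pw) is not None


def has_sequence(pw, length=5):
    """True if pw contains `length` consecutive characters of any SEQUENCES entry."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + length] in low for i in range(len(s) - length + 1)):
                return True
    return False


def check_password(pw, context_words=(), blocklist=BLOCKLIST):
    """Return the list of rejection reasons; an empty list means 'accept'.

    Deliberately no composition rules (upper/lower/digit/symbol): 800-63B says
    verifiers SHOULD NOT impose them. Length and blocklists carry the policy.
    """
    pw = normalize(pw)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if low in blocklist:
        reasons.append("appears in the compromised/common password blocklist")
    for word in context_words:               # username, service name, company name
        if word and word.lower() in low:
            reasons.append("contains context-specific word '%s'" % word)
    if has_long_run(pw):
        reasons.append("a character repeats more than %d times" % MAX_REPEAT)
    if has_sequence(pw):
        reasons.append("contains a sequential run such as abcde, 12345 or qwert")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "CorrectHorseBatteryStaple",
                      "blue kettle whistles at dawn"):
        verdict = check_password(candidate, context_words=("acme",))
        print(repr(candidate), "->", "accepted" if not verdict else "; ".join(verdict))
```

Note what is absent: no check for uppercase, digits or symbols. A lowercase four-word passphrase is accepted, while `P@ssw0rd!` fails only on length and the famous xkcd string fails on the blocklist, which is exactly the trade NIST recommends.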
2. Checking for Compromised Passwords
Use the Have I Been Pwned (HIBP) Pwned Passwords API for breached-password checks. `libpwquality` is not a substitute: its `dictcheck` only matches dictionary words, not leaked credentials.
Linux (k-anonymity range query with curl, bash)
Only the first five hex characters of the SHA-1 leave the machine; the password is read from the terminal so it never lands in shell history or `ps` output:
read -rs -p 'Password to check: ' pw; echo
hash=$(printf '%s' "$pw" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'); unset pw
curl -s -H 'Add-Padding: true' "https://api.pwnedpasswords.com/range/${hash:0:5}" | tr -d '\r' | grep "^${hash:5}:" || echo "not found in HIBP"
A hit prints `SUFFIX:COUNT`. The `Add-Padding` header makes HIBP pad every response with zero-count entries so response size does not leak how populated a range is.
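The same lookup as a reusable function, testable offline. This is an added example, not code from the page or from HIBP; `SAMPLE_RANGES` is a constructed cache in the API's real line format (uppercase 35-character suffix, colon, count), and the counts are made up. Only `fetch_range` touches the network and nothing here calls it.

```python
"""Offline-testable Have I Been Pwned k-anonymity check.

Added example, not code from the page or from HIBP. Only the first five hex
characters of the SHA-1 go to the API; the 35-character suffix is matched
locally. SAMPLE_RANGES is a constructed cache with made-up counts.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range is 5BAA6.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password"); count is made up
        "003D68EB55068C33ACE09247EE4C639306B:0",        # zero-count padding entry (Add-Padding)
        "F" * 35 + ":2",                                # another constructed hit
    ]) + "\r\n",
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex digest into the part sent (5) and the part kept (35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Map suffix -> count, dropping blank lines and zero-count padding entries."""
    counts = {}
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:                       # padding rows carry 0 and mean "no information"
            counts[suffix.upper()] = n
    return counts


def offline_lookup(prefix):
    """Stand-in for the network: constructed cache; unknown prefixes yield an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range(prefix):
    """Real lookup (not used offline). Add-Padding hides the true response size."""
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "passphrase-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=offline_lookup):
    """Times the password appears in known breaches (0 = not in that range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def is_compromised(password, lookup=offline_lookup):
    return breach_count(password, lookup) > 0


if __name__ == "__main__":
    for pw in ("password", "blue kettle whistles at dawn"):
        print(repr(pw), "->", breach_count(pw), "breach occurrences")
```

Swap `lookup=fetch_range` in for a live check. Treat any non-zero count as a rejection: even a single occurrence means the value is in an attacker's wordlist.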
Windows (PowerShell audit of password age in Active Directory)
This is an audit of stale credentials, not a breach check: AD has no built-in compromised-password lookup. Microsoft Entra Password Protection can push a banned-password list down to domain controllers for that.
Import-Module ActiveDirectory
# Enabled accounts only; -Properties is needed because PasswordLastSet is not returned by default
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet
foreach ($User in $Users) {
    # A null PasswordLastSet means the password was never set or must change at next logon
    if (-not $User.PasswordLastSet -or $User.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
        Write-Output "$($User.SamAccountName): password unchanged for over a year (or never set)"
    }
}
3. Migrating to Passwordless Authentication
Linux (SSH Key-Based Auth)
ssh-keygen -t ed25519
ssh-copy-id user@remote-server
Confirm a key-based login works from a second terminal before touching the server config. Then disable password and keyboard-interactive logins in `/etc/ssh/sshd_config` (`ChallengeResponseAuthentication` is the pre-8.7 name for `KbdInteractiveAuthentication`; setting both is harmless):
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Validate with `sshd -t`, restart the service, and keep the existing session open until a fresh login succeeds. sshd uses the first value it reads for each keyword, and everything after a `Match` line belongs to that block, so put these lines in the global section rather than appending them to a file that already has `Match` blocks.
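Applying and verifying those sshd_config changes programmatically, as an added example that is not from the page or from OpenSSH. `SAMPLE_CONFIG` is a constructed file; the design rests on two sshd behaviours: the first value of a keyword wins, and everything after a `Match` line belongs to that block.

```python
"""Idempotent sshd_config hardening for key-only logins.

Added example, not code from the page or from OpenSSH. SAMPLE_CONFIG is a
constructed file. Two sshd facts drive the design: for each keyword the
FIRST value in the file wins, and everything after a `Match` line belongs to
that block, so directives appended to the end do not apply globally.
"""
import re

HARDENED = {
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",     # OpenSSH 8.7+ name
    "ChallengeResponseAuthentication": "no",  # legacy alias; harmless to set both
    "PubkeyAuthentication": "yes",
}
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")

SAMPLE_CONFIG = """\
# Constructed sample sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_directive(line):
    """Return (is_commented, keyword, value) or None for blank/free-text lines."""
    m = _DIRECTIVE.match(line)
    return (m.group(1) is not None, m.group(2), m.group(3)) if m else None


def harden_sshd_config(text):
    """Rewrite the global section so every HARDENED keyword is set exactly once."""
    wanted = {k.lower(): (k, v) for k, v in HARDENED.items()}
    emitted, out, in_match = set(), [], False

    def add_missing():
        for lk, (k, v) in wanted.items():
            if lk not in emitted:
                out.append("%s %s" % (k, v))
                emitted.add(lk)

    for line in text.splitlines():
        d = parse_directive(line)
        if d and not d[0] and d[1].lower() == "match":
            if not in_match:
                add_missing()          # last chance to set global values
                in_match = True
            out.append(line)
            continue
        if in_match or d is None or d[1].lower() not in wanted:
            out.append(line)           # Match blocks are left alone (see match_block_overrides)
            continue
        commented, kw, _ = d
        key, value = wanted[kw.lower()]
        if kw.lower() in emitted:
            # First value wins in sshd; neutralise later duplicates so nobody is misled.
            out.append(line if commented else "#%s  # superseded above" % line.strip())
        else:
            out.append("%s %s" % (key, value))   # replaces an active line or a commented stub
            emitted.add(kw.lower())
    if not in_match:
        add_missing()
    return "\n".join(out) + "\n"


def effective_global(text):
    """First-match semantics: the value sshd actually uses for each HARDENED keyword."""
    result = {}
    for line in text.splitlines():
        d = parse_directive(line)
        if not d or d[0]:
            continue
        if d[1].lower() == "match":
            break
        for k in HARDENED:
            if d[1].lower() == k.lower() and k not in result:
                result[k] = d[2]
    return result


def match_block_overrides(text):
    """(line number, line) for HARDENED keywords inside Match blocks; review these by hand."""
    flagged, in_match = [], False
    keys = {k.lower() for k in HARDENED}
    for n, line in enumerate(text.splitlines(), 1):
        d = parse_directive(line)
        if not d or d[0]:
            continue
        if d[1].lower() == "match":
            in_match = True
        elif in_match and d[1].lower() in keys:
            flagged.append((n, line.strip()))
    return flagged


if __name__ == "__main__":
    print(harden_sshd_config(SAMPLE_CONFIG))
    print("effective:", effective_global(harden_sshd_config(SAMPLE_CONFIG)))
    print("review:", match_block_overrides(SAMPLE_CONFIG))
```

Run it on a copy, diff the result, then check it with `sshd -t -f <copy>` before installing. The `Match` block in the sample keeps password logins for 10.0.0.0/8; the tool reports that line rather than silently changing it, because such exceptions are usually deliberate and need a human decision.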
Windows (Windows Hello for Business)
1. In Group Policy, enable:
`Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business → Use Windows Hello for Business`
2. Deploy via an Intune account protection policy or GPO. Users then enrol a PIN or biometric that unlocks a key held in the device's TPM; the password is no longer what is presented at sign-in.
What Undercode Says
NIST's shift reflects real-world security:
– Longer passphrases beat complex gibberish
– Stop forcing resets unless there is evidence of compromise
– Adopt passwordless where possible
Yet enterprises lag because of PCI DSS, legacy systems and compliance inertia. The future is passkeys, FIDO2 and biometrics, but until then, enforce NIST's guidelines proactively.
Prediction
- 2025-2026: Major breaches will push enterprises to fully adopt passwordless auth.
- Regulatory bodies (PCI, ISO 27001) will align with NIST by 2027.
Expected Output
– Strong passphrases enforced
– Compromised password checks in place
– Passwordless auth (SSH keys, Windows Hello) deployed
– Legacy password policies deprecated
Reported By: Bsloane Nist – Hackers Feeds