Nobody likes passwords. Or, more specifically, nobody likes trying to remember passwords, especially when company systems force users to change their passwords every 60 or 90 days.
Industry standards had evolved to encourage users to change passwords frequently, using a complicated mix of upper- and lower-case letters, numbers and symbols between eight and 12 characters long. It was supposed to thwart credential theft, so that’s what companies enforced.
But the National Institute of Standards and Technology is changing its password recommendations in an effort to improve digital identity guidelines.
The agency no longer recommends users change passwords four or six times a year. Instead, a new password is in order if the previous one was compromised.
While NIST says passwords should have a minimum of eight characters, it recommends passwords with 15 characters and passphrases up to 64 characters without all the complex combinations.
The reason for the changes is the theory that forcing these requirements actually made passwords weaker.
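An added example (not from the article or from NIST) showing what a password-acceptance check looks like once the guidance above is applied: a length floor of eight, a recommended 15, passphrases accepted up to 64 characters, no composition rules, and a change required only when the password is known to be compromised. The breach list is a constructed stand-in for a real compromised-credential lookup.

```python
from dataclasses import dataclass, field

# Constructed sample of known-compromised passwords; a real deployment would
# query a breach corpus instead of a hard-coded set.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "Summer2023!"}

MIN_LENGTH = 8          # floor the article attributes to NIST
RECOMMENDED_LENGTH = 15 # length NIST recommends, per the article
MAX_LENGTH = 64         # passphrases up to 64 characters must be accepted


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)   # hard failures
    warnings: list = field(default_factory=list)  # advisory only


def evaluate_password(candidate: str, compromised=COMPROMISED) -> PolicyResult:
    """Accept or reject a candidate password under the updated guidance.

    Deliberately absent: any rule about upper/lower case, digits or symbols.
    Spaces are allowed so that multi-word passphrases pass unchanged.
    """
    result = PolicyResult(accepted=True)
    length = len(candidate)  # characters, not bytes, so Unicode is not penalised

    if length < MIN_LENGTH:
        result.accepted = False
        result.reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        result.accepted = False
        result.reasons.append(f"longer than {MAX_LENGTH} characters")
    if candidate in compromised:
        result.accepted = False
        result.reasons.append("appears in a known-compromised password list")
    if result.accepted and length < RECOMMENDED_LENGTH:
        result.warnings.append(
            f"accepted, but {RECOMMENDED_LENGTH}+ characters is recommended")
    return result


def rotation_required(current_password: str, compromised=COMPROMISED) -> bool:
    """No calendar-based expiry: a new password is required only when the
    current one is known to be compromised."""
    return current_password in compromised


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "short1!", "Summer2023!"):
        r = evaluate_password(pw)
        print(f"{pw!r}: accepted={r.accepted} reasons={r.reasons} warnings={r.warnings}")
```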
That sounds like great news for anyone who suffers from password fatigue, but more people are using some sort of password manager, whether a third-party option or one built into the operating system.
Many companies require some sort of multifactor authentication or biometric system to add layers of protection for credentials and some let you skip the password stage altogether.
Even advancements in authentication technology have not spelled the end for passwords.
Passwords aren’t going anywhere because they continue to be required as part of regulatory compliance, according to Stephen Lee, VP, technical strategy and partnerships at Okta.
“And part of it is a legacy thing because most applications still use a password,” said Lee at Okta’s Oktane conference.
Sometimes there is no other option. There are industries and companies that have barriers to using other authentication technologies. Many government agencies, for instance, don’t allow employees to have smartphones in their offices, so they can’t use authenticators that rely on SMS or app-based authorization.
Preventing identity-based attacks
Passwords are no longer a thing of the present — they should be thought of as a thing of the past, according to Charlotte Wylie, deputy CSO at Okta. They are cumbersome, and weak passwords are too easy to guess.
This leads to identity-based attacks, exposing not only the users but also the data they are producing.
From a governance standpoint, to protect data and networks, the key is to make sure that the right people have the right access at the right time. Rather than emphasize particular password guidelines, it is better to use an identity governance tool that is based on lifecycle management.
“Identity and security go hand in hand, so it is about securing identity from zero trust,” said Wylie during a conversation at Oktane in Las Vegas.
An increasing number of attacks involve identity, which makes it important that access is strictly managed and that security is baked into the identity solutions.
“We want our customers to adopt that technology as quickly as possible to reduce the chances of having identity-based attacks,” said Wylie.
There is a movement to support identity governance and continuous contextual authentication authorization, which should ensure that users have access to the right applications or data at the right time.
Focusing on identity governance solutions and moving away from the more traditional authentication models prevents downtime, takes away the security risk of unauthorized access and builds better collaboration, according to Punit Minocha, EVP business and corporate development with Zscaler.
Through continuous contextual authentication authorization, security teams are able to catch questionable access and possible credential theft in real time. With zero trust architectures, and solutions like single sign-on and identity access management, the importance of the password decreases, said Lee.
Shifting the focus to tools around identity governance also benefits companies when onboarding or offboarding employees. It can also help when employees are moving into new roles or taking on new projects — it takes time for IT to add and remove access.