NIST Has Spoken: Death to Complexity, Long Live the Passphrase!


NIST has spoken, and we could not be more excited.[1] For years, the security community has inflicted one of the most painful behaviors to date — the dreaded complex password. We have watched many times in horror as security researchers made fun of ordinary computer users for using simple passwords, often calling out hacked databases of passwords and bemoaning what is wrong with the world. In reality, these very same people should have taken the time to look in the mirror and see what they were inflicting on others.

Strong passwords are so simple! All you need is 12 characters, one uppercase character, one lowercase character, one number, one symbol, and nothing known about you. Then change all your passwords every 90 days. Oh, did we mention that you must have a unique, complex password for every account and never, ever write it down? How could it be any simpler?

For years people and organizations like Per Thorsheim's PasswordsCon, Dr. Cormac Herley, Dr. Angela Sasse, and the UK's National Cyber Security Centre (NCSC) have fought against this. Finally, these painful behaviors have been put to rest by NIST in their official publication, SP 800-63-3, Digital Identity Guidelines. While it's a rather large series of documents, they cover passwords in sections,, and Appendix A. Long story short, NIST states:

  • Complexity is dead; focus on password length. Stop inflicting painful complexity requirements; instead, long live the passphrase.
  • Time for password expiration to die. Only change passwords if you are concerned they may have been compromised.
  • Systems should support the use of password managers. Password managers are simple to use and help you securely store all your passwords or passphrases in one place.

At first, this may not sound like a big deal, but these changes are huge. We are bringing common sense into the world of passwords. Instead of trying to focus on what is the academically PERFECT password, we are taking the human element into consideration. Far too often, security fails because we forget people are involved. Complex passwords are not only confusing to remember, but also time-consuming and painful to type in manually. In fact, the Wall Street Journal published a fascinating article on the background behind NIST's original thinking and on how the original authors now feel about just how bad password complexity is. It's even more painful when you require people to change these complex passwords regularly.

The biggest resisters to these changes will most likely be the highly technical security community who repeatedly forget that people are a part of any organization's security, and that every behavior also has a cost. In addition, certain organizations may be required to use password complexity due to regulations or standards such as NERC CIP-007-6 R5.[2]


  1. For those who want to read more about NIST's stance on passwords, you can download Special Publication 800-63, Digital Identity Guidelines.
  2. For more on the related topic of password expiration and how to address the risks of passwords with minimal cost to your organization, read Lance Spitzner's recent Security Matters blog, Time for Password Expiration to Die.

Lance Spitzner is director of the SANS Institute Securing the Human Program. Follow @lspitzner on Twitter or visit his Security Awareness Blog.

© 2017 Lance Spitzner. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.