The landscape of password management is evolving rapidly. Recent guidance from the National Institute of Standards and Technology (NIST) is challenging outdated norms, such as frequent password changes and complex requirements that were once seen as essential to security.
While these updates mark progress, SSH Communications Security believes it’s time to take an even bolder step: moving beyond passwords entirely.
Shifting Perspectives on Password Security
NIST’s updated guidelines reflect a reimagined approach to password security. For example, they now recommend a minimum password length of 8 characters (with support up to 64 characters) and suggest eliminating periodic changes unless there’s evidence of compromise. They also discourage using security questions and hints, opting for stronger verification methods, and endorse password managers to handle complex passwords more efficiently.
Although these changes improve the security landscape, we believe there’s an even better way forward—one that doesn’t rely on passwords at all.
Key Recommendations in NIST’s Guidance
NIST’s guidance includes the following recommendations:
- Minimum password length of 8 characters, with a preference for 15 characters or more.
- Allowing up to 64 characters in password length.
- Accepting a broad range of characters, including all printing ASCII characters, spaces, and even Unicode characters.
- Avoiding composition rules, like mixing character types, that add complexity without significantly boosting security.
- Removing the need for periodic password changes, unless a compromise is suspected.
- Prohibiting the use of hints accessible to unauthenticated users.
- Avoiding knowledge-based questions, such as “What’s your mother’s maiden name?”
- Ensuring that the full password is verified without truncation.
These changes represent a positive shift away from complex passwords; however, even the best-managed passwords remain susceptible to risks.
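The rules in the list above, as an added example (not code from NIST, SSH or DT Asia): a Python acceptance check and verifier that apply the length limits, accept spaces and Unicode, apply no composition rules and hash the full password without truncation. The 64-character cap, the control-character rule, the NFKC normalization step and the PBKDF2 parameters are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8           # minimum length from the list above
MAX_LEN = 64          # assumption: cap at the 64 characters the list says must be allowed
ITERATIONS = 600_000  # assumption: PBKDF2 work factor, not a value from the page

def normalize(password: str) -> str:
    # NFKC (assumption) so the same visible Unicode password always yields the same bytes
    return unicodedata.normalize("NFKC", password)

def check_new_password(password: str) -> list:
    """Return rejection reasons; an empty list means the password is accepted."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:  # len() counts code points, not bytes
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    # Printing ASCII, spaces and Unicode are all accepted; only control
    # characters are refused (assumption). No composition rules are applied.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("contains a control character")
    return problems

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Hash the full normalized password; nothing is truncated."""
    salt = salt or os.urandom(16)
    data = normalize(password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

if __name__ == "__main__":
    # Constructed sample passwords
    for sample in ["short", "correct horse battery staple", "pässwörd mit leerzeichen"]:
        print(repr(sample), check_new_password(sample) or "accepted")
```

Two 64-character passwords that differ only in the final character must verify differently; a scheme that truncates its input would treat them as the same password.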
Why Passwords Are No Longer Sufficient
While NIST’s guidelines advocate for password managers and multi-factor authentication (MFA), we believe the future lies in eliminating passwords altogether. Passwords, even when managed with care, remain vulnerable to threats like phishing, credential reuse, and data breaches.
In fact, according to IBM, compromised credentials are the initial attack vector in 16% of breaches, while Verizon reports that nearly 38% of breaches involve credential compromise.
At SSH, we’re pushing the envelope by combining advanced biometric authentication with robust authorization controls for secure access to critical resources. This approach creates an end-to-end passwordless model for privileged access management, from verifying user identity to assigning roles and privileges during each session.
With this approach, users never see or handle credentials, eliminating the need to manage them. This creates a multi-layered defense that is more secure, scalable, and user-friendly than traditional password-based methods.
Beyond NIST: The Path to Passwordless Security
NIST’s guidelines lay the foundation for a more secure framework, but at SSH, we are advancing beyond traditional password management to fully passwordless solutions. Our commitment is to deliver security that not only meets but redefines regulatory standards.
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
How we help
If you need to know more about NIST guidelines, you’re in the right place, and we’re here to help. DTA is SSH’s distributor, especially in Singapore and Asia. Our technicians have deep experience with the product and relevant technologies that you can always trust, and we provide turnkey solutions for this product, including consultation, deployment, and maintenance service.
To know more: https://dtasiagroup.com/ssh/