NIST Releases New Password Rules

We’ve known for a long time that passwords generally suck. But what is somewhat new is all the research into how passwords are generally bad and how to fix them so that they’re better. The United States National Institute of Standards and Technology (NIST) has collected all this research and is formulating guidelines for password policies to be used across the whole of the US government.

This is great news and is even being developed in public on GitHub!¹ It is a collection of password best practices that every website or application developer should follow. My favorite part is:

Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!
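
One way an application could honor that rule, as an added example that is not from the original post or from NIST's text: accept any printable characters, count length in code points, and normalize before hashing so the same password typed on different keyboards still matches. The length limits, the NFKC normalization step, the control-character check, and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import unicodedata
from typing import Tuple

MIN_LENGTH = 8    # assumed policy value, not stated in the post
MAX_LENGTH = 64   # assumed policy value; a larger limit is also fine


def normalize_password(password: str) -> str:
    """Return the canonical form that is length-checked and hashed."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> Tuple[bool, str]:
    """Accept printable ASCII (spaces included) and any Unicode text.
    Reject only on length or on control characters."""
    normalized = normalize_password(password)
    # len() counts code points, not bytes, so a 4-byte emoji counts once.
    if len(normalized) < MIN_LENGTH:
        return False, "too short"
    if len(normalized) > MAX_LENGTH:
        return False, "too long"
    for ch in normalized:
        # Category Cc covers control characters such as NUL, TAB and ESC.
        if unicodedata.category(ch) == "Cc":
            return False, "control character"
    return True, "ok"


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the normalized UTF-8 bytes so equivalent spellings match."""
    data = normalize_password(password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, 600_000)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the post.
    samples = [
        "correct horse battery staple",   # spaces are allowed
        "p\u00e4ssw\u00f6rd \U0001F511\U0001F511",  # accents and emoji
        "\U0001F511" * 8,                 # eight emoji, eight code points
        "short",                          # fails on length only
        "tab\tseparated pw",              # contains a control character
    ]
    for pw in samples:
        print(repr(pw), check_password(pw))
```
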

  1. Under the rather opaque name of “Special Publication 800-63-3: Digital Authentication Guidelines”. That’s bureaucracy for you 😆



Copyright © 2010-2021 by Lee Dohm