A Fresh Take on Passwords: NIST’s New Guidelines for a Safer Digital World

Passwords. Love them or hate them (and let’s be honest, most of us fall into the latter category), they are the gatekeepers of our digital lives. Whether it’s for accessing your bank account, logging into your work email, or safeguarding sensitive company data, passwords are everywhere. Yet, despite their ubiquity, they are also one of the most criticized and inconvenient elements of modern security. Users forget them, reuse them, or—my personal favorite—write them on sticky notes attached to their monitors. Clearly, there’s room for improvement.

Enter the National Institute of Standards and Technology (NIST). NIST is a U.S. federal agency that develops and promotes standards, including those for cybersecurity. Think of them as the rulebook writers of the digital world, ensuring that organizations have a baseline to follow. Their guidelines influence how we manage and secure digital identities. Now, they have revised their stance on passwords.

Revisiting NIST’s Old, Tiresome Password Rules

Traditionally, NIST’s guidance on passwords felt like it was inspired by a “harder is better” philosophy. Their old rules, once considered the gold standard, pushed for complex combinations—uppercase, lowercase, numbers, special characters, and a minimum length of eight characters. Additionally, they recommended frequent password changes, every 60 to 90 days, whether you liked it or not. These rules aimed to make passwords hard for attackers to guess but, unfortunately, they also made it nearly impossible for users to remember.

To make matters worse, users often created predictable variations like “Password1!” or “Summer2024!”, which met NIST’s complexity requirements but were anything but secure. The result was a lot of frustration, password fatigue, and ultimately, a password ecosystem that wasn’t as secure as it seemed. NIST’s old rules, despite good intentions, were becoming outdated in an evolving digital landscape.

New Password Rules Move Away from “Complexity at all costs”

NIST’s new publication, SP 800-63B, signals a shift away from this “complexity at all costs” mentality. The new approach is more about practicality and user behavior. Here’s the crux of what’s changed:

  • Elimination of Mandatory Password Changes: NIST now advises against forcing routine password changes unless there’s evidence of compromise. This is a significant departure from the old 60-to-90-day rotation rule.
  • Focus on Longer Passwords: Instead of complex eight-character passwords, NIST encourages longer passwords or passphrases, ideally 15-64 characters long. Length is the new complexity.
  • Screening Against Common Passwords: The new rules suggest screening passwords against a blacklist of common passwords (e.g., “123456” or “password”), as well as those compromised in data breaches.
  • Simplification of Complexity Requirements: No more forcing special characters, uppercase letters, or numbers. The focus is on letting users create memorable, longer passphrases.

The Benefits and Reasoning Behind the New NIST Password Rules

So, why the shift? NIST’s new approach focuses on making passwords both secure and user-friendly. The reasoning is simple: people are more likely to choose secure passwords if they don’t feel overly burdened. Longer passphrases, like “iloverunningintherain,” are easier to remember and far harder to crack than “Pa$$w0rd!” despite their simplicity.

By eliminating forced password changes, NIST acknowledges that users tend to create weaker passwords when pressured to change them frequently. Instead of randomizing complex characters, they might just increment a number or append “!” to a previous password—hardly a security improvement.

Additionally, the emphasis on screening passwords against known compromised lists addresses the reality that attackers often leverage databases of leaked credentials. This way, even if users choose a seemingly simple password, it won’t be allowed if it’s too common or previously exposed.
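As an added illustration (not code from the article or from Suridata), the following Python verifier-side check applies the rules summarized in the list above and the breach screening discussed here: a 15-to-64 character length bound, no composition rules, a common-password blocklist, and a breach lookup that splits the SHA-1 hash into a short prefix and a suffix the way k-anonymity range queries do. The blocklist, the breached-password sample, and the `context_words` parameter are constructed assumptions for the example.

```python
import hashlib
import unicodedata

# Bounds from the article's summary of SP 800-63B: at least 15 characters,
# and the verifier accepts passphrases up to 64 (a higher cap is permitted).
MIN_LEN = 15
MAX_LEN = 64

# Constructed sample blocklist; a real one is far larger and breach-derived.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "correcthorsebatterystaple"}

# Constructed sample of passwords treated as "seen in a breach". They are kept
# only as SHA-1 hashes split into a 5-hex-char prefix and the remaining suffix,
# the layout used by k-anonymity breach APIs, so a querying client reveals
# nothing but the prefix.
_BREACHED_SAMPLE = ["thisismypassword2024", "Summer2024!", "Password1!"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(breached_passwords) -> dict:
    """Map SHA-1 prefix -> set of suffixes for the constructed sample."""
    index = {}
    for pw in breached_passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(_BREACHED_SAMPLE)


def is_breached(password: str, index: dict = None) -> bool:
    """Range lookup: the prefix selects a bucket, the suffix is matched locally."""
    index = BREACH_INDEX if index is None else index
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, context_words=()) -> tuple:
    """Return (accepted, reason). Deliberately no composition rule: no
    uppercase, digit or symbol is demanded. Rotation is not a property of
    the secret, so it is not checked here; it follows evidence of compromise."""
    # Normalize so visually identical Unicode input hashes identically
    # (SP 800-63B recommends NFKC/NFKD; the article does not cover this).
    pw = unicodedata.normalize("NFKC", password)
    # Length is counted in characters: spaces and non-ASCII each count as one.
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on the common-password blocklist"
    # SP 800-63B also screens context-specific words (username, service
    # name); here they arrive as an assumed caller-supplied tuple.
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    if is_breached(pw):
        return False, "found in breach data"
    return True, "accepted"
```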

Pros and Cons of the New Rules

Pros:

  • User-Friendly: The shift to longer passphrases over complex short passwords and fewer forced changes reduces user frustration and the likelihood of poor password practices (like writing them down or reusing them).
  • Better Security: Screening against known compromised passwords increases the effectiveness of password policies, ensuring even simple but memorable passphrases offer more security.
  • Adaptability: The new rules acknowledge that different contexts and environments may require different approaches, allowing flexibility for organizations to implement contextually appropriate policies.

Cons:

  • Overreliance on Length: While longer passwords are generally more secure, they may still be vulnerable if users create predictable phrases. According to HIVE Security’s research, length alone does not provide sufficient protection—passwords must also be random and complex to be truly effective. Even long phrases like “thisismypassword2024” could be compromised quickly if attackers identify predictable patterns.
  • Reduced Complexity Requirements: Dropping character-type requirements might lead to simpler passwords that, while longer, could still be easy to guess for sophisticated attackers. HIVE’s findings underscore that attackers can use advanced algorithms and brute force tools that efficiently crack predictable long passwords if they lack adequate complexity.
  • Potential for Complacency: By removing mandatory password changes, there’s a risk of users becoming complacent and not updating their passwords even when necessary. HIVE’s research supports the notion that a combination of length, complexity, and frequent updates is crucial, especially for critical accounts and sensitive systems.

These findings highlight that while NIST’s guidelines aim for a balanced approach, relying solely on passphrase length without incorporating complexity can leave systems vulnerable.

Challenging the New Rules: A Balanced Perspective

While NIST’s new guidelines are a step in the right direction, they don’t eliminate the need for a nuanced approach. It’s tempting to take these guidelines as gospel and think you’re covered, but security is about context and risk management. For example, while mandatory password changes might be less necessary for most users, critical accounts like admin credentials and access to sensitive systems may still benefit from periodic updates, especially when monitoring and detection capabilities are limited.

Even when using multi-factor authentication (MFA) and other layers of authentication protection, it’s important to recognize that these measures are not bulletproof. Each layer has its own vulnerabilities—MFA can be bypassed through phishing, SIM-swapping, or social engineering attacks, and biometric systems can be tricked. This means that having a strong, secure, and complex password remains a highly important aspect of defense, as it serves as the first barrier an attacker must overcome.

HIVE Security’s research shows that while longer passphrases are helpful, they are not sufficient on their own if they are not complex. People tend to be creatures of habit, and even with longer options, they might stick with predictable patterns. NIST’s guidelines offer a solid foundation, but they aren’t a one-size-fits-all solution. Regular risk assessments, monitoring for breaches, and employing MFA remain critical components of a robust password strategy, but they must be accompanied by strong password hygiene. By maintaining these fundamentals and not becoming complacent with any single layer of protection, organizations can build a resilient and adaptive security posture.

Conclusion

NIST’s new guidelines represent a much-needed modernization of password management. They move away from overly complicated requirements that frustrated users and didn’t necessarily improve security. By focusing on practical, user-friendly solutions like longer passphrases and eliminating unnecessary password changes, NIST aligns better with how people use and remember passwords in real-world scenarios. This shift is not just about improving security but also about improving compliance—when security measures are easier to follow, people are more likely to follow them.

However, it’s important to remember that no single set of guidelines will fit every situation perfectly. The new NIST rules are a strong foundation, but organizations should tailor them to their unique risk profiles and threat environments. Whether that means adding complexity back in, requiring occasional password changes for critical accounts, or pairing these measures with other layers like MFA and biometric authentication, the key is not to become complacent. Even with the best guidelines, strong and secure passwords remain an essential part of a layered security approach.

In the end, passwords are still a critical defense mechanism, and while the goal is to make them easier to manage without compromising security, organizations must remain vigilant. The balance between usability and security is a delicate one, and while NIST’s new rules make strides in the right direction, it’s up to each organization to assess their own risks and ensure that they build the most resilient password policies possible.

How Suridata Helps Build Stronger SaaS Security Postures

As organizations embrace NIST’s modern guidelines and move beyond traditional password management, it’s crucial to ensure that these improvements extend to SaaS ecosystems. Suridata’s SaaS Security platform provides comprehensive visibility into the risks posed by misconfigurations, third-party integrations, and user behavior across SaaS applications. With an agentless, non-intrusive approach, Suridata identifies weak points—such as missing or weak MFA requirements, non-IdP user accounts, compromised credentials or unauthorized third-party access—enabling organizations to enforce security policies proactively. By continuously monitoring user activities, including password hygiene and access patterns, Suridata ensures that companies not only comply with best practices but also stay ahead of potential breaches across the entire SaaS environment.


Haviv Ohayon

Co-Founder & COO


Confronting the Risk of Shadow AI

Close your eyes and try to picture the following scenario, which could be happening in your organization at this very moment: An employee uses a personal credit card to sign up for a software-as-a-service (SaaS) solution for generative artificial intelligence (GenAI). The solution touts its ability to create a customized large language model (LLM) based on your organization’s unique data set. It goes to work ingesting documents from your internal file repositories and quickly becomes capable of generating written content that’s aligned with your business needs. No one in your IT department, security team, or AI governance body has any idea that this is happening.

That’s good, right? Maybe not. While it’s great that your employees are showing initiative, this kind of “shadow AI” activity is actually a serious source of risk exposure. Like shadow IT and shadow SaaS, shadow AI creates many different opportunities for security problems. These include data leakage, compliance violations, and legal liability. This article explores the nature of shadow AI and discusses ways to mitigate the threat it poses.

What is Shadow AI?

Most well-run enterprises have established processes and policies for AI’s acquisition and deployment. Designated stakeholders in IT, security, compliance, and legal will typically weigh in on whether to adopt a particular AI tool, and if so, what safeguards need to be in place to prevent accidental data leaks and other problems. The term “shadow AI” refers to the use of AI that hasn’t gone through this vetting process. A shadow AI instance may function without anyone in authority knowing it exists.

Why does shadow AI happen? While it’s certainly possible that employees will act irresponsibly and ignore policy, it’s more likely that shadow AI occurs by mistake. People may not be familiar with the policies. Or, and this is where real trouble can arise, they understand neither how AI works nor how the technology is embedded into the tools they are using.

Why Shadow AI is a Serious Source of Risk Exposure

To understand why shadow AI is problematic, it helps to have a grasp of the different types of AI software and how they work. A library full of books has been written on this topic, but briefly, AI is a field of computer science focused on developing software that can perform human-like reasoning, creativity, and task execution.

There are AI programs that analyze data and spot useful patterns, like social media sentiment. AI programs can examine texts, such as emails, and summarize them, e.g., Microsoft Copilot. Robotic process automation (RPA) leverages AI to complete business process workflows. GenAI can write text and software code, create art, and so forth.

This varied set of use cases aside, all AI programs have one thing in common: They work by ingesting data and “training” to perform their designated work, e.g., reading millions of emails to learn how to spot fraud. The necessity to ingest data is one of the main drivers of security risk in AI, especially when AI software is running in the shadows.

Shadow AI is a source of risk exposure across multiple zones, including:

  • Data breach/leakage, e.g., an AI program exfiltrating data to unauthorized parties.
  • Compliance challenges, e.g., AI sharing customers’ private information, in violation of consumer privacy laws.
  • Loss of intellectual property (IP), e.g., AI allowing unauthorized access to patent research or other IP.
  • Disruption of operations, e.g., AI causing confusion among employees by generating incorrect information for use in business process workflows.
  • Hallucinations, e.g., AI generating fictitious statements that might be confusing or offensive.
  • Fraud, e.g., an RPA software robot programmed to steal customer credit card numbers.

Shadow AI vs. Shadow IT and Shadow SaaS

Shadow AI is comparable to, but different from, shadow IT and shadow SaaS. Shadow IT and shadow SaaS involve employees acquiring software (usually SaaS) or hardware, like mobile devices, without consulting the IT department or security team. Some of the security risks are similar, such as storing confidential corporate information on an easily accessible cloud platform like Google Docs or Box.com.

One difference is that shadow AI has the potential to reach into data repositories without anyone knowing what’s happening. An AI program can also execute tasks that are hidden from view. For these reasons, shadow AI’s reach and potential for damage is greater than that of shadow IT or shadow SaaS.

Another critical distinction is that shadow AI may occur inside of everyday applications that people are already using. It’s in the shadows, but also in broad daylight! The software industry expects to add AI features to its products in the coming years. As a result, employees might use AI without even knowing it’s there.

Shadow AI vs. Rogue AI

Shadow AI and rogue AI are comparable, and overlap, to a certain extent. However, they are different problems. Rogue AI comprises AI software that performs differently from the way it’s been instructed. This could be by accident, such as with a misconfiguration, but also due to hacking. A malicious actor who can gain access to AI source code or an administrative panel could instruct the software to commit fraud, harvest sensitive data, or generate written content that causes problems for a business.

Mitigating Shadow AI Risks

What can you do about shadow AI? A multi-threaded set of countermeasures is the best approach. No single security tool can identify and mitigate shadow AI. Basic cyber hygiene and well-informed employees are a given. To get to a strong security posture with shadow AI, it’s best to deploy the following combination of security solutions, configured for the anti-shadow AI use case:

  • Data loss prevention (DLP) – which tracks data as it moves around and flags suspicious situations that indicate the presence of shadow AI.
  • Cloud access security broker (CASB) – which detects and blocks shadow SaaS by monitoring and analyzing cloud user traffic.
  • SaaS security data scanning – which identifies where SaaS apps have stored corporate data and flags suspicious instances that could be shadow AI.
  • SaaS security user and session monitoring – which flags suspicious software activity that indicates shadow AI at work.
  • SaaS security configuration monitoring, including third-party integration – which detects situations where a shadow AI application may be connecting with data sources that should be off limits.

Conclusion

Shadow AI is likely to be a widespread problem. It can occur by accident, with employees inadvertently allowing unauthorized AI software to tap into corporate data sources. Risks include data leakage, compliance violations, legal liability, and more. The trend of software companies embedding AI features into existing products will exacerbate the risk exposure. It is possible to mitigate the risk, however, using a multi-threaded approach that blends DLP, CASB, and different SaaS security methods, such as user and session monitoring. With this approach, it will be possible to reduce the potential impact of shadow AI on security, compliance, and operations.


Haviv Ohayon

Co-Founder & COO


Suridata Announces Strategic Partnership with World Wide Technology (WWT) to Enhance SaaS Security Solutions

New York, New York – August 5th, 2024 – Suridata, a leading innovator in SaaS security solutions, is thrilled to announce a strategic partnership with World Wide Technology (WWT), a global technology solutions provider. This collaboration aims to leverage the strengths of both companies to deliver cutting-edge SaaS security solutions that address the evolving challenges in the digital landscape.

Innovative Collaboration

The partnership between Suridata and WWT marks a significant milestone in the field of cybersecurity. Suridata’s advanced SaaS security technologies, combined with WWT’s extensive expertise in IT infrastructure and integration, will provide businesses with comprehensive, scalable, and robust SaaS security solutions.

Key Highlights of the Partnership

  • Enhanced Capabilities: Integrating Suridata’s SaaS security platform with WWT’s offerings to provide superior threat detection and response for SaaS applications.
  • Scalability and Integration: Leveraging WWT’s global infrastructure and integration services to ensure seamless deployment and scalability of Suridata’s SaaS security platform across various platforms.
  • Comprehensive Security: Offering end-to-end SaaS security solutions that protect businesses from emerging threats and vulnerabilities in the SaaS ecosystem.
  • Expert Support and Services: Providing expert consultation, implementation, and support services to help businesses optimize their SaaS security posture.

Leadership Quotes

“We are excited to partner with WWT to enhance the security of SaaS applications,” said Lee Kappon, co-founder & CEO of Suridata. “This partnership allows us to combine our cutting-edge security technology with WWT’s extensive expertise to deliver unparalleled security solutions to our clients.”

“WWT is proud to collaborate with Suridata in this innovative venture,” said Bob Olwig, EVP, Global Partner Alliances at WWT. “Together, we aim to provide our customers with the most advanced and reliable SaaS security solutions in the market.” For more information, visit: https://www.wwt.com/partner/suridata/overview


About Suridata

Suridata’s SaaS runtime security solution detects and prevents breaches originating from SaaS applications, safeguarding enterprises against exploitation of existing attack paths.

The extensive use of SaaS applications, APIs, and service accounts creates a complex SaaS network with thousands of interconnections. Suridata maps this network and the associated risks, connects the dots to understand the attacker’s perspective, and identifies active attack paths that can be exploited. With Suridata’s solution, security teams can break these attack paths and respond to critical risks effectively.


About World Wide Technology

Founded in 1990, World Wide Technology (WWT), a global technology solutions provider leading the AI and Digital Revolution, with $20 billion in annual revenue, combines the power of strategy, execution and partnership to accelerate digital transformational outcomes for large public and private organizations around the world. Through its Advanced Technology Center, a collaborative ecosystem of the world’s most advanced hardware and software solutions, WWT helps customers and partners conceptualize, test and validate innovative technology solutions for the best business outcomes and then deploys them at scale through its global warehousing, distribution and integration capabilities.

With nearly 10,000 employees and more than 55 locations around the world, WWT’s culture, built on a set of core values and established leadership philosophies, has been recognized 13 years in a row by Fortune and Great Place to Work® for its unique blend of determination, innovation and leadership focus on diversity and inclusion. With this culture at its foundation, WWT bridges the gap between business and technology to make a new world happen for its customers, partners and communities.


Suridata Media Inquiries:

Contact: Levona Simha, VP Marketing

Email: Levona@suridata.ai

Phone: +972-523536638

Website: www.suridata.ai


WWT Media Inquiries:

Contact: Rebecca Morrison, Manager, Corporate Communications

Email: communications@wwt.com

Website: https://www.wwt.com/


Levona Luna Simha

VP Marketing
