
How to deal with password complexity

The National Institute of Standards and Technology (NIST) is finalizing the latest revision of its Digital Identity Guidelines (SP 800-63-4), introducing new recommendations for password management that aim to improve security while reducing the burden on users. The updated guidelines encourage longer but easier-to-remember passwords and extend the password lifecycle by eliminating mandatory periodic resets. The goal is to create passwords that are both secure and user-friendly. However, while these changes represent progress, they still leave usability and security challenges.

The usability issues with longer passwords 

Although NIST's recommendations simplify password creation and management, they still leave users with difficulties:

  1. Password length
    To address memorization issues, NIST recommends simplifying password complexity rules. For instance, users are no longer required to include special characters, numbers, or mixed-case letters. While this makes passwords easier to remember, it also increases the risk of brute-force attacks. To mitigate this, NIST suggests increasing password length to between 15 and 24 characters, encouraging users to create passwords that are easy to remember yet unique across different accounts.
  2. Password strength
    According to NIST, password strength depends on both length and complexity. While the guidelines reduce complexity requirements (e.g., removing the need for special characters), passwords must still be non-trivial: they are checked against lists of compromised passwords and must avoid simple dictionary words and context-specific words such as the username or service name. This means users must still create strong, unique passwords to pass these verification steps.
  3. Password fatigue 
    NIST also seeks to reduce "password fatigue" by no longer requiring periodic password changes. Instead, a reset is recommended only after a known compromise of the account or of the authentication service. However, in a world where users manage many accounts, the need to remember numerous distinct passwords remains a challenge.
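The checks described in items 1 and 2 above, as an added example (not code from the article or from NIST): a verifier that enforces a 15-character floor instead of character-class rules, rejects compromised and dictionary passwords, and rejects context-specific values. The blocklist and word list are constructed samples; `entropy_bits` reproduces the 15 × log2(64) = 90-bit figure used later in the article.

```python
import math
import unicodedata

# Constructed sample lists for illustration only; a real verifier loads a
# large breach corpus and a full word list instead of these few entries.
COMPROMISED = {"password", "123456789012345", "correcthorsebatterystaple",
               "letmeinletmeinletmein"}
DICTIONARY = {"password", "sunshine", "welcome", "administrator"}

MIN_LEN = 15  # length floor the article cites, in place of composition rules
MAX_LEN = 64  # accept at least this many characters and never truncate

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)

def _is_repetitive_or_sequential(pw: str) -> bool:
    """Catch 'aaaaaaaaaaaaaaaa' and 'abcdefghijklmnop' style strings."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})

def check_password(candidate: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Applies the checks the article describes: a length floor instead of
    character-class rules, a compromised-password blocklist, no single
    dictionary word, no context-specific values (username, service name),
    and no repetitive or sequential strings.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # compare a stable form
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if lowered in COMPROMISED:
        reasons.append("appears on the compromised-password list")
    if lowered in DICTIONARY:
        reasons.append("is a single dictionary word")
    for item in context:
        if len(item) >= 4 and item.lower() in lowered:
            reasons.append(f"contains context-specific value {item!r}")
    if _is_repetitive_or_sequential(pw):
        reasons.append("is a repetitive or sequential string")
    return reasons
```

Note that a short password packed with symbols, such as `Tr0ub4dor&3`, fails only on length: under these rules complexity no longer substitutes for length.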


Why are passwords still widely used as a single authentication factor?

Despite NIST's guidelines recommending multi-factor authentication (MFA), passwords are still widely used as a single authentication factor. This is mainly because passwords are simple, cost-effective, and universally understood, making them easy to implement across different systems and platforms. Although stronger authentication methods such as cryptographic keys provide higher security, they often require additional infrastructure, cost, or user training, which is hard to adopt at scale.

Is there an alternative to passwords with similar benefits?

Passwords are easy to adopt because they are based on a "something the user knows" authentication factor. However, NIST's new guidelines highlight that passwords carry an inherent conflict between security and usability requirements, raising an important question: is there an alternative to passwords? This is where Secrets Vault steps in, offering an alternative "something the user knows" factor: rather than relying on complex or lengthy passwords, Secrets Vault uses familiar images as "visual passcodes" to authenticate users securely. This approach is made possible by the visual cryptography and secret-sharing techniques implemented in the Secrets Vault solution.

Here’s how Secrets Vault addresses NIST’s usability challenges: 

  1. Memory-friendly security
    Instead of remembering long combinations of letters or words, users rely on a familiar image to retrieve their credentials. Images are naturally easier to remember, enhancing security without adding complexity. They also suit sporadic authentication use cases, such as password recovery codes, which are easy to forget over time.
  2. Enhanced security strength
    Cryptographically, security strength can be measured in terms of entropy (randomness). Passwords are limited by their length; for instance, a 15-character password drawn from 64 possible symbols reaches 90 bits of entropy (15 × log2 64). An image of 200×200 pixels, by contrast, can achieve over 40,000 bits of entropy, far surpassing typical passwords and meeting NIST's 128- to 256-bit entropy recommendations without added complexity.
  3. Reduced password fatigue
    Secrets Vault's cryptographic scheme does not alter the image used for authentication, so users can reuse the same image for secure access without managing multiple versions of it. A second factor, such as a PIN or pattern, can complement the image across different platforms, ensuring each one has unique authentication credentials.


Images as an alternative to passwords

While NIST's updated guidelines improve password usability, they still impose security strength requirements that create challenges for users. Using images as an alternative to passwords offers a solution that is easier to remember, inherently secure, and future-proof, achieving NIST's security goals in a user-friendly way.