Press Release


 ISACA: New NIST Password Guidance Provides Important Updates, But Survey Shows It Will Take Time to Implement 

Rolling Meadows, IL, USA (31 August 2017) – New computing password guidance from National Institute of Standards and Technology (NIST) will make for more secure and easier-to-remember passwords, but ISACA research shows it will take time to raise awareness and implement, particularly in mainframe environments.

NIST announced new password and multifactor authentication guidance in June, amending prior guidance and including different approaches for password management, complexity, length and other parameters. The guidance challenges conventional wisdom that more complex and frequently reset passwords are more robust and resilient than alternative password characteristics, such as a sentence or phrase.

Global business technology association ISACA conducted a pulse poll in response to this fundamental shift in how NIST recommends passwords be secured and learned more about what practitioners are saying about the changes. More than half of respondents (54%) had not yet seen the recently released NIST password guidance, and the majority were not yet certain on their enterprises’ timetables for implementation.

“This survey was conducted shortly after the guidance was announced, so we expect the numbers to shift dramatically as more organizations become aware of and commit to these important recommendations,” said Rob Clyde, CISM, vice-chair of ISACA’s board of directors and managing director of Clyde Consulting LLC. “ISACA recommends that security and assurance professionals review these new guidelines and make appropriate updates to their password policies and audit requirements. Updates like this highlight the importance of ensuring that enterprises have a process for implementing new security policies and audit requirements, both regularly and as warranted by special circumstances such as this new NIST guidance.”

“This update is the result of a year-long public/private development effort,” said Paul Grassi, Senior Standards and Technology Advisor at NIST. “We are extremely excited that innovation in the marketplace allowed us to comfortably require multifactor authentication for a range of federal systems, especially those that make personal data available.”

On the subject of password creation, Grassi said that NIST had a great deal of data revealing that users did predictable things when asked to include special characters and other composition rules, and incorporated this data into the guidance.

“While we retained the original cryptographic integrity of our password requirements, we adjusted the rules to account for end-user habits and to make passwords easier to remember, but harder for adversaries to break,” he said.

ISACA’s poll also looked at password updates as it relates to the mainframe environment. While security controls are comparable in rigor to other environments, data stored in and business based on mainframes are of both higher criticality and sensitivity relative to other environments. Personnel employed to perform mainframe audits receive only moderate training in technical mainframe skills, with only 21% of poll respondents indicating auditors in their environment receive mainframe-specific technical training at least annually.

“ISACA commits to helping practitioners and their organizations understand more about this promising guidance, and how to implement it practically and effectively,” said Clyde.

One such piece of guidance is Clyde’s ISACA Now blog post. View full survey analysis.

Survey Methodology

ISACA compiled data from 1,426 responses to the online pulse poll conducted 9-13 August 2017. Participants were audit and security professionals in organizations with at least 5,000 employees. Survey respondents were contacted via email; the survey instrument was open for just over four days, with a margin of error of 2.4 percentage points. 



Nearing its 50th year, ISACA ( is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.




Michelle Micor, +1 .847. 385.7217,
Kristen Kessinger, +1.847.660.5512,