NIST-recommended guidelines for passwords

Weak passwords and bad password management habits continue to be significant cybersecurity threats, jeopardizing the integrity of critical data and systems. Recognizing this risk, the National Institute of Standards and Technology (NIST) developed standards and best practices for password creation and management. By following the NIST guidelines, users can significantly improve password strength and cybersecurity.

What is NIST?

NIST is a US government agency that develops metrics, measurements, and regulations (such as the Federal Information Processing Standard) to bolster the reliability and security of new technologies, including information technology. As such, federal agencies are mandated to follow NIST standards when handling sensitive data.

Though private organizations are not required to meet these standards, NIST’s recommendations are still a valuable rubric to evaluate the security of their own systems. Furthermore, because NIST guidelines are internationally recognized, you can foster trust in your organization by adopting them.

NIST recommendations

The last significant update to the NIST’s password guidelines was published in 2020 as part of NIST Special Publication 800-63B, with very few notable changes since. While the document itself is quite dense in its language and phrasing, its recommendations regarding passwords can be broken down into the following:

Favor length over complexity
NIST’s current guidelines prioritize password length over intricate character combinations as had been suggested in previous NIST publications. Now, their standards require user-created passwords to be at least eight characters long, while program-generated ones (such as with a password generator and keeper application) can be at minimum six characters long. The maximum length in either case is 64 characters.

All printable characters are allowed, including spaces, allowing the use of unique phrases. Furthermore, NIST strongly advises against the use of sequential numbers (such as “1234”) or repeated characters (such as “aaaa”) as these are heavily used and easily predicted.

Avoid commonly used passwords
To prevent cyberattacks, companies should actively discourage commonly used, compromised, or repeated passwords. Even strong, self-generated passwords can be risky if not checked against known breaches. Moreover, reusing credentials across accounts allows attackers to exploit a single breach for wider access.

Consider integrating software and tools that notify users when they create weak passwords or when weak passwords are generated for them. Additionally, companies should alert employees if their chosen password appears in a data breach and urge them to create a new one.

Abandon password hints
To enhance security, your organization’s password policy should eliminate password hints and knowledge-based authentication (KBA) questions such as “favorite movie” or “pet’s name.” In either case, such information can be easily obtained through social engineering tactics or simple surveillance of an employee’s social media accounts. Instead, you should leverage password reset and recovery processes that utilize multifactor authentication (MFA).

Implement MFA
As referenced above, you can strengthen your online security posture with MFA. This security solution adds a critical second layer of defense, mitigating unauthorized access even if your password is compromised. By requiring an additional verification factor, such as a temporary code sent to your mobile device or biometric verification, MFA makes it exponentially more difficult for cybercriminals to hack their way into your accounts.

Yearly password changes
Contrary to their stance prior to the 2020 publication, NIST now recommends only annual resets to maintain security rather than more frequent password changes. While the multiple-times-per-year practice seems intuitive, it can backfire because hackers can often predict minor variations used in frequent password updates. Instead, NIST suggests that you focus on creating strong, unique passwords and prioritize immediate changes only if a breach is suspected.

Place limits on password attempts
To thwart brute force attacks, NIST recommends limiting login attempts. Brute force attacks involve hackers systematically guessing password combinations, so by restricting attempts, you make it significantly harder for them to crack your password and gain unauthorized access.

Speak with one of our experts to learn more about password security and other ways you can safeguard your critical systems.

Facebook
Pinterest
Twitter
LinkedIn

Newsletter

Signup our newsletter to get update information, news, insight or promotions.