NIST Password Guidelines: The New Requirements You Need to Know

What does it take to create a secure password? How can you ensure that your users and employees are creating passwords that will protect their confidential data, keep communications secure, and prevent cyberattacks from damaging your bottom line? The National Institute of Standards and Technology (NIST) takes its study of passwords seriously, and regularly updates its guidelines for best practices in password creation and implementation. Read on to learn more about NIST password guidelines and why NIST standards are important for your company. 

What Is a NIST Password?

A NIST password is a password that meets the requirements set out in the National Institute of Standards and Technology's Digital Identity Guidelines (Special Publication 800-63B). Passwords that comply with NIST password guidelines are hard to guess and easy to use. NIST regularly studies and updates its guidance on password creation, storage, and use. 

What Are the NIST Password Guideline Standards? 

Originally published in June 2017 and updated with errata in 2020, the NIST password guidelines are laid out in NIST Special Publication 800-63B, which is part of NIST's Digital Identity Guidelines. NIST focuses not only on the qualities of the password but on the behaviors of the people who create them, and offers recommendations for how to create, authenticate, implement, store, and update passwords over time. Here's a synopsis: 

1. Enable Show Password  

SP 800-63B says the verifier SHOULD offer an option to display the password as it is typed, rather than only a row of dots or asterisks. It's unlikely that the person behind you is recording your keystrokes, while masking makes typos far more likely: users mistype, conclude they have forgotten the password, and fall into the reset flow, which is itself an attack surface and is often weaker than the login it replaces. Offer the toggle rather than forcing it, so users on a shared screen can keep the mask. 

2. Use a Password Manager

NIST does not mandate a particular product, but SP 800-63B says verifiers SHOULD permit paste in password fields specifically to facilitate password managers, because a manager generates a long random password for each site and removes the temptation to reuse or simplify. Even if you're only securing your own servers, giving employees and stakeholders an approved password manager reduces the human error that produces weak, reused passwords. (A manager keeps the user's passwords in an encrypted vault; it does not "encrypt" the passwords your server stores, which must still be hashed as described in the next item.) 

3. Store Securely 

NIST requires that the verifier never keep the password itself: the plaintext is used once to compute a stored verifier and is then discarded. Specifically, SP 800-63B Section 5.1.1.2 says stored passwords SHALL be salted and hashed with a suitable one-way key derivation function (PBKDF2 is named as an example; a memory-hard function SHOULD be used, and in practice scrypt or Argon2id are common choices) with a work factor as high as the verification server can tolerate, and SHOULD additionally be run through a keyed hash with a secret known only to the verifier (a "pepper"). NIST defines a hash as "a function that maps a bit string of arbitrary length to a fixed-length bit string." Storing only salted, slow hashes means a stolen database does not hand the attacker your users' passwords; it hands them a list of hashes that must be cracked one guess at a time, which buys you time to detect the breach and force resets. A fast general-purpose hash such as plain SHA-256 does not qualify: it is cheap enough that attackers can test billions of guesses per second. Salting mixes a random value of at least 32 bits into each password before hashing, so two people with the same password (say, a default password) get two distinct hashes, and a precomputed table of hashes cannot be reused across accounts. 
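The storage rule above, as an added Python example (not code from the page or from NIST): a random per-user salt, PBKDF2-HMAC-SHA256 with a high iteration count, a keyed-hash "pepper" step, and a constant-time comparison on verification. The pepper value is a constructed stand-in for this demo; the scheme name, record format and function names are this example's own choices. It runs with the standard library only.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

# Parameters chosen to satisfy SP 800-63B 5.1.1.2: a random salt of at least
# 32 bits (128 here), PBKDF2 (named by NIST as a suitable KDF) with an
# iteration count far above the 10,000 floor, and one extra keyed hash with a
# secret known only to the verifier (a "pepper").
SCHEME = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed example pepper for this demo. In production it comes from a
# secrets manager or HSM and is never stored in the database with the hashes.
PEPPER = bytes.fromhex(
    "1f8ac10f23c5b5bc1167bda84b833e5c057a77d2d8b17ee6fa0a9f7bd8e1b8fa"
)


def _derive(password, salt, iterations, pepper):
    """Salted PBKDF2-HMAC-SHA256 followed by one HMAC with the pepper."""
    # NFKC normalization (recommended by 800-63B) so the same passphrase typed
    # on different platforms produces the same bytes before hashing.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    return hmac.new(pepper, dk, hashlib.sha256).digest()


def hash_password(password, pepper=PEPPER):
    """Return the record to store. The plaintext never leaves this function."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS, pepper)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join((SCHEME, str(ITERATIONS), b64(salt), b64(digest)))


def verify_password(password, record, pepper=PEPPER):
    """Recompute from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, int(iterations), pepper)
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True if a record was made with a lower cost than the current policy,
    so it should be re-hashed on the user's next successful login."""
    try:
        scheme, iterations, _salt, _digest = record.split("$")
        return scheme != SCHEME or int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    # Two accounts that share a default password get unrelated records.
    a, b = hash_password("Welcome1"), hash_password("Welcome1")
    print(a)
    print(b)
    print("same record?", a == b, "| verify a:", verify_password("Welcome1", a))
```

The record is self-describing (scheme and cost factor travel with the hash), which is what lets `needs_rehash` raise the work factor over time without a mass reset: re-hash when the user next logs in and the plaintext is briefly available.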

4. Lock After Multiple Attempts

NIST requires throttling of failed attempts. Per Section 5.2.2 of SP 800-63B ("Rate Limiting (Throttling)"), the verifier (that's you) SHALL limit consecutive failed authentication attempts on a single account to no more than 100. Most good implementations act well before that ceiling, adding increasing delays between attempts (exponential backoff) or requiring a CAPTCHA after a few failures; NIST lists both as acceptable techniques. The limit applies to consecutive failures per account, so a successful login resets the counter, and a hard lock at the ceiling should lead to a recovery path rather than a permanent denial of service against the legitimate user. 
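One way to implement that throttle, as an added example that is not the page's or NIST's code: a per-account counter of consecutive failures, exponential backoff that starts well before the ceiling, and a hard lock at 100. The constants, class and method names are this example's own; the clock is injectable so the behaviour can be exercised without waiting.

```python
import math
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 100   # hard ceiling from SP 800-63B 5.2.2
BACKOFF_AFTER = 5                # start delaying well before the ceiling
BACKOFF_BASE_SECONDS = 1.0       # 1s, 2s, 4s, ... for each further failure
BACKOFF_CAP_SECONDS = 15 * 60


@dataclass
class _AccountState:
    failures: int = 0        # consecutive failures; cleared on success
    not_before: float = 0.0  # earliest clock time the next attempt is accepted


class LoginThrottle:
    """Per-account consecutive-failure counter with exponential backoff
    and a hard lockout at the NIST ceiling."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable for testing
        self._state = {}

    def retry_after(self, account):
        """Seconds to wait before the next attempt (0.0 = now, inf = locked)."""
        st = self._state.get(account)
        if st is None:
            return 0.0
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            return math.inf
        return max(0.0, st.not_before - self._clock())

    def record_failure(self, account):
        st = self._state.setdefault(account, _AccountState())
        st.failures += 1
        if st.failures >= BACKOFF_AFTER:
            delay = min(BACKOFF_BASE_SECONDS * 2 ** (st.failures - BACKOFF_AFTER),
                        BACKOFF_CAP_SECONDS)
            st.not_before = self._clock() + delay

    def record_success(self, account):
        # A correct password ends the run of consecutive failures.
        self._state.pop(account, None)

    def login(self, account, password, verify):
        """Gate verify(account, password) behind the throttle.

        Returns "ok", "bad-credentials", "throttled" or "locked". The throttle
        is checked before the (expensive) password check so a flood of guesses
        against one account cannot burn KDF time on the server. A "locked"
        account needs an out-of-band recovery step to clear the state.
        """
        wait = self.retry_after(account)
        if wait == math.inf:
            return "locked"
        if wait > 0:
            return "throttled"
        if verify(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "bad-credentials"
```

Note that a throttled attempt is refused even when the password is correct; that is deliberate, otherwise the attacker learns which guess was right by watching which one is accepted during the delay window.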

5. Employ Two-Factor Authentication 

Two-factor or multi-factor authentication requires a second proof in addition to the password: something the user has (an authenticator app generating one-time codes, a hardware security key, or an approval prompt on an enrolled device) or something they are (a fingerprint or face scan, which NIST permits only in combination with a physical authenticator). Be careful with the channels that are commonly used as the second factor: SP 800-63B does not recognize email as an authenticator at all, and codes sent by SMS or voice call are designated "restricted" because phone numbers can be ported or intercepted, so they should be a fallback rather than the default. 

How Often Should You Change Your NIST Password?

Contrary to popular belief and prior standards, NIST advises against forcing password changes on a schedule: SP 800-63B says verifiers SHOULD NOT require passwords to be changed arbitrarily (for example, periodically), and SHALL force a change when there is evidence the password has been compromised. The reason is behavioral: individuals who are asked to change passwords frequently tend to keep the old password and merely append or increment a number, letter, or special character, and attackers who know the old password can predict those minor changes. If you have a data breach or you know a password has been compromised, change it immediately; otherwise NIST does not ask you to rotate it at all. Organizations that keep an annual cycle for other compliance regimes are doing more than NIST requires, not less. 

What Are the New NIST Password Requirements? 

NIST SP 800-63B was originally released in June 2017, received an errata update in 2020, and continues to be revised. The guidance that surprises most people was already in the 2017 edition: focus on password length rather than complexity rules, make sure stored passwords are salted and hashed with a slow key derivation function, don't force periodic resets, and screen every new or changed password against lists of common and compromised passwords. 

1. Don't require periodic password resets

You're likely familiar with the idea that updating a password makes it harder to predict and crack. But when we look at how people actually update their passwords, they usually make minimal changes to the old one, because familiar passwords are easier to remember. Many change a single character or append a number or letter just to get past the update prompt. The result is a new password that is easy to predict for anyone who knows the old one, which is exactly the situation after a breach. 

2. Don’t focus on password complexity

New NIST password guidelines say to focus on length rather than complexity. SP 800-63B says verifiers SHOULD NOT impose composition rules (required mixtures of upper case, lower case, digits, and special characters). Paradoxically, composition rules can make passwords easier to guess, and this mostly has to do with user behavior: people satisfy the rules in predictable ways (a capital first letter, a "1" or "!" at the end), and complex passwords are harder to remember, so users write them down or vary a base password minimally, which makes them easier prey for attackers who model those habits. NIST requires a minimum of 8 characters for user-chosen passwords (6 for passwords generated randomly by the service); length is what actually grows the guessing space. 

3. Screen New Passwords Against Compromised Lists

Some passwords are compromised before they are ever chosen. SP 800-63B requires that when a password is set or changed, the verifier compare it against a list of values known to be commonly used, expected, or compromised, and reject it if it matches. NIST says that list SHALL include passwords from previous breach corpora, dictionary words, repetitive or sequential strings such as "aaaaaa" and "1234abcd", and context-specific words such as the name of the service, the username, and derivatives of them. Sequential strings like "123456" and common words like "password" are only the start; breach corpora contain hundreds of millions of real passwords that people still reuse. NIST does not mandate a daily sweep, but refreshing your blocklist as new breach data is published is sensible, since a password that was acceptable when it was created may appear in a later dump.

What Are the NIST Password Recommendations?

NIST has a few recommendations that aren't strict requirements but are best practices, because they ease the user's burden and reduce the chance that workaround behavior makes you easy prey for a cyberattack:

1. Accept long passwords: verifiers SHOULD permit at least 64 characters. (64 is the floor for your maximum, not a cap to impose.)
2. Don't require special characters or any other composition rule.
3. Allow copy-and-paste in password fields, so password managers work and users aren't pushed toward short, typeable passwords.
4. Accept all printable ASCII characters including space, and Unicode characters including emoji, counting each code point as one character and normalizing (NFKC or NFKD) before hashing so the same password entered on different devices matches.
5. Make it easy for users to adopt a secure password manager.

What Are NIST Guidelines for Compromised Passwords?

As discussed above, NIST requires that a password be changed as soon as there is evidence it has been compromised, and that every new or changed password be screened against lists of known-bad values. Your IT team can use the same resources attackers use: the wordlists and breach dumps that feed dictionary attacks, and the mangling rules attackers apply to them (appending a year, swapping letters for digits). Attackers also use precomputed hash tables against unsalted hashes, which is one more reason salting matters. Run those lists against candidate passwords at creation time and you filter out compromised (or trivially guessable) passwords before an attacker gets the chance. Services that let you query a breach corpus by a short hash prefix, so the password itself never leaves your system, make this practical at scale. 
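The screening described here and in "Screen New Passwords Against Compromised Lists" above, as one added Python example (not code from the page or from NIST): it enforces the 8-character minimum by counting Unicode code points after NFKC normalization, rejects repetitive or sequential runs, rejects passwords derived from the username or service name (including simple leetspeak), and checks a breach corpus by SHA-1 prefix in the k-anonymity style used by breach-checking services. The `KNOWN_BAD` list is a constructed stand-in for a real breach corpus; the function names, reason codes and the 4-character run heuristic are this example's own choices.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8     # SP 800-63B: user-chosen passwords SHALL be at least 8 code points
MAX_LENGTH = 128   # NIST: accept at least 64; cap well above that to bound hashing cost

# Constructed stand-in for a breach corpus / common-password dictionary.
# A real deployment loads a leaked-password list or queries a range API.
KNOWN_BAD = ["password", "password1", "123456", "qwerty", "welcome1",
             "letmein", "iloveyou", "summer2021", "admin123"]


def _sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Index keyed by the first five hex digits of SHA-1, mirroring the k-anonymity
# "range" lookup: only the prefix is sent to the lookup, so the full hash (and
# the password) never leaves the caller.
_RANGE_INDEX = {}
for _entry in KNOWN_BAD:
    _h = _sha1_hex(_entry)
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def breach_range(prefix):
    """Suffixes of every known-bad hash sharing this 5-character prefix."""
    return _RANGE_INDEX.get(prefix.upper(), set())


def is_known_bad(password):
    # Check the password as typed and case-folded, since corpora are often lowercase.
    for candidate in {password, password.casefold()}:
        h = _sha1_hex(candidate)
        if h[5:] in breach_range(h[:5]):
            return True
    return False


def has_trivial_run(s, length=4):
    """True if `length` consecutive code points repeat ("aaaa") or step
    by exactly one ("1234", "dcba"), as in NIST's "aaaaaa" / "1234abcd"."""
    run = 1
    for i in range(1, len(s)):
        d = ord(s[i]) - ord(s[i - 1])
        if d in (-1, 0, 1) and i >= 2 and d == ord(s[i - 1]) - ord(s[i - 2]):
            run += 1
        elif d in (-1, 0, 1):
            run = 2
        else:
            run = 1
        if run >= length:
            return True
    return False


# Minimal leetspeak undo so "Ex4mpleC0rp!" is recognised as "examplecorp".
_LEET = str.maketrans("0134578@$", "oieastbas")


def context_tokens(username, service):
    """Username, service name and simple derivatives (local part of an
    email address, pieces split on separators), case-folded, 4+ chars."""
    tokens = set()
    for raw in (username, service):
        raw = (raw or "").casefold()
        for sep in "@.-_ ":
            raw = raw.replace(sep, " ")
        for tok in [raw.replace(" ", "")] + raw.split():
            if len(tok) >= 4:
                tokens.add(tok)
    return tokens


def check_password(password, username, service=""):
    """Return the reasons a candidate password must be rejected; [] = acceptable."""
    pw = unicodedata.normalize("NFKC", password)  # count/compare code points, per 800-63B
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too-short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too-long")
    if has_trivial_run(pw):
        reasons.append("repetitive-or-sequential")
    folded = pw.casefold()
    deleeted = folded.translate(_LEET)
    if any(tok in folded or tok in deleeted for tok in context_tokens(username, service)):
        reasons.append("context-specific")
    if is_known_bad(pw):
        reasons.append("known-or-breached")
    return reasons


if __name__ == "__main__":
    for candidate in ["Welcome1", "1234abcd", "Ex4mpleC0rp!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, "alice", "ExampleCorp") or "accepted")
```

Returning all applicable reasons rather than the first one lets the UI tell the user exactly what to change; the run-length heuristic is deliberately strict and can be tuned (or limited to the whole string) if it rejects too many otherwise good passphrases.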

NIST Password Takeaways 

NIST password guidelines are revised as the threat landscape changes, and they are the reference standard for protecting your company's sensitive information and building a strong information security program. To ensure that you stay compliant, that your staff and stakeholders understand effective password creation, that you have systems in place to detect compromised passwords, and that your servers are guarded against attack, you may want to automate the process. AuditBoard's compliance management software will help you navigate the changing NIST requirements so your organization can stay in compliance.