Contrary to popular belief and prior standards, NIST does not suggest changing passwords on a frequent basis; individuals who are asked to change passwords frequently are much more likely to keep an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. If you have a data breach or you know your password has been compromised, then it is time for a password change; otherwise, an annual password reset is enough.
NIST 800-63 was originally released in 2017, but it has gone through various iterations and is constantly being revised. As of 2021, NIST has added suggestions that users focus on password length over complexity, with an emphasis on ensuring passwords are adequately hashed and salted. Additionally, organizations should not require their employees to reset their password more than once per year, and they should monitor new passwords on a daily basis, testing them against lists of common and compromised passwords.
You’re likely familiar with the idea that updating one’s password will make it less likely to be predicted and cracked. However, when we look at how people actually update their passwords, they often make simple changes to old passwords — familiar passwords are easier to remember, after all. Many people merely change one character, or add a number or letter to their existing password, just to get through an update. Ultimately, these updates make a password less secure and much easier to predict if the old password is known to a hacker.
New NIST password guidelines say you should focus on length, as opposed to complexity, when designing a password. Paradoxically, using complex passwords (adding special characters, capitalization, and numbers) may make your password easier to crack, and this mostly has to do with user behavior. Complex passwords are harder to remember, which means users may need to update their passwords more often, making minor changes, which makes them easier prey for cyber attacks. NIST requires an 8-character minimum for passwords.
Some passwords are compromised even before they are created; ensure that new passwords are not just strong, long, and complex, but they are not on lists of commonly used, easily compromised passwords — sequential strings like “123456” and common words like “password” aren’t the only commonly compromised passwords.
NIST has a few recommendations that aren’t strict requirements, but definitely count as best practices, because they ease user burden and reduce the chance that human error will make you easy prey for a cyberattack: 1) set the maximum password length to 64 characters, 2) don’t require users to include special characters in their passwords, 3) allow copy-and-paste in your password fields, because this reduces the time needed for multi-factor authentication and allows password managers to work, 4) allow emojis, ASCII, and Unicode characters in passwords, 5) use a secure password manager.
As discussed above, NIST suggests you change passwords as soon as you know they are compromised; moreover, your organization should be screening new passwords daily against lists of previously compromised data. Here your IT team can use the same tools that hackers use, but to work out how to prevent cybersecurity breaches rather than cause them. Hackers regularly use dictionaries, lists of commonly used passwords, and hash tables to find patterns across your company’s user data. You can use the same resources to filter out compromised (or easily compromisable) passwords before hackers get the chance.
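The checks described above, pulled together into one small validator as an added example (not code from NIST or from AuditBoard): a length-only rule with the 8-character minimum and 64-character maximum, no special-character requirement, Unicode and emoji counted as ordinary characters, a screen against a compromised-password list, a check that a reset is not just the old password with a character appended or changed, and salted hashing for storage. The blocklist is a constructed stand-in for a real breach corpus, and the NFKC normalization and the lower-case comparison are my assumptions, not something the article states.

```python
import hashlib
import os
import unicodedata
from typing import List, Optional, Tuple

# Constructed sample of a compromised-password list; a real deployment would
# load a full breach corpus here and refresh it daily, as the article advises.
COMPROMISED = {"123456", "password", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8   # NIST minimum for user-chosen passwords
MAX_LEN = 64  # accept passwords at least this long


def normalize(pw: str) -> str:
    # Assumed: NFKC so the same character typed two ways compares equal.
    return unicodedata.normalize("NFKC", pw)


def is_trivial_update(old: str, new: str) -> bool:
    """True when 'new' is 'old' with up to two characters appended/removed,
    or with a single character changed: the reuse pattern the article warns about."""
    old, new = normalize(old).lower(), normalize(new).lower()
    if old == new:
        return True
    shorter, longer = sorted((old, new), key=len)
    if longer.startswith(shorter) and len(longer) - len(shorter) <= 2:
        return True
    if len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 1:
        return True
    return False


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.
    There is deliberately no composition rule (no required symbols or digits)."""
    pw = normalize(new)
    problems = []
    n = len(pw)  # code points, so emoji and other Unicode count as characters
    if n < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in COMPROMISED:
        problems.append("appears on the compromised-password list")
    if old is not None and is_trivial_update(old, pw):
        problems.append("trivial variation of the previous password")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(pw).encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest
```

Running the same check on every reset, with the previous password available only at that moment, is what turns the "append a digit" habit into a rejected reset instead of a predictable credential.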
NIST password guidelines are updated regularly to keep pace with the ever-changing cyber landscape, and they are the gold standard for securing your company’s sensitive information and creating a strong information security program. To ensure that you are compliant, that your staff and stakeholders understand effective password creation, that you have systems in place to detect compromised passwords, and that your servers are guarded against attack, you might want to automate the process. AuditBoard’s compliance management software will help you navigate the changing NIST requirements so your organization stays in compliance.