NIST Password Best Practices

Posted: March 27, 2024

When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create them with security in mind. The latest guidelines issued by the National Institute of Standards and Technology (NIST) give valuable insights into how to create more secure passwords.

What is the NIST?

The NIST Cybersecurity Framework (CSF) is a set of guidelines, best practices, standards, and recommendations designed to help organizations manage and improve their cybersecurity posture. It was developed by NIST, a non-regulatory agency of the United States Department of Commerce. Most Managed Service Providers adhere to the standards laid out by NIST to help keep businesses secure.

Here are the latest steps to take when building a secure password:

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack, and it even goes so far as to say that mandatory complexity rules (requiring numbers, symbols, and upper- and lower-case letters) can make passwords less secure.

The reasoning for this is that forced complexity leads users to create passwords they cannot remember, so when it comes time to replace a password, they make a predictable tweak such as appending a “1” or an exclamation point. This makes the new password easy to predict should the original password be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid security.

Instead of complexity requirements, NIST recommends enforcing a minimum length for passwords. This encourages the use of longer passphrases which are easier for users to remember and harder for attackers to crack.

No More Password Resets

Many organizations require their staff to periodically change their passwords, typically every month or every few months. The idea here is to preemptively change passwords on the off chance that the old ones have been compromised: an attacker who obtained the old password would then be locked out of the account, as the password has since been changed. While this has been an accepted best practice for some time, NIST recommends that it be retired, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they will use the same pattern to remember them. This means that passwords could potentially be compromised even if they have been changed, as a hacker could recognize the pattern and use it against the user.

Checking Against Commonly Used Passwords

NIST recommends checking proposed passwords against a list of commonly used or compromised passwords and rejecting those that match.
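The two acceptance rules described above (a minimum length instead of composition rules, and a check against a list of commonly used or compromised passwords) can be expressed as a single validation step. The following is an added example, not code from the original post: the blocklist is a small constructed sample standing in for a real breach corpus, and the length limits and the case-insensitive comparison are assumptions about policy.

```python
import unicodedata

# Constructed sample of a "commonly used / compromised" list. A real deployment
# loads a large breach corpus here instead of a handful of literals.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1",
    "password1", "correcthorsebatterystaple",
}

MIN_LENGTH = 8    # assumed policy value: minimum for user-chosen passwords
MAX_LENGTH = 64   # assumed policy value: long passphrases must be accepted


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal and the
    length check counts characters (code points), not UTF-8 bytes."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason).

    Enforces only a length window and a blocklist match: no composition rules
    (no required digits, symbols or mixed case), and spaces are allowed so
    passphrases work. context_words (e.g. the username) is an optional extra
    list of values to reject; this is an assumption added for illustration.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: need at least {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: at most {MAX_LENGTH} characters"
    # Compare case-insensitively so "Password" is caught by "password".
    lowered = pw.lower()
    if lowered in blocklist:
        return False, "appears in list of commonly used or compromised passwords"
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["short", "Password", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate))
```

Note that a plain "not too short" rule accepts "correct horse battery staple" (a long passphrase of lowercase words) while rejecting "Password", which meets typical complexity rules but sits on every attacker's list; that is exactly the trade-off the post describes.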

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way that administrators help out employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally builds her password around the name of her dog, for example, a hacker might find that name on her social media page and can then try variations of it until the password is guessed. So, in the interest of network security, it’s better to just forgo these hints. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, what you are essentially doing is giving hackers only a limited number of chances to get lucky. NIST suggests that most employees will fall into one of two categories when it comes to remembering passwords: either they will remember it, or they will keep it stored somewhere (hopefully in a password management system). Thus, since an employee is likely to do one or the other, a limit on password attempts will not noticeably impact them but will make all the difference against security threats.
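A per-account failed-attempt counter is the usual way to enforce such a limit. The code below is an added example, not the post's or NIST's own code; the threshold of ten failures and the fifteen-minute lockout window are assumed policy values, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 10   # assumed policy value
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window


class AttemptLimiter:
    """Track consecutive failed sign-in attempts per account and refuse further
    attempts once the limit is reached. The counter resets on a successful
    sign-in or when the lockout window expires."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout = lockout
        self.clock = clock          # injectable for testing; real code uses the monotonic clock
        self._failed = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the user gets a fresh budget.
            del self._locked_until[account]
            self._failed[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> int:
        self._failed[account] += 1
        if self._failed[account] >= self.max_failed:
            self._locked_until[account] = self.clock() + self.lockout
        return self._failed[account]

    def record_success(self, account: str) -> None:
        self._failed.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(limiter: AttemptLimiter, account: str, password: str, verify) -> str:
    """Gate a credential check behind the limiter. Returns 'locked', 'ok' or 'bad'.
    The limiter is consulted before verify() runs, so a locked account never
    causes a (deliberately slow) password-hash computation."""
    if limiter.is_locked(account):
        return "locked"
    if verify(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad"


if __name__ == "__main__":
    # Constructed credential store and a trivial verifier for the demo only.
    creds = {"sally": "correct horse battery staple"}
    lim = AttemptLimiter(max_failed=3, lockout=60)
    for pw in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(attempt_login(lim, "sally", pw, lambda a, p: creds.get(a) == p))
```

One caveat worth designing for: a hard lockout lets anyone who knows a username lock that user out by deliberately failing. Many deployments therefore combine a counter like this with increasing delays between attempts, or key the limit on source address as well as account, rather than relying on lockout alone.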

Implement Multifactor Authentication

NIST encourages the use of multifactor authentication, combining factors from different categories (something you know, something you have, something you are), for stronger authentication.

Secure Transmission and Storage

Passwords must be transmitted and stored securely, using appropriate encryption and hashing techniques.
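For the storage half of that requirement, the practical pattern is a salted, slow (iterated) password hash verified with a constant-time comparison, so that a stolen credential database cannot simply be read back. Below is an added example that is not part of the original post; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, salt size and record format are assumptions chosen for illustration. Transmission security (TLS between client and server) is not shown.

```python
import hashlib
import hmac
import os

# Assumed parameters. Raise ITERATIONS over time as hardware gets faster;
# the value is stored with each record so old hashes can be recognised and upgraded.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGO = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Derive a salted hash and return a self-describing record:
    algorithm$iterations$salt_hex$hash_hex. A fresh random salt per password
    means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=KEY_BYTES)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False   # malformed record: treat as a failed verification
    if algo != ALGO or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was produced with weaker parameters than current
    policy; call hash_password() again after a successful login to upgrade it."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Password1", record))                     # False
```

The record format is the point of the example: because the algorithm and iteration count travel with each hash, the policy can be tightened later and stale records upgraded transparently at the user's next successful login.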

These guidelines aim to provide a more flexible and user-friendly approach to password security while still maintaining a high level of protection. However, it's essential to check for updates or revisions to these guidelines on the official NIST website, or to work with a Managed IT Service Provider, as best practices in cybersecurity evolve over time.

Make password security a priority for your organization now so that you don’t have to worry about data breaches later on down the road. Digital Sky Solutions can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us.
