NIST Password Guidelines

Posted: August 23, 2024

Passwords have always mattered to businesses, but many businesses still do not take password management and security seriously. In this blog post, we outline the new password recommendations and standards from the United States’ National Institute of Standards and Technology (NIST).

NIST provides guidelines for password security in its Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. The key points of NIST’s latest password standards (as of 2020) include the following:

1. Password Length:

  • Minimum password length should be 8 characters.
  • Maximum password length should allow at least 64 characters.
  • Users should be allowed to use all special characters (spaces included) and be able to create passphrases.

2. Complexity:

  • NIST recommends avoiding mandatory complexity rules like requiring a mix of uppercase, lowercase, digits, and special characters. This is because it often leads to weaker passwords as users tend to choose simpler patterns.

3. Password Hints and Knowledge-based Authentication (KBA):

  • Password hints should be eliminated because they make guessing the password easier for attackers.
  • Avoid knowledge-based authentication (e.g., security questions) since many answers can be guessed or easily found online.

4. Password Blacklisting:

  • Use of common passwords like "123456" or "password" should be blocked.
  • Also, block passwords that have been exposed in previous data breaches (via a password blacklist).

5. Password Expiration:

  • NIST discourages the use of password expiration policies that require periodic password changes unless there is evidence of a compromise.
  • Encourage password changes only if the user suspects or knows of a breach.

6. Password Storage:

  • Passwords must be stored using salted hashing techniques. Plaintext storage of passwords is not allowed.
  • PBKDF2, bcrypt, or scrypt are recommended for password hashing.

7. Rate Limiting:

  • Limit the number of failed login attempts to prevent brute-force attacks.
  • Implement additional safeguards like CAPTCHA after multiple failed attempts.

8. Multi-Factor Authentication (MFA):

  • NIST strongly recommends the use of Multi-Factor Authentication (MFA) as a secondary authentication method, especially for sensitive systems. MFA involves requiring users to authenticate using two or more factors or methods. One factor of authentication in this model can be a secret or password — something you know. Adding another factor, like a code received through SMS on your phone or using a TOTP authenticator app — something you have — reduces the risk that a password breach alone would compromise the business or a user’s account.

9. Use a Password Manager for Increased Password Strength:

NIST suggests that companies use a password manager to help their employees and stakeholders generate strong passwords and store them encrypted.
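As an added illustration (not code from the original post), the following Python sketch applies the length, blocklist, salted-hash storage and failed-attempt limiting points above. The blocklist contents, the 600,000 PBKDF2 iteration count and the 10-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real blocklist; in practice load a corpus of
# common and breached passwords instead of these few entries.
BLOCKLIST = {"123456", "password", "qwerty", "letmein", "password1"}

MIN_LENGTH = 8       # NIST minimum length
MAX_LENGTH = 64      # must accept at least this many characters
MAX_FAILED_ATTEMPTS = 10  # assumed lockout threshold for the example


def check_password(candidate: str) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable.
    Deliberately no composition rules: spaces, Unicode and long passphrases
    are all allowed, as NIST recommends."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive so "Password" does not slip past the "password" entry.
    if candidate.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of common/breached passwords")
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing storage string."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


_failed: dict[str, int] = {}  # per-account failed-login counter


def record_attempt(account: str, success: bool) -> bool:
    """Track failed logins; returns False once the account has hit the limit."""
    if success:
        _failed.pop(account, None)
        return True
    _failed[account] = _failed.get(account, 0) + 1
    return _failed[account] < MAX_FAILED_ATTEMPTS
```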

These guidelines emphasize usability, security, and practicality by recommending strong, user-friendly password policies. NIST standards might seem a little strange from a traditional password security standpoint, but they aim to make passwords more user-friendly while maintaining security. Does your small business need help with password management? Reach out to us!
