NIST Password Guidelines
Passwords have always been important to businesses, but many businesses aren't taking password management and security seriously. In this blog post, we will outline the new password recommendations and standards from the United States’ National Institute of Standards and Technology (NIST).
NIST provides guidelines for password security in its Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. The key points of NIST’s latest password standards (as of 2020) include the following:
1. Password Length:
- Minimum password length should be 8 characters.
- Maximum password length should allow at least 64 characters.
- Users should be allowed to use all special characters (spaces included) and be able to create passphrases.
2. Complexity:
- NIST recommends avoiding mandatory complexity rules like requiring a mix of uppercase, lowercase, digits, and special characters. This is because it often leads to weaker passwords as users tend to choose simpler patterns.
3. Password Hints and Knowledge-based Authentication (KBA):
- Password hints should be eliminated: a hint that helps the legitimate user remember the password also helps an attacker guess it.
- Avoid knowledge-based authentication (e.g., security questions) since many answers can be guessed or easily found online.
4. Password Blacklisting:
- Use of common passwords like "123456" or "password" should be blocked.
- Also, block passwords that have been exposed in previous data breaches (via a password blacklist).
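The length, complexity and blacklist points above translate directly into a password-acceptance check. The following is an added example, not code from the post or from NIST: it normalises input with Unicode NFKC (as SP 800-63B asks) before measuring length, allows spaces and non-ASCII so passphrases work, imposes no composition quota, and rejects candidates found in a blocklist. The blocklist here is a constructed six-entry stand-in for a real breached/common-password list, and the 128-character upper bound is an assumption chosen to sit comfortably above the 64 characters NIST requires you to accept. A `legacy_check` with the old composition rules is included for contrast.

```python
import unicodedata

# Constructed sample blocklist: stand-in for a real breached/common-password list.
# Entries are lowercase; candidates are NFKC-normalised and lowercased before lookup.
BLOCKLIST = {"123456", "password", "password1", "p@ssw0rd", "qwerty", "letmein"}

MIN_LENGTH = 8      # NIST minimum for user-chosen secrets
MAX_LENGTH = 128    # assumption: generous cap, well above the 64 NIST says must be accepted


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalisation so visually identical inputs compare and hash the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the list of policy violations for a candidate password (empty list = accepted).

    Deliberately absent: composition rules (uppercase/digit/symbol quotas).
    Deliberately allowed: spaces, punctuation and non-ASCII characters, so passphrases work.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    elif len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if pw.lower() in blocklist:
        problems.append("blocklisted")
    return problems


def legacy_check(password: str) -> bool:
    """The kind of composition rule NIST now advises against, shown only for contrast."""
    return (
        8 <= len(password) <= 16
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short"):
        print(f"{candidate!r}: legacy={legacy_check(candidate)} "
              f"nist_problems={check_password(candidate)}")
```

Run as a script, the contrast is the point: the legacy rule accepts `P@ssw0rd` (it has every character class) while the NIST-style check rejects it as blocklisted, and the legacy rule rejects the long passphrase that the NIST-style check accepts.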
5. Password Expiration:
- NIST discourages the use of password expiration policies that require periodic password changes unless there is evidence of a compromise.
- Encourage password changes only if the user suspects or knows of a breach.
6. Password Storage:
- Passwords must be stored using salted hashing techniques. Plaintext storage of passwords is not allowed.
- PBKDF2, bcrypt, or scrypt are recommended for password hashing.
7. Rate Limiting:
- Limit the number of failed login attempts to prevent brute-force attacks.
- Implement additional safeguards like CAPTCHA after multiple failed attempts.
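The storage and rate-limiting points above fit together in one login path, shown here as an added example that is not code from the post or from NIST. Storage uses PBKDF2-HMAC-SHA256 from Python's standard `hashlib` with a fresh 16-byte random salt per password, packs salt and iteration count alongside the hash so the work factor can be raised later, and compares with `hmac.compare_digest`. Rate limiting is a per-account failed-attempt counter with a temporary lockout; the 600,000-iteration work factor, the five-attempt threshold and the 15-minute lockout are all assumptions to be tuned for your environment. Unknown usernames are verified against a dummy hash so response time does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
import time
import unicodedata

# Assumed work factor for PBKDF2-HMAC-SHA256; tune so one hash costs tens of milliseconds.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it with its parameters for storage."""
    salt = os.urandom(16)  # fresh random salt per password
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout (thresholds are assumptions)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}  # username -> (failure_count, locked_until)

    def is_locked(self, username: str, now: float) -> bool:
        _, locked_until = self._state.get(username, (0, 0.0))
        if locked_until > now:
            return True
        if locked_until:
            self._state.pop(username, None)  # lockout expired: start counting afresh
        return False

    def record_failure(self, username: str, now: float) -> int:
        count, locked_until = self._state.get(username, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self._state[username] = (count, locked_until)
        return count

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


# Verified for unknown usernames so response time does not reveal which accounts exist.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


def attempt_login(store: dict, throttle: LoginThrottle, username: str, password: str, now=None) -> str:
    """Return 'locked', 'ok' or 'bad_credentials'; `now` is injectable for deterministic tests."""
    now = time.time() if now is None else now
    if throttle.is_locked(username, now):
        return "locked"
    stored = store.get(username, _DUMMY_HASH)
    # Evaluate the hash first so an unknown user costs the same as a wrong password.
    if verify_password(password, stored) and username in store:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad_credentials"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    throttle = LoginThrottle()
    print(users["alice"])
    for i in range(6):
        print(attempt_login(users, throttle, "alice", "guess", now=float(i)))
    print(attempt_login(users, throttle, "alice", "correct horse battery staple", now=10.0))
```

The lockout is keyed on the account, not the source address, so it also slows a distributed guessing campaign against one user; in production the counter would live in a shared store rather than process memory, and the `locked` outcome is the natural hook for the CAPTCHA or notification step mentioned above.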
8. Multi-Factor Authentication (MFA):
- NIST strongly recommends the use of Multi-Factor Authentication (MFA) as a secondary authentication method, especially for sensitive systems. MFA involves requiring users to authenticate using two or more factors or methods. One factor of authentication in this model can be a secret or password — something you know. Adding another factor, like a code received through SMS on your phone or using a TOTP authenticator app — something you have — reduces the risk that a password breach alone would compromise the business or a user’s account.
9. Use a Password Manager for Increased Password Strength:
- NIST suggests companies use a password manager to help their employees and stakeholders generate strong passwords and keep them stored encrypted.
These guidelines emphasize usability, security, and practicality by recommending strong, user-friendly password policies. NIST standards might seem a little strange from a traditional password security standpoint, but they aim to make passwords more user-friendly while maintaining security. Does your small business need help with password management? Reach out to us!