What Are the NIST Password Guidelines?


Are you confident you know how to create a secure NIST password in 2024? Ensuring your company’s users and employees craft strong passwords is crucial to safeguarding sensitive information, maintaining private communications, and protecting the company’s reputation from cyberattacks.

The National Institute of Standards and Technology (NIST) frequently updates its Digital Identity Guidelines, including password creation and secret management recommendations. Understanding and implementing these NIST standards is essential for your company. Read on to learn more about these guidelines and their importance.

Why Is Password Security So Important?

Password cracking attacks continue to be a significant threat, with passwords being one of the most vulnerable entry points for hackers. When attackers gain access to valid passwords and user credentials, they can penetrate systems and potentially elevate their privileges to an administrator or superuser level, causing extensive damage to an organization’s security, reputation, and financial stability.

Adhering to the NIST password guidelines helps businesses protect their information security assets, meet compliance requirements, and implement best practices recognized in the US and globally.

NIST Password Guideline Standards

First released in 2017 to comply with the Federal Information Security Modernization Act of 2014 for federal agencies and updated most recently in 2020, the NIST Password Guideline Standards are detailed in NIST Special Publication (SP) 800-63B, part of the Digital Identity Guidelines document suite. NIST emphasizes the strength of passwords and the behaviors of individuals creating them. This focus enables NIST to provide well-informed recommendations on password creation, authentication, implementation, storage, and updates.

1. Enable ‘Show Password’

The chances of someone behind you recording your password as you type are quite slim, making it unnecessary to conceal your password during entry. In fact, hiding the characters can increase the likelihood of typing errors, which might lead you to believe you’ve forgotten your password. This mistake can result in data exposure each time you reset your password.

2. Use a Password Manager for Increased Password Strength

NIST advises companies to utilize password managers to help employees and stakeholders encrypt and generate robust passwords. Whether securing your own servers or those of your clients, reducing human error is essential. Providing users with a password manager ensures they can generate long, strong passwords and passphrases automatically.

Studies indicate that user behavior significantly impacts password security. Many individuals tend to reuse passwords instead of creating new ones based on security guidelines. Reusing the same password across multiple systems increases vulnerability. Supplying employees with a password manager and proper training encourages them to use unique passwords for each system and helps them remember their credentials.

3. Securely Store Passwords with Salting and Hashing

NIST recommends that organizations never retain user-generated passwords in plain text on their servers, discarding the original immediately upon creation by using a zero-knowledge password protocol or zeroization. They advocate for “hashing” and “salting” passwords. Hashing converts a plain-text password into a fixed-length string, known as a password hash, which appears as gibberish and from which the original password cannot be read back. This method ensures that if a hacker gains access to the password database, they only retrieve a list of hashes, which must be cracked offline and takes much longer, giving the organization more time to respond. Salting adds random data to each password before it is hashed, so two users with the same password get different hashes and precomputed hash tables become useless.

Ensure you employ modern, secure salting and hashing methods, as older algorithms may no longer provide adequate protection.

4. Lock After Multiple Attempts

NIST recommends locking a user out of password-protected programs after several incorrect password attempts. Section 5.2.2 of NIST Special Publication 800-63B outlines guidelines for “rate limiting” (throttling) authentication attempts, allowing no more than 100 consecutive failed attempts on a single account. For enhanced security, most organizations set limits well below this threshold and incorporate strategies such as enforced waiting periods before retrying. Additionally, businesses can use CAPTCHAs and IP address “permit” lists (also known as “whitelists”) to limit bot-based attacks.
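A per-account throttle implementing the lockout and waiting-period strategy above, added here as an example and not code from the article: the soft and hard limits are assumptions that sit well below NIST's ceiling of 100 consecutive failures, the waiting period doubles with each further failure, and the clock is injectable so the policy can be exercised offline.

```python
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, chosen well below the
# 100-consecutive-failure ceiling the article cites from SP 800-63B.
SOFT_LIMIT = 10            # failures before enforced waiting periods begin
HARD_LIMIT = 20            # failures before the account is locked for manual unlock
BASE_DELAY_SECONDS = 2.0   # first waiting period; doubles with each further failure


@dataclass
class AccountState:
    failures: int = 0
    retry_after: float = 0.0
    locked: bool = False


class LoginThrottle:
    """Per-account throttle consulted before any password is even checked."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for offline testing
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def check(self, username):
        """Return (allowed, seconds_to_wait). A hard-locked account is never allowed."""
        st = self._state(username)
        if st.locked:
            return False, float("inf")
        remaining = st.retry_after - self._clock()
        if remaining > 0:
            return False, remaining
        return True, 0.0

    def record_failure(self, username):
        """Count a consecutive failure; return the new count."""
        st = self._state(username)
        st.failures += 1
        if st.failures >= HARD_LIMIT:
            st.locked = True
        elif st.failures >= SOFT_LIMIT:
            delay = BASE_DELAY_SECONDS * 2 ** (st.failures - SOFT_LIMIT)
            st.retry_after = self._clock() + delay
        return st.failures

    def record_success(self, username):
        """A correct password resets the counter unless the account is hard-locked."""
        st = self._state(username)
        if not st.locked:
            st.failures, st.retry_after = 0, 0.0
```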

5. Employ Two-Factor Authentication or Multi-Factor Authentication

Two-factor (2FA) or multi-factor authentication (MFA) requires users to verify their identity using two or more authentication methods. One of these methods can be a password—something you know. Another factor, such as a code sent via SMS to your phone or generated by a TOTP authenticator app—something you have—significantly reduces the risk that a password breach alone could compromise a business or user account. Physical security keys, like YubiKey products, also serve as a “something you have” factor. While biometrics—something you are—can be another factor, NIST’s 2020 updates recommend using biometrics only in a limited capacity for authentication.

NIST’s recommendation to incorporate MFA into password policies and security processes is echoed by many third parties, auditors, and customers who now expect MFA as a standard measure to combat identity theft, cyber threats, and fraud.

Frequency of Password Changes

Contrary to popular belief and previous standards, NIST does not recommend frequent password changes. Regularly changing passwords often leads individuals to reuse old passwords with minor modifications, such as adding a number, letter, or special character. Professional hackers are aware of this practice and can easily predict these minor changes. Additionally, if a password has been compromised, its variations, even with added characters, are more vulnerable to future breaches.

NIST advises businesses to enforce password expiration and resets only when a compromise is known or every 365 days. This approach encourages users to create longer, more secure passwords that are harder to crack.

NIST’s New Guidelines for Passwords

NIST SP 800-63 was first released in 2017 and has undergone multiple revisions. As of 2024, NIST has requested comments on its latest revision of 800-63 (Digital Identity Guidelines). In 2020, NIST updated its password guidelines to prioritize password length over complexity, recommend salting and hashing stored passwords, promote the use of MFA, and simplify adherence to password security policies for users. Additionally, organizations should not require employees to reset their passwords more than once per year and should monitor new passwords daily, checking them against lists of common and compromised passwords. NIST has also identified several authentication security threats, including password vulnerabilities, that businesses and industry professionals should be aware of.

1. Reduce the Importance of Password Complexity

The new NIST password guidelines emphasize focusing on length rather than complexity when creating passwords. Interestingly, while complex passwords (incorporating special characters, uppercase and lowercase letters, and numbers) are often considered more secure, they can actually be more vulnerable to brute-force attacks due to predictable user behavior. NIST recommends a minimum password length of eight characters, but generally, the longer the password, the harder it is to crack.

2. Monitor New Passwords Automatically

Certain passwords are compromised even before they are chosen. It’s crucial to ensure that new passwords are not only strong and lengthy but also not included in lists of commonly used and easily compromised passwords. The problem is not limited to sequential strings like “123456” or common words like “password”: any password that has already appeared in a breach should be treated as compromised.

3. Threats to Authentication

Passwords are the first line of defense for users and organizations in terms of authentication, and breached passwords continue to be a prevalent cybersecurity threat. By recognizing the authentication threats highlighted by NIST, organizations can more effectively identify and address the security risks relevant to them.

4. Eliminate Password Hints

NIST’s 800-63B publication prohibits the use of password hints that could assist users in recalling their passwords. This restriction aims to prevent knowledgeable hackers from gaining valuable insights into an account’s password.

NIST Password Recommendations

NIST offers several recommendations that, while not mandatory, are considered best practices. These practices enhance user experience and minimize the risk of human error, which makes individuals vulnerable to cyberattacks.

The recommendations include:

  • setting the maximum password length at 64 characters
  • not mandating the use of special characters in passwords
  • enabling copy-and-paste functions in password fields to allow effective use of password managers
  • permitting ASCII and Unicode characters in passwords
  • employing a secure password manager

NIST Guidelines for Compromised Passwords

As previously mentioned, NIST recommends changing passwords immediately upon discovering they are compromised. Additionally, organizations should screen new passwords, preferably automatically. This screening should compare new passwords against lists of breached, commonly used, and weak passwords to prevent their use for user accounts. In this scenario, your IT team can employ the same kinds of word lists that attackers use, this time to keep weak choices out. Password-guessing tools draw on dictionary words, lists of commonly used passwords, context-specific words (such as the company or service name), previously breached password lists, and precomputed hash tables to identify patterns in your company’s user data. Screening new passwords against the same sources filters out compromised or weak passwords before they can be exploited.
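A screening function that applies the rules from this section together with the length and character recommendations above (8 to 64 code points, Unicode and spaces allowed, no forced special characters), added here as an example and not code from the article. The blocklist is a constructed stand-in for the breach and common-password lists a real verifier would load from disk; the Unicode NFKC normalization step and the stem check for trailing digits and punctuation are assumptions about how a practical verifier would catch minor variations.

```python
import string
import unicodedata

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64    # ceiling from the recommendations above; accept at least this many

# Constructed sample list for this example; a real verifier loads breach-corpus
# and common-password lists from disk instead of a hard-coded set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}


def normalize(secret):
    """NFKC so equivalent Unicode spellings compare equal, then case-fold."""
    return unicodedata.normalize("NFKC", secret).casefold()


def is_sequential_or_repeated(s):
    """Reject 'aaaaaaaa', '12345678' and 'hgfedcba' as patterns, not secrets."""
    if len(s) < 2 or len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def screen_password(candidate, context_words=(), blocklist=COMMON_PASSWORDS):
    """Return a list of rejection codes; an empty list means the password is accepted.

    Length is counted in code points, so spaces and Unicode count like any other
    character, and no composition rule (digits, symbols, mixed case) is imposed.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if len(candidate) > MAX_LENGTH:
        reasons.append("too_long")
    norm = normalize(candidate)
    # Check the whole secret and its stem (trailing digits/punctuation removed),
    # so "Password1!" is caught as a minor variation of a blocklisted value.
    stem = norm.rstrip(string.digits + string.punctuation)
    if norm in blocklist or (stem and stem in blocklist):
        reasons.append("blocklisted")
    # Context-specific words such as the company or service name are rejected too.
    if any(normalize(w) in norm for w in context_words if w):
        reasons.append("context_word")
    if is_sequential_or_repeated(norm):
        reasons.append("sequential")
    return reasons
```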

Need Help Implementing NIST Password Guidelines for Your Business?

If you’re unsure how to implement NIST’s password guidelines for your business, you’re not alone. Balancing cybersecurity and regulatory compliance can be challenging. However, NIST emphasizes that strong security should enhance, not hinder, your progress.

At RedGlow Cyber, we offer vCISO services to provide expert guidance in aligning your systems with the latest cybersecurity standards. We understand the complexities involved and can help simplify the process while ensuring your business follows best practices and maintains a secure IT infrastructure. Contact us now!