Lepide Blog: A Guide to IT Security, Compliance and IT Operations

NIST Password Guidelines

NIST Password Guidelines

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency in the United States, that produce standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).

The NIST password guidelines, as you might expect, provide recommendations for how passwords are created, verified, and handled. The guidelines are not enforced, although many companies choose to follow them in order to strengthen their security posture and comply with the relevant data privacy regulations.

Revision 3, the current revision of the NIST password guidelines, was released in 2017 and updated in 2019. Revision 3 introduced a number of changes relating to the strict complexity requirements that were detailed in previous revisions.

To put it simply, when passwords become too complex, users find other ways to inadvertently compromise password security in order to help them to remember their passwords, which is counter-productive. For example, they might start writing their passwords down on post-it notes, or reusing them, with, perhaps, a few alterations, etc.

NIST Password Guidelines

Following NIST password guidelines will help organizations protect themselves against brute force attacks, dictionary attacks, credential stuffing, and more. Below are some of the most notable changes made in the 3rd revision of the NIST password guidelines:

1. Password Length

The strict password complexity requirements have been removed in revision 3, as they were seen as being counter-productive. Under the new revision, user-created passwords should be at least 8 characters in length, and machine-generated passwords should be at least 6 characters in length.

Organizations should also allow for passwords that are as big as 64 characters in length. To improve password security, we recommend allowing passwords with a minimum of 64 characters. This longer password length enables users to create unique passphrases, which can be easier to remember due to their complexity and meaning. While 64-character passwords can offer a higher level of security, it’s still important for users to be mindful of the characteristics cautioned against in the next rule.

2. Password Processing

Organizations should stop truncating passwords, and all passwords should be hashed and salted, with the full password hash stored. Users should be allowed to enter their password at least 10 times before getting locked out.

3. Accepted Characters

All ASCII characters are permissible, including the space character. Unicode characters, such as emojis, are also acceptable. Users should be prevented from using obvious patterns, such as sequential numbers or repeated characters.

4. Commonly Used Words

Users should not use commonly used words in their passwords. Likewise, they should be discouraged from using words and phrases that are context-specific.

5. Breached passwords

Organizations should check passwords against a list of previously breached passwords. There is a service called Have I Been Pwned? which contains a list of 570+ million passwords, which have been used in real-life breaches. When users try to create a password that is on the list, they should be prompted to enter a different password.

6. Password Expiration

According to both NIST and Microsoft, password expiration policies are no longer necessary. It has been suggested that forcing users to periodically change their passwords may actually do more harm than good, as users become more likely to choose predictable passwords as they are easier to remember.

7. Password Hints

Password hints, or what some refer to as Knowledge-based Authentication (KBA), are now discouraged by the NIST guidelines. For example, a password hint such as “What was the name of your first pet?”, could be fairly easy for an attacker to guess, especially if they did some research beforehand.

8. Password Managers

It’s often the case where users use password managers to help them remember their passwords. However, some password fields don’t allow users to paste their passwords. Under the new NIST guidelines, login forms should allow users to paste passwords.

9. Two Factor Authentication (2FA)

When using 2FA, organizations should use an authenticator app, such as Google Authenticator or Okta Verify, as opposed to SMS, as it is no longer seen as a secure method of verification.

10. Feedback following rejected passwords

Providing clear and actionable feedback to users when their passwords are rejected is crucial for handling user passwords effectively. This can be achieved by implementing password-strength meters, limiting the number of password attempts, and allowing users to see their actual password rather than just asterisks. When a user’s password attempt doesn’t meet the desired standards, it is essential to provide feedback that explains which specific rule the password failed to meet. This kind of feedback helps users understand what they need to improve, ultimately enabling them to create stronger passwords that protect their account and your database. By providing such feedback, you can empower users to create more secure passwords, promoting a safer online environment.

11. Secure Password Storage

Protecting password storage is crucial in today’s digital landscape. Password breaches are surprisingly common, and it’s essential to take measures to prevent them. In fact, the National Institute of Standards and Technology (NIST) recommends a proactive approach to secure password storage. This involves salting and hashing password information, as well as using a suitable one-way key derivation function, as outlined in SP 800-63B Section 5.1.1.2. By taking these steps, organizations can safeguard their data from offline attacks and ensure the integrity of their password storage.

If you’d like to see how the Lepide can help you with NIST and password security, schedule a demo with one of our engineers today.