NIST Password Best Practices: 2024

Why is Password Security Important?

Passwords, unfortunately, stand as one of the most susceptible targets for hackers. When threat actors successfully acquire valid passwords and user credentials, they gain entry into systems, with the potential to escalate their privileges to administrator or superuser levels. This intrusion can lead to widespread disruptions in an organization’s security, tarnish its reputation, and impact its financial well-being.

According to Astra the following is a list of the 5 most used passwords in 2023:

1. 123456
2. 123456789
3. qwerty
4. password
5. 12345

To mitigate such risks, businesses are strongly advised to embrace the NIST password guidelines. This proactive stance serves as a strong defense, safeguarding sensitive data and enhancing the overall resilience of the organization in the face of evolving cyber threats.

What is a NIST Password?

A NIST password is a more secure form of login credentials that meets certain requirements set by the National Institute of Standard and Technology (NIST). The security standards set by NIST are complex and often involve additional steps, such as providing distinct types of information or using two-factor authentication. Though these guidelines may seem daunting and time-consuming, they provide an extra layer of encryption to protect user data from unauthorized access. NIST passwords are difficult to memorize but they are worth the effort given their level of protection against online security threats. NIST passwords are a safe way for organizations to ensure their online infrastructure remains secure.

NIST Password Guidelines for 2024

The most recent NIST Password Guideline Guidelines are explained in the NIST Special Publication 800-63B Digital Identity Guidelines. These requirements focus primarily on the quality of the password and placement recommendations on how to: generate, use, store, verify and enhance passwords overall. Below are five guidelines you should follow if you are looking to implement NIST password guidelines.

1. Check passwords

The length of a password is far more important than intricate passwords. The NIST advises a password policy that requires all user-created passwords to have at least the length of eight, and all auto-generated passwords to be at least six characters in length. Furthermore, it is recommended that the maximum length of a password should only be sixty-four characters. Every ASCII (American Standard Code for Information Interchange) character, including the space character, should be used in all NIST passwords. Furthermore, internet users should not be using consecutive characters (e.g., “5678”) or recurring characters (e.g., “bbbb”).

2. Screen passwords against commonly used and breach password lists

Passwords which are known to be frequently used or compromised should be prohibited. Recently established passwords need to be checked to make sure they are not compromised. Even, if a user generates a complex password, it can still expose the user to cyber-attacks if not checked. Credential duplication enhances a hacker’s chances of getting access to additional user accounts which can result in a breach of confidential information. When a user tries to use a password that is incorrect, a message should appear asking them for a different password and providing an explanation as to why their previous password was denied. Companies need to alert employees whenever they set a password that is accessible in a breached passwords list.

3.Utilize at least Two-Factor Authentication

Two-Factor Authentication (2FA) is an important cybersecurity tool that provides an additional layer of protection for online accounts. By using two separate forms of authentication, it becomes much more difficult for hackers to access sensitive information even if they have stolen passwords. Two-factor authentication requires the user to provide additional evidence such as a code received via SMS or biometric scanning such as fingerprints or voice recognition. Thanks to the added layer of security provided by two-factor authentication, users can enjoy peace of mind knowing their valuable information is safe from malicious attacks.

Find out which MFA method is best for your business.

4. Remove hints or knowledge-based authentication (KBA)

Companies should never allow employees or internet users to request a password hint. Instead, recommend ways to confirm their identity and reset their password, like using Two-Factor Authentication. The NIST also recommends not using knowledge-based authentication (KBA), such as questions like “What town were you born in?”

5. Use A Password Manager

The NIST requires that companies remove the user-generated password from their server as soon as it is created, using a zero-knowledge password protocol. Although the NIST does not explicitly recommend their use, they encourage companies to permit a copy-paste functionality to accommodate password managers. Moreover, when using a password manager, it is important to having an option to ‘show password.’ The benefit to this feature is not having to re-enter all the password characters. By not permitting the ‘show password’ option deters people from creating longer complex passwords.

How Often Should You Change Your Password?

The National Institute of Standards and Technology (NIST) does not recommend changing your password on a frequent basis, as it can lead to individuals making minor changes (such as appending numbers or characters to the end of their passwords). Rather, NIST suggests that passwords should be reset once a year in order to maintain digital security. This is because professional hackers are often able to predict simple changes and easily guess modified passwords.

If there has been a data breach, or you suspect that your password has been compromised, then it is important for you to change your password right away. If this happens, then make sure that the new password is strong and secure, so as not to fall prey to further attacks. In general, NIST recommends that passwords are only changed once a year unless there is an immediate threat or if the user suspects their password has been compromised in some way. Changing your password more frequently than necessary can actually have a negative effect on security since users may use simple variations of the same password over time instead of creating stronger ones with each resetting period.

NIST Guidelines for Compromised Passwords

As discussed above, NIST suggests you change passwords as soon as you know they are compromised. To safeguard user accounts, it is imperative to assess newly created passwords against databases containing compromised, frequently used, and weak passwords. Hackers routinely employ dictionaries, password lists with commonly used variations, and context-specific terms (like the company or service name). Additionally, they reference previously breached password lists and hash tables to discern patterns within your organization’s user data. Leveraging these very techniques can enable you to preemptively identify and filter out compromised or vulnerable or susceptible passwords, preventing hackers from exploiting vulnerabilities.

Need Help Implementing NIST Password Guidelines for Your Business?

NIST password guidelines are updated regularly and have gone through several iterations, as they change with our ever-shifting cyber landscape. NIST password guidelines are the gold standard for securing your company’s sensitive information and creating a strong information security program. The NIST password recommendations emphasize randomization, lengthiness, and secure storage.  Although, requirements are clear, implementing and maintaining them for a business is difficult. If your business struggles to maintain password guidelines you need an expert IT team, stringent procedures, and the IT infrastructure to support it.  At PSM, we offer managed IT security services in which we will take over the implementation, maintenance, and monitoring of your cybersecurity.

We offer the following cybersecurity services:

• Advanced A/V with EDR
• Multi Factor Authentication
• Spam and Phishing Protection
• Web Security and DNS Protection
• Intrusion Prevention System
• UTM/NGFW Firewall
• Endpoint Detection and Response
• Security Operations Center
• Intrusion Detection System
• Data Loss Prevention
• Vulnerability Scanning
• SIEM Log Collection
• Risk Assessment and Gap Analysis
• Patch Management
• Cyber defense
• Network Security

Contact us at (312) 940-7830 to work with our experts today to learn how you can implement these NIST password guidelines for your business.