Password-Best Practices

NIST Password Best Practices: 2022/2023

Having a secure and strong password is essential for any user nowadays, with the prevalence of data breaches and cyber-attacks. A weak password can easily be guessed or figured out by malicious hackers, leaving you exposed to potential theft and loss of valuable personal information. It is essential for employees and network users to generate strong passwords that will protect their accounts and confidential data. It is important to keep changing your password regularly, preferably every 3 months, to help protect your information from hackers. The NIST (National Institute of Standards and Technology) frequently releases password guidelines for companies to utilize best practices for generating and implementing passwords.

What is a NIST Password?

A NIST password is a more secure form of login credentials that meets certain requirements set by the National Institute of Standard and Technology (NIST). The security standards set by NIST are complex and often involve additional steps, such as providing distinct types of information or using two-factor authentication. Though these guidelines may seem daunting and time-consuming, they provide an extra layer of encryption to protect user data from unauthorized access. NIST passwords are difficult to memorize but they are worth the effort given their level of protection against online security threats. NIST passwords are a safe way for organizations to ensure their online infrastructure remains secure.

NIST Password Guidelines for 2022

The most recent NIST Password Guideline Guidelines are explained in the NIST Special Publication 800-63B Digital Identity Guidelines. These requirements focus primarily on the quality of the password and placement recommendations on how to: generate, use, store, verify and enhance passwords overall. Below are five guidelines you should follow if you are looking to implement NIST password guidelines.

1. Check passwords

The length of a password is far more important than intricate passwords. The NIST advises a password policy that requires all user-created passwords to have at least the length of eight, and all auto-generated passwords to be at least six characters in length. Furthermore, it is recommended that the maximum length of a password should only be sixty-four characters. Every ASCII (American Standard Code for Information Interchange) character, including the space character, should be used in all NIST passwords. Furthermore, internet users should not be using consecutive characters (e.g., “5678”) or recurring characters (e.g., “bbbb”).

2. Screen passwords against commonly used and breach password lists

Passwords which are known to be frequently used or compromised should be prohibited. Recently established passwords need to be checked to make sure they are not compromised. Even, if a user generates a complex password, it can still expose the user to cyber-attacks if not checked. Credential duplication enhances a hacker’s chances of getting access to additional user accounts which can result in a breach of confidential information. When a user tries to use a password that is incorrect, a message should appear asking them for a different password and providing an explanation as to why their previous password was denied. Companies need to alert employees whenever they set a password that is accessible in a breached passwords list.

3.Utilize at least Two-Factor Authentication

Two-Factor Authentication (2FA) is an important cybersecurity tool that provides an additional layer of protection for online accounts. By using two separate forms of authentication, it becomes much more difficult for hackers to access sensitive information even if they have stolen passwords. Two-factor authentication requires the user to provide additional evidence such as a code received via SMS or biometric scanning such as fingerprints or voice recognition. Thanks to the added layer of security provided by two-factor authentication, users can enjoy peace of mind knowing their valuable information is safe from malicious attacks.

Find out which MFA method is best for your business.

4. Remove hints or knowledge-based authentication (KBA)

Companies should never allow employees or internet users to request a password hint. Instead, recommend ways to confirm their identity and reset their password, like using Two-Factor Authentication. The NIST also recommends not using knowledge-based authentication (KBA), such as questions like “What town were you born in?”

5. Use A Password Manager

The NIST requires that companies remove the user-generated password from their server as soon as it is created, using a zero-knowledge password protocol. Although the NIST does not explicitly recommend their use, they encourage companies to permit a copy-paste functionality to accommodate password managers. Moreover, when using a password manager, it is important to having an option to ‘show password.’ The benefit to this feature is not having to re-enter all the password characters. By not permitting the ‘show password’ option deters people from creating longer complex passwords.

How Often Should You Change Your Password?

The National Institute of Standards and Technology (NIST) does not recommend changing your password on a frequent basis, as it can lead to individuals making minor changes (such as appending numbers or characters to the end of their passwords). Rather, NIST suggests that passwords should be reset once a year in order to maintain digital security. This is because professional hackers are often able to predict simple changes and easily guess modified passwords.

If there has been a data breach, or you suspect that your password has been compromised, then it is important for you to change your password right away. If this happens, then make sure that the new password is strong and secure, so as not to fall prey to further attacks. In general, NIST recommends that passwords are only changed once a year unless there is an immediate threat or if the user suspects their password has been compromised in some way. Changing your password more frequently than necessary can actually have a negative effect on security since users may use simple variations of the same password over time instead of creating stronger ones with each resetting period.

Need Help Implementing NIST Password Guidelines for Your Business?

NIST password guidelines are updated regularly and have gone through several iterations, as they change with our ever-shifting cyber landscape. NIST password guidelines are the gold standard for securing your company’s sensitive information and creating a strong information security program. The NIST password recommendations emphasize randomization, lengthiness, and secure storage.  Although, requirements are clear, implementing and maintaining them for a business is difficult. If your business struggles to maintain password guidelines you need an expert IT team, stringent procedures, and the IT infrastructure to support it.  At PSM, we offer managed IT security services in which we will take over the implementation, maintenance, and monitoring of your cybersecurity.

We offer the following cybersecurity services:

  • Advanced A/V with EDR
  • Multi Factor Authentication
  • Spam and Phishing Protection
  • Web Security and DNS Protection
  • Intrusion Prevention System
  • UTM/NGFW Firewall
  • Endpoint Detection and Response
  • Security Operations Center
  • Intrusion Detection System
  • Data Loss Prevention
  • Vulnerability Scanning
  • SIEM Log Collection
  • Risk Assessment and Gap Analysis
  • Patch Management
  • Cyber defense
  • Network Security

Contact us at (312) 940-7830 to work with our experts today to learn how you can implement these NIST password guidelines for your business.


Leave a Comment

Your email address will not be published.

Scroll to Top