NIST Password Guidelines 2021 | Password Policy Best Practices (2023)

A recent survey has shown that two-thirds of companies don’t change passwords. The reasoning behind this statistic is even more worrying, as over half of employees avoid doing so because they worry about forgetting their new passwords, think that this practice is annoying, or simply don’t see the point in doing so.

Healthy and robust password management policies are essential. Both companies and employees need to understand the importance of implementing proper password practices. The National Institute of Standards and Technology (NIST) provides password guidelines that are regarded as the gold standard for general privacy and data security compliance in the US.

At the start of this year, officials from NIST teased potential changes to their security recommendations. With that in mind, we want to take a look at the current NIST password guidelines for 2021 to help you recognize the best password practices to protect against current cybersecurity threats.

NIST Password Guidelines

Since 2014, the National Institute of Standards and Technology has issued guidelines, recommendations, and controls for identity authentication, including optimal password policy practices.

These guidelines have evolved over the years, as there have been several revisions, most notably in 2017 and 2019. The NIST password guidelines cover crucial practices for creating and managing passwords and requirements for the validation of these passwords.

The main goal of the NIST password guidelines is to create strong password security for users and businesses and strictly control privileged access. These guidelines allow organizations and companies to better protect themselves against credential stuffing, brute force attacks, and other intrusion attempts. With all of that in mind, let’s first take a look at the outdated password recommendations and then move to the latest NIST guidelines for passwords for 2021.

Outdated Password Recommendations

Most companies still apply outdated password practices built on a set of fundamental criteria. These criteria generally boil down to three main password security guidelines:

  • Forcing regular password changes
  • Requiring that each new password is unique and hasn’t been used before in any form
  • Making sure that each password is complex and consists of alphabetic (lowercase and uppercase) and numeric characters, as well as special symbols.

These guidelines are widely accepted by many businesses and have been used for decades. While there’s nothing inherently wrong with the above-listed policies, they’re not sophisticated enough to support modern security requirements.

The fact that around 57% of people still employ these outdated practices means that the door for phishing and malware attacks is still very much open for attackers. We’ve grown accustomed to the outdated recommendations and need to apply new password management practices to ensure maximum security. This brings us to the next crucial topic.

Updated Password Recommendations

NIST has published a revised set of guidelines that cover the recommended security practices that best apply to today’s environment. This topic requires an entire article of its own, so we won’t go into all of the tiny details. That said, we want to take a close look at the latest password recommendations pertaining to the existing security practices:

Alphanumeric Characters

The alphanumeric password system seems like it has been around for as long as passwords themselves. Combining lowercase and uppercase letters with numbers and special characters to make a password “stronger” is a practice nearly every security system employs nowadays.

However, the NIST password guidelines state that this system doesn’t necessarily produce stronger or more secure passwords.

The new NIST password guidelines emphasize a more dynamic system, in which a user’s new password is checked against lists of known weak passwords and passwords that have appeared in previous leaks, rather than against fixed composition rules.

Password Length

The current practice is that passwords should be around 8 to 10 characters. This is one of the essential aspects that needs to change, as the NIST password guidelines recommend that systems allow passwords of up to at least 64 characters.

Having such a lengthy password might seem like an inconvenience. However, remembering a unique sentence as a password is much easier than using a gibberish one comprised of random numbers and characters.

Password Hints

“What was the name of your childhood pet?” and “The name of your first teacher” are everyday password hints users employ when they need to recover a password they’ve forgotten. However, the quality of these password hints often leaves a lot to be desired, especially in today’s over-exposed social media era.

The new NIST password guidelines advise that users should steer clear of password hints. Instead, they should use multi-factor authentication (MFA) as a more advanced and more secure method of protecting an account.

You can configure MFA to verify you by fingerprint, digital certificate, hardware token, location, time, and much more. This is a security step that’s much harder to defeat and significantly lowers the risk of your data being leaked.

Forced Password Changes

The new NIST password guidelines diminish the value of scheduled forced password changes. They support this stance by arguing that users tend to fall back on predictable patterns, such as changing only a few numbers or swapping characters, which weakens the password and makes the change far less significant than it should be. Plus, if attackers already have the user’s current password and the user only makes slight tweaks to it, the forced password change is pointless.

Copy-Pasting Passwords

Surprisingly, this is something NIST has completely changed its perspective on since the last revision. The institute was previously entirely against enabling copy/paste features when entering passwords. However, the new guidelines reverse this recommendation.

The reasoning behind this change is that being able to paste complex passwords encourages employees to move to password managers rather than fall back on simpler passwords. These password managers then allow them to randomly generate and store passwords for convenient use without compromising their security.
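The recommendations summarised in the sections above (blocklist check instead of composition rules, a minimum of 8 characters with at least 64 allowed, no scheduled rotation) plus the sequential/repetitive-character restriction mentioned in the NIST 800-53 answer further down can be expressed as one acceptance routine. The following is an added example written for this page; it is not code from the article, from Hideez, or from NIST, and the breached-password list, the `Verdict` type and the `context` parameter are constructed assumptions.

```python
"""Password acceptance checks modelled on the NIST SP 800-63B guidance
summarised in the article.  Added example; not code from the article or NIST.

Constructed rules (assumptions taken from the article's summary):
  * user-chosen passwords: at least 8 characters; machine-generated: 6
  * the verifier accepts passwords up to at least 64 characters
  * no composition rules (no "one upper, one digit, one symbol")
  * reject values found in a weak / breached-password list
  * reject sequential or repetitive strings (12345678, aaaaaaaa)
  * no scheduled expiry; rotation happens only on evidence of compromise
"""
import unicodedata
from dataclasses import dataclass, field

MIN_USER_LEN = 8      # user-chosen passwords
MIN_MACHINE_LEN = 6   # machine-generated passwords
MAX_LEN = 64          # the verifier must accept at least this many

# Constructed stand-in for a breached-password corpus; a real deployment
# would load a large list or query a k-anonymity range API instead.
BREACHED = {"password", "123456", "123456789", "qwerty", "password1", "guest"}


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def _normalize(pw: str) -> str:
    # NFKC so visually identical Unicode spellings (e.g. fullwidth letters)
    # compare equal; spaces and all printable characters stay allowed.
    return unicodedata.normalize("NFKC", pw)


def _is_sequential(pw: str) -> bool:
    """True if every adjacent pair of characters steps by exactly +1 or -1."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 4 and steps in ({1}, {-1})


def _is_repetitive(pw: str) -> bool:
    """True if the value is one character or one short token repeated."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def check_password(candidate: str, user_chosen: bool = True,
                   context: tuple[str, ...] = ()) -> Verdict:
    """Return a Verdict; `context` holds account-specific values such as
    the username that must not appear inside the password (assumed API)."""
    pw = _normalize(candidate)
    lowered = pw.lower()
    reasons = []
    floor = MIN_USER_LEN if user_chosen else MIN_MACHINE_LEN
    if len(pw) < floor:
        reasons.append(f"shorter than {floor} characters")
    elif len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if lowered in BREACHED:
        reasons.append("found in the weak/breached password list")
    if _is_sequential(lowered) or _is_repetitive(lowered):
        reasons.append("sequential or repetitive characters")
    for word in context:
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains account value {word!r}")
    # Deliberately absent: composition rules and calendar-based expiry.
    return Verdict(ok=not reasons, reasons=reasons)
```

Note that a passphrase with spaces and no digits or symbols passes, while a short "complex" value fails on length alone; that is the shift the article describes.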

The Importance of Password Managers and 2FA

The best way to ensure maximum privacy and security of your passwords is to implement two practices: employing a password manager and using two-factor authentication. When it comes to the latter, everyone agrees that two-factor authentication adds a very strong security layer to your information. What all experts also agree on is that passwordless logins are the way of the future. It’s only a matter of time before companies adopt this method of authentication.

However, when it comes to password managers, this is where experts come to a crossroads. For some, password managers are a necessary and very convenient tool for ensuring privacy and security. For others, they are just a tool for masking the general issue by storing the passwords behind another password.

This is because it’s hard to find password generators that meet all of the NIST standards and requirements. The best you can do is find a reliable and secure password generator and manager to protect your valuable data from falling into the wrong hands.

For this reason, using a compact all-in-one Bluetooth-enabled key such as the Hideez Key 3 or Hideez Key 4 is a simple and elegant solution for your password management needs. It allows you to store up to 2,000 login credentials and passwords in a hardware vault. Moreover, it serves as a multifunctional security key that helps you generate unique and robust passwords and one-time passwords for multi-factor authentication.

The best part is that such a password management solution can be implemented not only for personal needs but for enterprise use as well, offering many more valuable features that are a perfect fit for a multi-user environment. To find out more, please contact us or request a free personalized pilot.

What are four (4) best practices for passwords?

Password Best Practices
  • Never reveal your passwords to others. ...
  • Use different passwords for different accounts. ...
  • Use multi-factor authentication (MFA). ...
  • Length trumps complexity. ...
  • Make passwords that are hard to guess but easy to remember.
  • Complexity still counts. ...
  • Use a password manager.

What is the best practice for password policy?

Best practices for password policy

Configure a minimum password length. Enforce password history policy with at least 10 previous passwords remembered. Set a minimum password age of 3 days. Enable the setting that requires passwords to meet complexity requirements.

What are three (3) best practices for creating and using passwords?

Tips for creating strong passwords
  • Never use personal information such as your name, birthday, user name, or email address. ...
  • Use a longer password. ...
  • Don't use the same password for each account. ...
  • Try to include numbers, symbols, and both uppercase and lowercase letters.

What are the 5 security requirements for a good password?

  • At least 12 characters (required for your Muhlenberg password)—the more characters, the better.
  • A mixture of both uppercase and lowercase letters.
  • A mixture of letters and numbers.
  • Inclusion of at least one special character, e.g., ! @ # ? ]

What are your 7 best tips for creating a strong password?

7 Tips For Creating a Better Password
  • Create Strong Passwords. ...
  • Avoid Passwords Containing Info Easily Found Online. ...
  • Use a Unique Password for Every Website or App. ...
  • Avoid Linked Accounts. ...
  • Use Multi-Factor Authentication. ...
  • Beware Where You Enter Your Password. ...
  • Take Note When a Data Breach Occurs.
9 Jul 2019

What is the 8 4 rule for creating strong passwords?

This is often called the “8 4 Rule” (Eight Four Rule): 8 = 8 characters minimum length. 4 = 1 lower case + 1 upper case + 1 number + 1 special character.

What is not best practice for password policy?

Explanation: Old passwords are more vulnerable to being misplaced or compromised.

What are the best practices for security?

10 Security Best Practice Guidelines
  • Software. Only install applications, plug-ins, and add-ins that are required. ...
  • Updates and Patches. After installing, update! ...
  • Anti-virus. Install, frequently update, and regularly scan using anti-virus software. ...
  • Passwords. ...
  • Encryption. ...
  • Backup. ...
  • Physical Access. ...
  • Firewalls.

What are the NIST password requirements?

NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it's recommended to allow a maximum password length of at least 64 characters.

What are 3 things you should avoid when creating passwords?

  • Don't use easily guessed passwords, such as “password” or “user.”
  • Do not choose passwords based upon details that may not be as confidential as you'd expect, such as your birth date, your Social Security or phone number, or names of family members.
  • Do not use words that can be found in the dictionary.

What are the six basic guidelines for creating strong passwords?

6 best practices to create strong passwords and keep your business accounts secure
  • Create long, complex, and unique passwords. ...
  • Sentences or phrases are better than single words. ...
  • Don't include personal information in your passwords. ...
  • Use two-factor authentication to render stolen passwords useless. ...
  • Encrypt stored passwords.
20 May 2021

What are 2 basic rules for passwords?

And once you finally select a password, its strength needs to observe these parameters: Length of the password – preferably over 12 characters. Complexity of the password – must contain letters (upper and lower case), numbers, and symbols and have a minimum number of each. Contain no repetitive characters.

What are the 5 basic security principles?

The Principles of Security can be classified as follows:
  • Confidentiality: The degree of confidentiality determines the secrecy of the information. ...
  • Authentication: Authentication is the mechanism to identify the user or system or the entity. ...
  • Integrity: ...
  • Non-Repudiation: ...
  • Access control: ...
  • Availability:
5 Jun 2022

What are the 6 elements in security?

The six atomic elements of Information Security, as defined by Donn B. Parker, are: Confidentiality, Possession or Control, Integrity, Authenticity, Availability, and Utility.

What is the number 1 most used password?

In collaboration with independent cybersecurity researchers evaluating a four-terabyte database, the company found 123456 was the most commonly used password in the world, with over 100 million instances of its use.

What are common password mistakes?

Using Any Personal Information In Passwords

Their own names should never be used, along with the names of their relatives, favorite celebrities, pets, friends, and so on. Even something as simple as a college mascot shouldn't be used, as it's relatively easy to find out this kind of information.

How long does it take a hacker to crack an 8 digit password?

The findings suggest that even an eight-character password — with a healthy mix of numbers, uppercase letters, lowercase letters and symbols — can be cracked within eight hours by the average hacker.

Which is the hardest password in the world?

Combine partial unrelated words together. Combine parts of 2, 3 or even 4 unrelated words (mixing uppercase and lowercase); for example, combine “Diamond”, “Blog” and “Security” to become “DiamBloSecu”.

What are the 7 best practices?

Seven HR best practices
  • Providing security to employees.
  • Selective hiring: Hiring the right people.
  • Self-managed and effective teams.
  • Fair and performance-based compensation.
  • Training in relevant skills.
  • Creating a flat and egalitarian organization.
  • Making information easily accessible to those who need it.

What are the 4 P's in security?

In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, policies, and technologies.

What are the 7 principles of security?

Security by Design: 7 Application Security Principles You Need to Know
  • Principle of Least Privilege. ...
  • Principle of Separation of Duties. ...
  • Principle of Defense in Depth. ...
  • Principle of Failing Securely. ...
  • Principle of Open Design. ...
  • Principle of Avoiding Security by Obscurity. ...
  • Principle of Minimizing Attack Surface Area.

What is a passing NIST score?

A NIST 800-171 compliance partner will help optimize your preparedness for NIST 800-171 assessments, ensuring you achieve a NIST 800-171 passing score—ideally a perfect 110.

What are the 5 pillars of NIST?

The five domains in the NIST framework are the pillars that support the creation of a holistic and successful cybersecurity plan. They are identify, protect, detect, respond, and recover.

What are the NIST 800-53 password requirements?

NIST 800-53 (Moderate Baseline)

A minimum of eight characters and a maximum length of at least 64 characters. The ability to use all special characters but no special requirements to use them. Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).

What are the four types of password attacks?

The most common attack methods include brute forcing, dictionary attacks, password spraying, and credential stuffing. Brute forcing is the attempt to guess a password by iterating through all possible combinations of the set of allowable characters.

What type of password is most secure?

How To Choose a Strong Password
  • Use a mix of alphabetical and numeric characters.
  • Use a mixture of upper- and lowercase; passwords are case sensitive.
  • Use symbols if the system allows (spaces shouldn't be used as some applications may trim them away)

What should a password not include?

Choosing a strong password
  • be at least 8 characters long (preferably 12)
  • include a combination of upper- and lower-case letters.
  • include some numbers and keyboard symbols such as & or !
  • not include personal information, such as your name, any usernames, your date of birth, or any family member's details.
20 Sept 2022

What is the most important factor for password strength?

Considerations on password length and complexity are key in the quest for the ideal password. Complexity is often seen as an important aspect of a secure password. A random combination of alphanumeric characters and symbols intuitively seems like the best defense against cracking.

What does 8/12 characters mean in a password?

This means that your password must be at least 8 alphanumeric characters long and at most 12 alphanumeric characters long. The term 'alphanumeric' here covers upper-case and lower-case letters, numbers, and special characters (such as @, #, $ etc.).

What is an example of a strong password made in easy 5 steps?

Use a combination of uppercase letters, lower case letters, numbers, and special characters (for example: !, @, &, %, +) in all passwords. Avoid using people's or pet's names, or words found in the dictionary; it's also best to avoid using key dates (birthdays, anniversaries, etc.).

What are 3 types of password cracking methods?

Six Types of Password Attacks & How to Stop Them
  • Phishing. Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. ...
  • Man-in-the-Middle Attack. ...
  • Brute Force Attack. ...
  • Dictionary Attack. ...
  • Credential Stuffing. ...
  • Keyloggers.

What are the 3 P's of security?

The day-to-day playbook for security boils down to the 3Ps: protect, prioritize, and patch. And do all three as best and fast as possible to keep ahead of adversaries and cyber threats.

What are the 3 A's in security?

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

What are the 3 golden principles of information security?

The basic tenets of information security are confidentiality, integrity, and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad.

What are the 8 components of a security plan?

Here are eight critical elements of an information security policy:
  • Purpose. ...
  • Audience and scope. ...
  • Information security objectives. ...
  • Authority and access control policy. ...
  • Data classification. ...
  • Data support and operations. ...
  • Security awareness and behavior. ...
  • Responsibilities, rights, and duties of personnel.
19 Apr 2021

What are the 5 phases of the security life cycle?

Like any other IT process, security can follow a lifecycle model. The model presented here follows the basic steps of IDENTIFY – ASSESS – PROTECT – MONITOR. This lifecycle provides a good foundation for any security program.

What are the 4 most common passwords?

Top 10 most common passwords
  • Password.
  • 123456.
  • 123456789.
  • 12345678.
  • 1234567.
  • Password1.
  • 12345.
  • 1234567890.
1 Sept 2022

What are the four (4) cybersecurity protocols?

Four security protocols to protect the new normal, a hybrid...
  • Access Control.
  • Authentication.
  • Information Protection.
  • Automated Monitoring.
16 Mar 2022

What are the 4 security domains?

The Security Domains

Access Control. Telecommunications and Network Security. Information Security Governance and Risk Management.

What is the strongest 4 digit password?

Nearly 11% of the 3.4 million passwords are 1234. That is 374,000! It was found more often than the lowest 4,200 codes combined. The second most popular 4-digit PIN is 1111 at almost 6% (204,000).

What is the number 1 used password?

In 2022, "guest" overtakes "123456” as the most used password in the U.S., according to NordPass. Last year's winner, "123456," also seems to be retaining favor, finishing in second place. Globally, the most common password this year is “password.”

What are the 5 C's of cyber security?

The five C's of cyber security are five areas that are of significant importance to all organizations. They are change, compliance, cost, continuity, and coverage. The top priority of organizations everywhere is having security that protects their digital and physical assets.

What are the 5 key principles of cyber security?

Cyber security design principles
  • Establish the context before designing a system. ...
  • Make compromise difficult. ...
  • Make disruption difficult. ...
  • Make compromise detection easier. ...
  • Reduce the impact of compromise.

What are the 5 cyber safety rules?

8 Habits to Stay Cyber-Safe
  • Think twice before clicking on links or opening attachments. ...
  • Verify requests for private information. ...
  • Protect your passwords. ...
  • Protect your stuff! ...
  • Keep your devices, browsers, and apps up to date. ...
  • Back up critical files. ...
  • Delete sensitive information when it's no longer needed.

What are the 3 D's of security?

That is where the three D's of security come in: deter, detect, and delay. The three D's are a way for an organization to reduce the probability of an incident.

What are the 3 major aspects of security?

There are three primary areas or classifications of security controls. These include management security, operational security, and physical security controls.

What are the six pillars of security?

Six Pillars of Cloud Security
  • Secure Access Controls. A good security framework starts by implementing secure Identity Access Management (IAM) protocols. ...
  • Zero-Trust Network Security Controls. ...
  • Change Management. ...
  • Web Application Firewall. ...
  • Data Protection. ...
  • Continuous Monitoring.
13 Jul 2021

What are the 6 types of security?

What are the 6 types of security infrastructure systems?
  • Access Controls. The act of restricting access to sensitive data or systems enables your enterprise to mitigate the potential risks associated with data exposure. ...
  • Application Security. ...
  • Behavioral Analytics. ...
  • Firewalls. ...
  • Virtual Private Networks. ...
  • Wireless Security.
22 Feb 2022


Article information

Author: Francesca Jacobs Ret

Last Updated: 02/11/2023
