NIST, the National Institute of Standards and Technology, issues password guidelines that represent best practices for password security. NIST is an agency of the US Department of Commerce. It is a public body and, therefore, not biased by any specific commercial interest.
The NIST password guidelines have become a reliable source for those looking for best practices. However, those standards are in flux at the moment because the Institute is reassessing all of its recommendations. Another problem with the NIST standards is that they are difficult to understand: the kernel of important action points is buried in officious terminology and government procedural formatting.
To cut through the confusion, we have produced a definitive guide to implementing secure passwords and we have written these guidelines in clear, plain English.
Here is the summary of points that you should be implementing now in your password policy:
- Block password reuse.
- Screen for common passwords.
- Drop the requirement for special characters.
- Allow all characters, including spaces.
- Allow copy and pasting of passwords.
- Drop enforced password rotation.
- Lengthen password fields.
- Let the user see the password, limit attempts, and don’t use hints.
- Use 2FA – SMS is OK.
These are the top guidelines of the current NIST password recommendations. The reasoning behind each of these key points and how you should implement them is explained in the following sections.
1. Block password reuse
This recommendation has two meanings.
- Users shouldn’t choose the same password used for other logins.
- Users shouldn’t flip-flop between two passwords.
In truth, everyone has difficulty remembering a lot of passwords for all of the places that require a login in the modern world. To avoid the danger of being locked out, people use one password in all situations.
The problem with the constant use of the same password in all systems is that login credentials are often tied to the user’s email address. Even though many people have more than one email account, the average number of email accounts per person is still relatively low – currently about 1.75 accounts per person.
Even those people who have many email accounts tend to use one email account overwhelmingly more frequently than others. This situation makes it easy for hackers to track users across systems. This is particularly the case where the email address is used as the account username. So, if a hacker discovers the password of a user on one system, it is very easy to feed that into automated access attempt software for other systems.
Use password screening services that check for password commonality across systems to prevent the users of your authentication process from using the same passwords that they use in other systems.
In truth, this is difficult to implement because you aren’t going to be able to see the passwords that your users employ everywhere in the world. However, as part of your user education effort, make the originality of the password that they use for your system a key recommendation.
Password reuse within your system is a lot easier to block. Password reset systems often check that the user’s current password and the new password that they request are not the same. This strategy is easy for software systems to enforce because they just require the user to enter their old password in one field and the new password in another field on the same screen. Straightforward pattern matching identifies a repeated password.
Because user credentials are now required for everything, every account holder on your system has become an expert in the creation of passwords, and they all know how to trick the system. They will cycle between two passwords that are very similar – often with just the addition of an extra character at the end.
Rather than using a password checking system that only compares the requested new password with the user’s current password, use systems that blacklist every previous password employed for that account.
The ban on any repetition gives you a better chance that users will be forced to think up a completely new password that they haven’t used anywhere else.
The password uniqueness process should not only check that the requested password is different from all previously used passwords but that it is substantially different. There shouldn’t be any reuse of parts of passwords. That prevents users from varying passwords by just one or two characters.
Users will continue to employ compromised passwords for other systems even when they have been informed that the particular password has been compromised. NIST recommends that system administrators subscribe to a list of compromised passwords and perform regular sweeps to catch recently compromised passwords.
2. Screen for common passwords
Another coping strategy that many users deploy in order to remember lots of different passwords is to use straightforward, memorable passwords. These might be:
- Culturally common words or phrases
- Words related to the user’s hobbies
- Words or codes related to the system that the account is held on
- Words related to the username
An easy way to prevent this strategy is to check passwords against a dictionary. If you run a multinational system, the dictionary you use will need to relate to the language of the user.
Clearly, the password shouldn’t be a repetition of the username and also shouldn’t contain the username or be part of the username.
Passwords that are adapted to the system or the user’s identity are particularly easy to crack and passwords that include the word “password” should be at the top of your blacklist – MyPassword, APassw0rd, DavePassword, IBMPassword, Passw0rd!, etc.
The easiest way to shut down the use of common words in passwords through an automated process is to adapt the NIST recommendation of using a compromised password feed. Rather than applying a list of passwords that have been cracked elsewhere only to the particular user they belonged to, scan for any password, or part of a password, that has been cracked anywhere. Apply that blacklist to each user regardless of whether the compromised password was deployed by that user. That will automatically block the use of all common words.
3. Drop the requirement for special characters
This NIST recommendation is a surprise to many and causes consternation because the enforcement of special character inclusion is part of the standard procedures of most current off-the-shelf password strength testers.
The reason for this new rule is that just making the user put one special character somewhere in the password doesn’t provide any security at all. Hackers have studied human behavior and they know all of the standard tricks that ordinary people use in order to comply with the special character requirements while still producing a crackable password.
The exclamation mark (!), for example, produces particularly weak passwords while fooling most password strength testers. It is not difficult at all for password cracking software to try a password, then try the same password with an exclamation mark on the end, and then try the password with the exclamation mark substituted for each l and then each i. That takes seconds.
The same recommendation also goes for the forced inclusion of numbers – hackers are ahead of that one, too. Zero substituted for o and one substituted for l makes cracking passwords easy. Combining the requirement for the inclusion of both a number and a special character is also useless – passw0rd! is extremely easy to guess, while being approved by a password strength checker.
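The checks described in points 1, 2 and 3 above, as an added example in Python that is not part of the original article: it normalises a candidate password (undoing the leet-speak and bolt-on-character tricks the text describes), rejects near-variants of the current password and exact repeats from the account’s history, and screens against the username and a blocklist, while imposing no special-character rule. The thresholds, the sample blocklist entries and the function names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8         # assumed floor; the field itself must accept 72+ characters and spaces
MIN_DISTANCE = 4       # assumed: fewer edits than this between normalised forms = "same password"
PBKDF2_ROUNDS = 100_000

# Substitutions that cracking tools try first (point 3); undoing them before any
# comparison means "Passw0rd!" is judged as "password", not as a "complex" string.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed sample blocklist; in production this is the compromised-password
# feed the article recommends plus words tied to your own system (point 2).
BLOCKLIST = {"password", "qwerty", "123456", "letmein", "welcome", "acmecorp"}


def normalize(pw: str) -> str:
    """Canonical form used for similarity and blocklist checks."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # bolt-on digits/symbols at either end (point 1)
    s = s.translate(LEET)                      # undo leet-speak
    s = re.sub(r"[^a-z0-9 ]", "", s)           # remaining punctuation adds nothing
    return re.sub(r"\s+", " ", s).strip()


def canon(pw: str) -> str:
    """Normalised form, falling back to the raw password for all-digit/symbol strings."""
    return normalize(pw) or pw.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new_pw: str, old_pw: str) -> bool:
    """Point 1: reject near-variants of the current password, not just exact repeats."""
    a, b = normalize(new_pw), normalize(old_pw)
    if not a or not b:
        return new_pw.lower() == old_pw.lower()
    return a in b or b in a or edit_distance(a, b) < MIN_DISTANCE


def history_entry(pw: str):
    """Store a salted slow hash of the canonical form so later variants are caught too.
    Guard these entries exactly as carefully as the live credential hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", canon(pw).encode(), salt, PBKDF2_ROUNDS)


def seen_before(pw: str, history) -> bool:
    """Point 1: blacklist every password previously used on the account."""
    c = canon(pw).encode()
    return any(hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", c, salt, PBKDF2_ROUNDS), digest)
               for salt, digest in history)


def check_new_password(username: str, new_pw: str, current_pw: str, history) -> list:
    """Return the reasons for rejection; an empty list means the password is accepted.
    Note what is deliberately absent: no digit or special-character requirement (point 3)."""
    reasons = []
    if len(new_pw) < MIN_LENGTH:
        reasons.append("too short")
    forms = {new_pw.lower(), canon(new_pw)}
    user = canon(username)
    if len(user) >= 3 and any(user in f or f in user for f in forms):       # point 2
        reasons.append("contains or is part of the username")
    if any(word in f for f in forms for word in BLOCKLIST):                 # points 2 and 3
        reasons.append("matches a blocked or compromised password")
    if too_similar(new_pw, current_pw):                                     # point 1
        reasons.append("too similar to the current password")
    if seen_before(new_pw, history):                                        # point 1
        reasons.append("used before on this account")
    return reasons
```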
4. Allow all characters, including spaces
The ban on spaces in passwords is illogical. Memorable phrases are much harder to crack than memorable words or even memorable words with special characters and numbers in them.
The main problem with memorable phrases is that they are also harder to check for password strength. However, using the recommended strategy of scanning for a match to compromised passwords should filter out well-known quotes as the wider system administrator community adopts the strategy of allowing spaces.
NIST’s policy revision stems from the recognition that current restrictions on password composition haven’t resulted in password variety. Instead, they have created a convention of commonly used tricks because, even operating independently, everyone’s brain works the same way. So, universal rules applied to everyone eventually result in universal solutions. Greater restrictions result in a smaller pool of possible solutions. Thus, tightening restrictions creates an easier job for hacker password-cracking tools.
5. Allow copy and pasting of passwords
Previous NIST recommendations advised against allowing values to be pasted into password fields. However, as the new NIST strategy is to encourage diversity by discouraging users from resorting to common password tricks, this is an important restriction to remove.
One unfortunate consequence of allowing pasting is that users will keep a file that lists system credentials. However, discouraging them from doing that also discourages them from using impossible-to-remember passwords.
Although plain text files with lists of credentials can be a security risk, in a way, they are a form of two-factor authentication because at least the user has to have physical access to the device that stores the file. Most professional hacker groups operate worldwide and work with automated password cracking systems. They don’t bother to steal the laptops of every Yahoo Mail user.
Very high-security systems, such as national defense agencies should continue to take steps to prevent users from keeping their own password files. However, that rule can be enforced by other methods, such as the threat of sacking or criminal charges. For most systems, a user-owned password file isn’t a serious security breach.
6. Drop enforced password rotation
Frequent demands for password resets encourage users to reuse passwords, vary the same password slightly by adding or moving numbers and special characters and use passwords that they also use on other systems. In short, frequently forced password rotation is the cause of the bad practices and tricks that need to be blocked – as explained in points 1, 2, 3, and 4, above.
7. Lengthen password fields
The standard eight-character password allowance is based on the expectation that users should create an actual word. However, as explained above, passphrases are much better for security and so lengthening the credentials field to at least 72 characters together with the permission to use spaces will encourage users to create phrases rather than words.
8. Let the user see the password, limit attempts, and don’t use hints
The biggest threat to system security is from international hackers, rather than nearby individuals. A shoulder surfer could look over and see the password that a user enters into a mobile device in a public place. However, if anyone is so close that it is possible to read the small display on the screen, that person would also be close enough to see which letters the user presses on the on-screen keyboard, so obscuring the password isn’t much of an advantage.
Although automated password cracking is a bigger threat than individual attacks, some users are targeted, so password hints speed up password guessing for a miscreant who is “doxing” a particular individual.
The three-strikes rule works very well as protection against password guessing techniques that cycle through special-character and number substitutions.
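A per-account attempt limiter implementing the three-strikes rule from point 8, as an added example not taken from the article. The lockout and window durations and the names are assumptions made for the demonstration; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3        # the article's three-strikes rule
LOCKOUT_SECONDS = 900   # assumed cool-down once the third strike lands
WINDOW_SECONDS = 3600   # assumed: failures older than this no longer count


class AttemptLimiter:
    """Tracks failed logins per account and locks the account after MAX_FAILURES.
    Consult is_locked() *before* verifying the password, so a locked account
    never reaches the password check at all."""

    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock, for tests
        self._failures = defaultdict(list)    # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self._now()

    def remaining_attempts(self, account: str) -> int:
        """Strikes left inside the current window (0 while locked)."""
        if self.is_locked(account):
            return 0
        return MAX_FAILURES - len(self._recent(account))

    def record(self, account: str, success: bool) -> bool:
        """Update state after an authentication attempt; returns True if the
        account is locked as a result."""
        if success:
            self._failures.pop(account, None)   # a good login clears the strikes
            self._locked_until.pop(account, None)
            return False
        recent = self._recent(account)
        recent.append(self._now())
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            self._failures[account] = []        # lock expiry starts a fresh count
            return True
        return False

    def _recent(self, account: str) -> list:
        now = self._now()
        return [t for t in self._failures[account] if now - t < WINDOW_SECONDS]


def authenticate(limiter: AttemptLimiter, account: str, password_ok: bool) -> str:
    """Outcome of one login attempt: 'ok', 'denied' or 'locked'.
    password_ok stands in for the result of the real credential check."""
    if limiter.is_locked(account):
        return "locked"
    if limiter.record(account, password_ok):
        return "locked"
    return "ok" if password_ok else "denied"
```

A hard lock also lets anyone who knows a username freeze that user out by failing on purpose, so many deployments escalate delays or add a challenge after the third strike instead of a fixed lockout.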
9. Use 2FA – SMS is OK
Two-factor authentication is a major recommendation of the latest NIST standards. One problem in this area is the scare stories about security weaknesses in the use of mobile devices as the physical element of authentication.
Although SMS-based authentication systems are fallible, the industry has found a way to strengthen the physical identification of mobile devices used for 2FA. That is, the SMS or push message requires not only the telephone number but also the identity of the device. This requirement has got around the problems of spoofing and cloning that undermined the value of mobile devices for the use of 2FA.
Implementing NIST recommendations
The easiest way to ensure that you have integrated all of the best practices for password security is to implement the NIST recommendations. The latest NIST recommendations are called SP 800-63B. This list of recommendations was first published in 2017 and has since been updated several times. So, you need to look for Identity and Access Management Systems that follow NIST SP 800-63B Revision 3, also written as SP800-63B-3 – unfortunately, dashes, spaces, and capitalization vary from publication to publication.
Using password management systems
Fortunately, there are some password management systems available that are aware of the latest NIST recommendations and have integrated them.
- ManageEngine ADSelfService Plus (FREE TRIAL): This password management system for Active Directory has been made fully compliant with SP800-63B Revision 3 through the revamp of its 2FA services. Access the 30-day free trial.
- N-able Passportal: This password service discusses NIST SP800-63B Revision 3 in a blog post and declares that its services integrate these requirements. You can register and arrange for a demo.
- Specops Password Policy: This password management system includes all of the recommendations of SP800-63B Revision 3. It integrates into Active Directory so you don’t need to completely trash and rebuild your current access rights management system in order to upgrade to the new standards.
- Password RBL: Password RBL is a password blacklisting service that integrates with Active Directory. This implements a major recommendation in the NIST SP800-63B publication on blocking compromised password reuse.
- SaaSPass: This is a cloud-based 2FA system that integrates with a long list of applications. It is fully compliant with NIST SP800-63B recommendations.
- Okta: Offers a menu of IAM solutions from its cloud platform, and they are all compliant with NIST SP800-63B Revision 3.
Beef up or bolt-on
You probably already have a well-established password management system that you’re happy with. As your IAM provider is closely involved in password security issues, it is very likely that it has already implemented SP800-63B. However, it doesn’t hurt to check.
It might be that NIST-compliant password security features are only offered with your current provider if you upgrade. If not, it could be worth considering adding on a specialist password management system or improving NIST-compliance by implementing 2FA or password blacklisting supplied by a provider other than your main IAM system vendor.
Above all, as a corporate system administrator, it is important to keep up to date with current password security issues. There is always new technology out there and that works for hackers as well as for businesses. Cybersecurity is the pursuit of a constantly moving goal.