Would you like to protect your online accounts and data from hackers and cyberattacks? Do you want to avoid the hassle and frustration of forgetting or resetting your passwords? Do you want to follow the best practices and standards for password security and management?
If you answered yes to any of these questions, then you need to know about the NIST Password Guidelines. These are the official recommendations from the National Institute of Standards and Technology (NIST), the US federal agency that sets the standards for cybersecurity and technology.
In this article, you will learn:
- What are the NIST Password Guidelines and why do they matter
- What are the key recommendations from the NIST Password Guidelines
- How to create and manage strong passwords according to the NIST Password Guidelines
- How to benefit from following the NIST Password Guidelines
- How to be compliant with the NIST Password Guidelines
What Are the NIST Password Guidelines and Why Do They Matter
The NIST Password Guidelines are a set of rules and best practices for creating and managing passwords. They were first published in 2017 as part of the NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management.
The NIST Password Guidelines are based on the latest research and evidence on password security and usability. They aim to provide a simple and effective way to create and manage passwords that are both strong and easy to remember.
The NIST Password Guidelines matter because they reflect the current state of the art in password security and management. They also influence the policies and practices of many organizations and websites that require passwords for authentication.
By following the NIST Password Guidelines, you can ensure that your passwords are secure and compliant with the industry standards. You can also improve your user experience and reduce the risks and costs associated with password breaches and incidents.
What Are the Key Recommendations From the NIST Password Guidelines
The NIST Password Guidelines have several key recommendations for creating and managing passwords. Here are the main ones:
- Use long and random passwords
- Allow all characters
- Do not use password hints
- Do not use KBA
- Use a blocklist to check prospective passwords against it
- Offer guidance in choosing a strong password
- Limit the number of failed password attempts
- Do not enforce composition rules
- Do not expire passwords
- Allow the use of password managers
- Facilitate password entry
- Ensure secure password transmission
- Secure passwords by hashing and salting them
Use long and random passwords
The NIST Password Guidelines recommend using passwords that are at least 8 characters long for user-generated passwords and at least 6 characters long for machine-generated passwords. They also suggest that users should be able to create passwords up to 64 characters long. The longer and more random your password is, the harder it is for hackers to guess or crack it.
Allow all characters
The NIST Password Guidelines advise allowing all ASCII and Unicode characters, including emojis and spaces, in passwords. This way, users can have more freedom and creativity in choosing their passwords, and also increase the entropy and diversity of their passwords.
Do not use password hints
The NIST Password Guidelines advise against using password hints, such as “It’s your favorite color”. They state that password hints are often insecure, as they can reveal information about the password or the user. They also note that password hints can be useless, as users may forget them or change their preferences. Users should not depend on password hints for remembering their passwords.
Do not use KBA
The NIST Password Guidelines discourage using knowledge-based authentication (KBA) to choose passwords. Indeed, passwords chosen based on KBA questions, such as “What is your dad’s second name?” are often easy to guess or even publicly available. So, if your password contains your dad’s second name, hackers can easily infer it from your social media accounts, for example.
Use a blocklist to check prospective passwords against it
When setting a password, check the prospective password against a blocklist of values that are expected, commonly used, or compromised. The NIST Password Guidelines then give a few examples of blocklist rules, but it is important to note that these rules are only examples. For instance, NIST says that one of the rules could be disallowing repetitive or sequential characters. This might seem to contradict another NIST password guideline, which says that systems should not impose composition rules, such as prohibiting consecutively repeated characters. So, a password like ‘TGREhuH#$HG4$$$$$$$$grewgrwg4wg’ should not be rejected solely because it contains many consecutive repetitions of the ‘$’ character: the guidelines advise against composition rules that reject passwords based on their structure or the types of characters used. On the other hand, a password like ‘password11111’ should be rejected, as it is common and compromised and therefore likely to be on the blocklist.
Blocklist example rule #1: Check passwords against breach databases
The NIST Password Guidelines suggest checking prospective passwords against databases of known compromised passwords, such as the one maintained by Have I Been Pwned. If a password matches a breached password, it should be rejected and the user should be asked to choose another one. This can prevent users from using passwords that have been exposed or leaked in previous incidents.
Blocklist example rule #2: Do not use dictionary words
The NIST Password Guidelines recommend not using dictionary words in passwords. This is because hackers can easily check against such words through dictionary lookup or exhaustive search.
Blocklist example rule #3: Prevent sequential and repeated characters
The NIST Password Guidelines suggest preventing users from using passwords that contain sequential characters (e.g., “1234”) or repeated characters (e.g., “aaaa”). These passwords are easy to guess and often used by default or by mistake. Users should be encouraged to choose passwords that are more varied and complex.
Blocklist example rule #4: Do not use context-specific words
The NIST Password Guidelines recommend not using context-specific words, such as the name of the service or the individual’s username, in passwords. This is because context-specific words are easy to guess. Moreover, context-specific words can increase the risk of password reuse, as users may use the same password for different accounts or services. Users should avoid using words that are related to the context of their passwords.
Offer guidance in choosing a strong password
Systems should guide users in creating strong, secure passwords, particularly when a user’s initial password choice is rejected for being too weak or compromised. This could be in the form of password strength meters, tips on creating a strong password, or other forms of guidance. It is especially important to guide the user towards creating a stronger password if their initial choice is weak. Otherwise, the user might make minor modifications to the rejected password (which would likely still be weak). For example, if a user tries to use “password” as their password and it is rejected, they should be discouraged from simply changing it to “password1” or “Password”, as these are also weak and easily guessable.
Limit the number of failed password attempts
The NIST Password Guidelines recommend implementing a mechanism that limits the number of times a user can unsuccessfully attempt to authenticate (i.e., log in). NIST calls this a “rate-limiting mechanism”: a security measure that controls the rate at which a user can attempt to authenticate. This is typically done to prevent brute-force attacks, where an attacker tries to gain access by guessing the password through numerous attempts. In practice, this could mean that after a certain number of failed login attempts (for example, 5), the system temporarily locks the account or introduces a delay before the user can attempt to log in again. This helps to protect user accounts from unauthorized access.
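As an added illustration of the rate-limiting mechanism (example code, not Rublon's or NIST's), the limiter below keeps a per-account failure counter, starts a lockout after 5 failures, and doubles the lockout for each further failure up to a cap. Attempts made during a lockout are refused without running the password check at all, so they do not count as new failures and do not leak whether the guess was right. The threshold, the 30-second base delay, the one-hour cap, the in-memory store and the injectable clock are this example's assumptions.

```python
"""Failed-attempt rate limiter for a password verifier (added example)."""
import time

MAX_FAILURES = 5            # failures allowed before throttling starts (illustrative)
BASE_LOCKOUT_SECONDS = 30   # first lockout; doubles on every further failure
MAX_LOCKOUT_SECONDS = 3600  # cap so a targeted account is not locked out forever


class RateLimiter:
    """Tracks failed authentications per account. Clock is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account -> {"failures": int, "locked_until": float}

    def _entry(self, account):
        return self._state.setdefault(account, {"failures": 0, "locked_until": 0.0})

    def retry_after(self, account) -> float:
        """Seconds until the account may try again; 0 means an attempt is allowed now."""
        return max(0.0, self._entry(account)["locked_until"] - self._clock())

    def record_failure(self, account) -> float:
        """Count a failure and return the lockout length it triggered (0 if none yet)."""
        entry = self._entry(account)
        entry["failures"] += 1
        extra = entry["failures"] - MAX_FAILURES
        if extra < 0:
            return 0.0
        delay = min(BASE_LOCKOUT_SECONDS * (2 ** extra), MAX_LOCKOUT_SECONDS)
        entry["locked_until"] = self._clock() + delay
        return delay

    def record_success(self, account):
        """A successful login clears the counter and any lockout."""
        self._state.pop(account, None)


def attempt_login(limiter: RateLimiter, account: str, supplied: str, verify) -> str:
    """Return 'ok', 'bad_password' or 'locked'. verify(account, supplied) -> bool."""
    if limiter.retry_after(account) > 0:
        # Refuse before verifying: a locked-out attempt is neither counted nor checked,
        # so it tells the caller nothing about the password. Log it for monitoring.
        return "locked"
    if verify(account, supplied):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad_password"


if __name__ == "__main__":
    limiter = RateLimiter()
    check = lambda account, pw: pw == "correct horse battery staple"
    for guess in ["a", "b", "c", "d", "e", "correct horse battery staple"]:
        print(guess, "->", attempt_login(limiter, "alice", guess, check),
              f"(retry after {limiter.retry_after('alice'):.0f}s)")
```

The lockout state should live in shared storage (a database or cache) in a multi-server deployment, and the verifier should also throttle by source address, since per-account counters alone do not slow an attacker spreading guesses across many accounts.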
Do not enforce composition rules
According to NIST guidelines, systems should avoid imposing unnecessary password structure rules, such as mandating a mix of different character types or prohibiting repeated characters.
Do not expire passwords
The NIST Password Guidelines advise against expiring passwords or requiring users to change their passwords periodically. They argue that this practice does not improve security, but rather harms usability and encourages users to choose weaker passwords or reuse passwords across accounts. Instead, passwords should only be changed when there is evidence of compromise or when the user requests it.
Allow the use of password managers
NIST guidelines strongly recommend that systems should support the use of password managers. This is to make it easier for users to create and manage strong, unique passwords. To further aid this, systems should also allow users to paste their passwords directly into the password field, a feature commonly used by password managers. The use of password managers can significantly increase the chances of users opting for stronger and more secure passwords.
Facilitate password entry
The NIST guidelines suggest that systems should provide an option for users to see their password (the “memorized secret”) as they type it, instead of hiding it behind dots or asterisks. This can help users confirm they’ve entered their password correctly, especially if they are in a private location where their screen is unlikely to be seen by others. Additionally, systems may allow devices to briefly display each character as it is typed, a feature often found on mobile devices.
Ensure secure password transmission
According to the NIST guidelines, when a system is handling passwords, it should use secure and recognized encryption methods to protect the password data during transmission. This ensures that the password is kept safe while it is being sent from one place to another. Additionally, the system should use an authenticated protected channel, which is a secure communication pathway that verifies the identities of both the sender and receiver. This ensures that the password data is being sent to and received from the correct entities. These measures are crucial for preventing unauthorized access or tampering with the password data, providing resistance to eavesdropping (where an unauthorized party might intercept and read the data) and adversary-in-the-middle attacks (where an attacker might intercept and alter the data during transmission).
Secure passwords by hashing and salting them
Systems should store passwords in a form that is resistant to offline attacks. This is achieved by salting and hashing the secrets using a suitable password-hashing scheme. The purpose of these schemes is to make each password guess more expensive for an attacker who has obtained a hashed password file, thereby making the cost of a guessing attack high or prohibitive. Hashing is a process that transforms passwords into unreadable strings of characters, while salting is a process that adds random data to passwords to make them more unique and resistant to attacks. Hashing and salting can prevent hackers from accessing or reversing passwords in case of a data breach.
How to Benefit From Following the NIST Password Guidelines
By following the NIST Password Guidelines, you can benefit from several advantages, such as:
- Improved security. You can protect your online accounts and data from hackers and cyberattacks, and reduce the chances of identity theft, fraud, and other consequences of password breaches and incidents.
- Enhanced usability. You can create and manage passwords that are both strong and easy to remember, and avoid the hassle and frustration of forgetting or resetting your passwords.
- Increased compliance. You can follow the best practices and standards for password security and management, and meet the requirements and expectations of the organizations and websites that you use.
How to Be Compliant With the NIST Password Guidelines
If you want to enhance your password security and management even further, you can use Rublon MFA, a solution that is compliant with the NIST Password Guidelines and offers a free 30-day trial.
Rublon MFA offers the following features and benefits:
- User-friendly interface. You can easily set up and manage your Rublon MFA account and devices, and access your online accounts and services with a few clicks or taps.
- Seamless integration. You can integrate Rublon MFA with your existing password manager, such as the one offered by Bing, and enjoy a smooth and secure login experience.
- Flexible pricing. You can start with a free 30-day trial and then choose a plan that suits your needs and budget. You can also cancel or change your plan at any time.
- High security. You can protect your Rublon MFA account and devices with a strong master password and encryption. You can also monitor and control your login activity and devices, and receive security alerts and reports.
Start the NIST-compliant Rublon MFA 30-Day Trial today and enjoy top security.
Conclusion
The NIST Password Guidelines are the official recommendations from the National Institute of Standards and Technology (NIST) for creating and managing passwords. They are based on the latest research and evidence on password security and usability, and they aim to provide a simple and effective way to create and manage passwords that are both strong and easy to remember.
By following the NIST Password Guidelines, you can improve your password security and management, and benefit from improved security, enhanced usability, and increased compliance.
NIST Password Guidelines FAQ
What are the NIST password change requirements?
The NIST Password Guidelines have several key recommendations, such as using long and random passwords, allowing all characters, not using password hints, not using KBA, using a blocklist to check prospective passwords against it, offering guidance in choosing a strong password, limiting the number of failed password attempts, not enforcing composition rules, not expiring passwords, allowing the use of password managers, facilitating password entry, ensuring secure password transmission, and securing passwords by hashing and salting them.
Does NIST compliance require MFA?
According to the NIST Special Publication 800-63B, which provides technical guidelines for digital identity services, MFA is required for any authentication scenario that involves a high or very high level of assurance. This means that if the potential impact of a breach is moderate or severe, the system must use MFA to verify the user’s identity. For example, if the system handles sensitive or confidential data, such as personal information, financial records, or health records, MFA is required for NIST compliance.
Is it okay to use the same password in more than one application?
Reusing the same password for various applications, regardless of the password’s complexity, is a bad practice because it makes all the applications vulnerable to the same breach. There might be cases where team members can use common passwords for some applications (for instance, a development team might use the same password for a project management tool), but reusing passwords is a weak security practice – especially when applications handle sensitive data.
How long should a password be according to NIST?
According to the NIST Special Publication 800-63B, which provides technical guidelines for digital identity services, the minimum password length should be at least eight characters for user-generated passwords, and at least six characters for randomly generated passwords. However, the NIST also recommends that the password length should not be artificially limited and that users should be allowed to choose passwords that are as long as they want, up to at least 64 characters. Longer passwords are generally more secure and harder to guess or crack.
What are the NIST password complexity requirements?
The NIST password complexity requirements are based on the principle of entropy, which measures the unpredictability or randomness of a password. The NIST does not prescribe any specific rules for password complexity, such as requiring a mix of uppercase and lowercase letters, numbers, and symbols. Instead, the NIST suggests that passwords should have a minimum entropy of 10 bits, which means that there are at least 1024 possible combinations for the password. The NIST also advises that passwords should not contain any common or predictable patterns, such as keyboard sequences, dates, names, or dictionary words.
How often should passwords expire according to NIST?
The NIST does not recommend any fixed expiration period for passwords, such as every 90 days or every year. Instead, the NIST states that passwords should only expire when there is evidence of compromise, such as a breach, a leak, or a phishing attack. The NIST argues that forcing users to change their passwords frequently can lead to user frustration and poor password choices, such as reusing or modifying old passwords. The NIST also suggests that users should be encouraged to change their passwords voluntarily if they suspect that their passwords are weak or compromised.
What are the NIST password blacklist requirements?
The NIST password blacklist requirements are designed to prevent users from choosing passwords that are easily guessed or cracked, such as common passwords, compromised passwords, or passwords that match the user’s identity or account information. The NIST recommends that password systems should implement a blacklist of passwords that are prohibited for use and that the blacklist should be updated regularly with new sources of compromised passwords, such as data breaches or password dumps. Moreover, the NIST advises that the blacklist should include passwords that are derived from the user’s identity or account information, such as their username, email address, phone number, or personal details.
How should passwords be stored and transmitted according to NIST?
The NIST password storage and transmission requirements aim to protect passwords from unauthorized access or interception, such as by hackers, eavesdroppers, or insiders. The NIST requires password systems to store passwords in a hashed and salted form. This means that passwords are transformed into a random and unique string of characters using a one-way mathematical function and a random value. In addition to that, the NIST also requires that password systems should transmit passwords using a secure and encrypted channel, such as HTTPS or TLS, which means that passwords are scrambled and protected from being read or modified by anyone other than the intended recipient.
What are the benefits of following the NIST Password Guidelines?
The benefits of following the NIST Password Guidelines are manifold, both for users and for organizations. For users, following the NIST Password Guidelines can help them create and manage passwords that are strong, secure, and easy to remember, which can reduce the risk of password compromise, identity theft, or data loss. For organizations, following the NIST Password Guidelines can help them comply with various regulations and standards, such as FISMA or the Cybersecurity Framework, which can enhance their reputation, trust, and security posture. Moreover, following the NIST Password Guidelines can also improve the user experience and satisfaction, which can increase the adoption and retention of password systems.
How can I check if my passwords are compliant with the NIST Password Guidelines?
Various tools and services can help you check if your passwords are compliant with the NIST Password Guidelines, such as password checkers, password managers, or password auditors. These tools and services can analyze your passwords and provide feedback on their strength, entropy, complexity, and blacklist status. However, you should be careful when using these tools and services, and make sure that they are trustworthy, reputable, and secure. You should not share your passwords with any third-party tool or service unless you are confident that they will not store, transmit, or misuse your passwords. You should also use these tools and services as a guide, not as a guarantee, and always apply your judgment and common sense when creating and managing your passwords.