The NIST (National Institute of Standards and Technology) works with federal agencies to set their security and password standards. They help organizations and businesses meet security and regulation requirements for regulations like HIPAA.
Since 2017, NIST has been continuously revising its password guidelines. These revisions stem from recognizing human factors that lead to security vulnerabilities, such as being forced to use special characters or change their password every few months. Many of these requirements were initially thought to improve security. However, the result was the complete opposite of what they intended.
These new requirements and recommendations seek to rectify these security-weakening situations brought on by unnecessarily complicated password processes.
NIST Password Requirements
Make passwords at least eight characters long.
The fewer characters a password uses, the less secure that password is.
Only change passwords if your account gets compromised.
If you force users to change their passwords often, they will choose weaker passwords they can easily remember (and hackers can easily crack).
Screen new passwords against a list of compromised passwords.
Skipping this step will set you up to think you are using secure passwords when, in reality, these passwords are already compromised. Your organization needs to make the ongoing screening of passwords mandatory.
Skip security questions and password hints.
With enough research on a person through their public records, anyone with the motivation and tools can figure out the answers to someone’s security questions. Also, password hints help you remember your password, but they also help potential hackers slip past your defenses.
Limit the number of allowable failed attempts.
Without setting hard limits on failed attempts, hackers could theoretically make countless attempts to crack your security. If they have enough information to make reasonable guesses to your password, they will eventually make it through unless the system allows only for a few failed attempts.
NIST Recommended Best Practices
Allow passwords up to 64 characters or longer.
The more characters a password uses, the more secure that password is. This extended length would allow users to utilize passphrases, a sequence of (preferably) unrelated words. This password length will enable users to create passwords that are easy to memorize and hard to crack.
Skip character composition and special character requirements; they burden the end-users and provide no benefit.
Requiring complex characters has, counterintuitively, results in weaker passwords, as most users will substitute a letter with a number (such as using “1” in place of “i.”)
Allow users to copy and paste their passwords into password managers.
Originally, NIST was against allowing for copying and pasting of passwords. However, with the widespread adoption of password managers, NIST reversed this recommendation. Copying and pasting passwords will enable people to create near uncrackable passwords and not manually type them in.
NIST Guidelines for Compromised Passwords
Thanks to the fact that we reuse passwords, hackers have an unlimited supply of username and password combinations to gain access to many accounts. When you reuse your usernames and passwords, you run the risk of hackers gaining access to more accounts and stealing more of your data.
Organizations should use password blacklists to prevent their workers from using compromised password combinations. Password lists can include the following:
- Passwords taken in previous breaches
- Dictionary words
- Repetitive characters
- Sequential characters
- Context-specific characters
Password logins will be the defacto standard for many years to come, and we must do what is necessary to mitigate risks brought on by compromised passwords. Your first line of data security is your password; follow these recommendations to make our passwords as secure as possible.