Skip to main content

Back to Blog

Checking Compromised Credentials: Looking Closer at NIST Password Guidelines

The most recent updates to NIST’s password guidelines, as detailed in NIST Special Publication 800-63B, represent a significant and welcomed shift in the field of cybersecurity. These changes have been made in response to evolving password attack methods and current research insights. Understanding these password recommendations is crucial for organizations looking to protect their environment and adhere to current standards for password management.

The National Institute of Standards and Technology (NIST) revised guidelines advocate for a proactive approach to password security. They recommend that new passwords be rigorously vetted against a list of commonly used, expected, or previously compromised passwords. This step is designed to prevent the selection of common passwords that are already compromised or could be easily cracked using widely available cracking dictionaries. By implementing this strategy at the stages of account creation and password resetting, organizations and federal agencies can significantly reduce the risk of authentication-related data breaches by cybercriminals.

Proactive Password Security Measures

One potential solution is to periodically reevaluate user passwords at the point of login, instead of enforcing routine password resets. This approach is feasible since, outside of login attempts, passwords are sometimes stored as salted one-way hashes, making them inaccessible for regular checks. While this method could offer better defense against compromised credentials, it’s important to consider the balance between user convenience, functionality, and security risk.

Another strategy involves verifying full credentials- the entire username and password combination- at each login. If a specific combination is found on a list of compromised credentials, it could indicate one of two scenarios: either the user’s authenticator has been compromised without their knowledge, or the user has reused their credentials on another site that has subsequently been compromised. Studies suggest that password reuse is alarmingly common, occurring in 43-51% of cases. Despite NIST’s clear stance against password reuse, effectively enforcing this policy remains a challenge in preventing the reuse of weak passwords.

The identification of compromised username and password pairs is critical, as it essentially indicates a severe vulnerability in the password layer, significantly increasing the risk of user account hijacking and unauthorized access by hackers. Therefore, understanding and identifying such vulnerabilities is paramount in maintaining robust security and ensuring adequate password strength.

Advanced Security Limitations and Why Checking Compromised Credentials Matter

In addition to these specific practices, there are advanced security measures involving heuristic rules and adaptive authentication methods, which use artificial intelligence to calculate a risk score. These methods, however, can produce a mix of false positives and negatives. In contrast, the detection of compromised user credentials in real-time provides a more definitive form of protection, as it identifies a clear vulnerability requiring immediate attention.

The integration of these NIST Digital Identity Guidelines into an organization’s security strategy is essential in mitigating potential cyberattacks. They offer a more nuanced and effective approach to password security and password requirements, moving away from outdated practices and embracing a more informed and strategic stance. By understanding and implementing these guidelines, organizations can significantly enhance their cybersecurity risk management and promote the use of strong passwords.


If you’re looking to seamlessly integrate NIST guidelines into your systems, consider exploring this by requesting a free trial of Enzoic today.