3 Key Elements of the NIST Password Requirements

Reasons Why NIST Password Requirements Should Drive Your Password Strategy

Despite doubters claiming that passwords will go the way of overhead projectors, passwords are still prevalent. They are still the backup factor for most other authentication solutions and show no sign of extinction because every organization has a password-supported infrastructure in place. Fortunately, the National Institute of Standards and Technology (NIST) has invested time and research to develop NIST password standards (NIST SP 800-63 Digital Identity Guidelines) that can reduce user friction and improve password policy.

It is long overdue for organizations to rethink how they approach password security policy. This includes screening passwords to ensure users are not selecting weak ones, using automation to check whether a good password becomes exposed, and ending the reliance on enforced password resets to mitigate the risk of a breach.

The Verizon DBIR reported that 61 percent of breaches involved credential data, and indicated that businesses surveyed across every industry experienced a median of over 1 million credential stuffing attempts during the past year.

Businesses need to accept that while the archaic password expiration practice may check a compliance box, it can still leave them exposed. The latest NIST password guidelines provide clarity on a modern approach that will address organizations’ concerns and be less onerous for employees.

So, what should organizations do when it comes to password security?

3 Key Elements of the NIST Password Requirements

There are a few key NIST password requirement recommendations that companies should adhere to that will mitigate their risk:

1- End the random algorithmic complexity.
Stop enforcing unnecessary password complexity requirements for accounts (a mix of special characters, numbers, and upper case letters). Unfortunately, research has shown that requiring complex passwords frequently results in weak passwords. 

The reason? Many users will just substitute a letter with a number, and attackers know the most common substitutions that people use. Leetspeak is one example: 1 replaces i or l, 0 replaces O, and so on. Requiring complex passwords alone doesn’t provide the security you need. Instead, create a strong password. Password length is still, character for character, more important for security than password complexity. The longer the password, the more difficult (mathematically) it becomes to crack.

2- Remove periodic password reset requirements.
This is one of the biggest frustrations for employees who are forced to change their passwords multiple times per year. Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their passwords regularly. They tend to make simple, predictable changes — and bad actors quickly learned those patterns.

Microsoft also agrees that there is no point in forced password changes and will be removing that recommendation from its security recommendations.

3- Make daily screening of new passwords against lists of common or compromised passwords mandatory.
Password screening (aka password filtering or monitoring) is a critical step that organizations must factor into their cybersecurity strategy. Without it, you run the risk of having a process in place that ensures new passwords are strong and unique but fails to check if these new passwords are compromised. Even a 30-character strong complex password can be weak if it is compromised. We believe that the ongoing screening of passwords against compromised lists should be mandatory.

You shouldn’t drive a car every day without working brakes, and you shouldn’t take the same risk with employee passwords. Be safe.
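The three recommendations above can be combined into one screening check. The following Python is an added example, not code from this post or from Enzoic: it enforces length only (no composition rules) and rejects passwords that match a blocklist directly or after undoing leetspeak substitutions and trailing padding. The minimum length of 8, the sample blocklist, the substitution table and the function names are all assumptions made for illustration.

```python
import hashlib
import itertools
import unicodedata

MIN_LENGTH = 8  # assumed policy minimum; set to your own value
PADDING = "0123456789!@#$%^&*?."  # characters users commonly append

# Constructed sample blocklist. A real one is built from breach corpora
# and common-password lists, and is refreshed continuously.
_SAMPLE = ["password", "welcome", "qwerty", "letmein",
           "correct horse battery staple 2019"]
# SHA-1 is only the lookup-key format here, not a way to store passwords.
BLOCKLIST = {hashlib.sha1(p.encode()).hexdigest() for p in _SAMPLE}

# Common leetspeak substitutions; "1" is ambiguous (i or l).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}


def candidates(password):
    """Yield the normalized password and its de-leeted variants,
    with and without trailing digit/symbol padding."""
    base = unicodedata.normalize("NFKC", password).lower()
    yield base
    for form in {base, base.rstrip(PADDING)}:
        options = [LEET.get(ch, ch) for ch in form]
        if sum(len(o) > 1 for o in options) > 8:  # bound the expansion
            continue
        for combo in itertools.product(*options):
            yield "".join(combo)


def screen_password(password, blocklist=BLOCKLIST):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    for cand in candidates(password):
        if hashlib.sha1(cand.encode()).hexdigest() in blocklist:
            reasons.append("matches common or compromised password")
            break
    return reasons
```

`P@ssw0rd1!` satisfies a classic complexity rule yet is rejected here, while a long passphrase with no digits or symbols is accepted unless it appears on the list. Running the same check on a schedule against stored hashes of the blocklist format gives the ongoing screening described in item 3.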

By adopting the NIST password standards, password security will no longer be a weak link for enterprises. If you want to future-proof your password policy to mitigate the risk of employee account takeover, then check out how Enzoic can help you.

