Skip to main content

Reasons Why NIST Password Requirements Should Drive Your Password Strategy

Despite the doubters claiming that passwords will go the way of overhead projectors, they are still prevalent. According to Enzoic’s 2023 Password Authentication Survey, the vast majority of organizations still rely on usernames & passwords for authentication. Additionally, they are still the backup factor for most other authentication solutions and show no sign of extinction because every organization has a password-supported infrastructure in place. Fortunately, the National Institute of Standards and Technology (NIST) has invested time and research to develop NIST password standards (NIST SP 800-63 Digital Identity Guidelines) that can reduce user friction and improve password policy.

It is long overdue for organizations to rethink how they approach password security policy. This includes screening user passwords to ensure they’re not selecting weak passwords, implementing a functionality to check if a good password becomes exposed using automation, and stopping reliance on enforced password resets to mitigate the risk of a data breach by hackers.

Verizon’s 2023 DBIR stated breach data showed that 40 percent of breaches resulted from stolen credentials. Typically, the stolen credential serves as the entry point, enabling further compromise through the exploitation of vulnerabilities like privilege escalation or the deployment of malware.

Businesses need to accept that while the archaic password expiration practice may check a compliance box for legacy standards, it can still leave them exposed. The latest NIST password guidelines provide clarity on a modern approach that will address organizations’ and federal agencies’ concerns and be less onerous for employees.

So, what should organizations do when it comes to password security?

Here are the 3 Key Elements of the NIST Password Requirements

There are a few key NIST password recommendations that companies should adhere to that will mitigate their risk:

1- End the random algorithmic complexity.
Stop enforcing unnecessary password complexity requirements for user accounts (a mix of special characters, numbers, lower case letters, and upper case letters). Unfortunately, research has shown that requiring complex passwords and passphrases frequently results in weaker passwords. 

The reason? Many users will just substitute a letter with a number, and attackers know the most common ones that people use. For example, using leetspeak substitution where 1 replaces i or an l and 0 replaces O, etc. Only requiring complex passwords doesn’t provide the security you need. Instead, create a strong password. The password length is still character for character, more important for security than password complexity. The longer the password, the more difficult (mathematically) it becomes to crack.

2- Remove periodic password reset requirements.
This is one of the biggest frustrations for employees who are forced to change their passwords multiple times per year. Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their passwords regularly. They tend to make simple, predictable changes — and bad actors quickly learn those patterns.

Microsoft also agrees that there is no point in forced password changes and has since removed that recommendation.

3- Make daily screening of new passwords against lists of common or compromised passwords mandatory.
Password screening (aka password filtering or monitoring) is a critical step that organizations must factor into their cybersecurity strategy. Without it, you run the risk of having a process in place that ensures new passwords are complex and unique but fails to check if these new passwords are compromised. Even a 30-character complex password can be weak if it is compromised. We believe that the ongoing screening of passwords against compromised lists should be mandatory.

You shouldn’t drive a car daily without the brakes working, and you shouldn’t do the same with employee passwords. Be safe.

By adopting the NIST’s Digital Identity Guidelines, password security will no longer be a weak link for enterprises. If you want to future-proof your password policy to mitigate the risk of employee account takeover, then check out how Enzoic can help you.


Read more on NIST: