The NIST password guidelines, which are revised periodically, have changed many of the standards and practices that security professionals traditionally relied on when writing password policies for their organizations. A mainstay of the current guidelines is the approach NIST advises for handling compromised passwords.
For quick background, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST develops Federal Information Processing Standards (FIPS), which the Secretary of Commerce approves and with which federal agencies must comply. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
NIST password guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
NIST SP 800-63-3: NIST's Digital Identity Guidelines (with the password-specific requirements in SP 800-63B) made some long-overdue changes to the recommendations for user password management.
The new NIST password standards recommend, among other things:
All three of these password recommendations are things we have been advising for some time now, and the NIST password-screening recommendation is easier to implement with Enzoic for Active Directory or our RESTful API service.
This guidance also helps with other NIST requirements. Control enhancement IA-5(1), password-based authentication, in NIST SP 800-53 requires organizations to maintain a list of commonly used, expected, or compromised passwords, to update that list when passwords are suspected to have been compromised, and to verify that new or changed passwords are not on it. The discussion for IA-5(1) adds that these requirements apply whether the password is used in single-factor or multi-factor authentication. MFA adds a layer of protection, but it does not relieve the organization of keeping the passwords themselves sound, so compromised credentials still have to be managed in MFA-protected environments.
The NIST check in SP 800-63B happens when a password is created or changed; a password that was clean at that moment can show up in a breach later. Although the NIST password standards don't call for it, we at Enzoic strongly advocate an additional practice: continuous monitoring of passwords already in use, rescreening them against a comprehensive and constantly updated list of known compromised credentials so that a newly exposed password is caught and reset rather than left in service. Enzoic offers solutions that automate this check. With the growing sophistication of cybercriminals and the increasing frequency of data breaches, proactive management of compromised credentials is essential for every service provider.
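The two checks described above, a screen at password-set time and an ongoing rescreen when the compromised list grows, as an added Python example. This is illustrative code written for this page, not Enzoic's product or API and not code from NIST. The blocklist lines, account records, passwords and counts are all constructed sample data; the `HASH:COUNT` line format, the PBKDF2 work factor and the function names are assumptions for the example.

```python
"""Compromised-password screening in the shape SP 800-53 IA-5(1) describes:
(a) keep a list of compromised passwords and update it, (b) check passwords
against it when they are created or changed, plus a rescreen of existing
accounts when the list grows. Example code added to this page, not Enzoic's
product or API. All sample data below is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form most breach corpora are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus in "SHA1HEX:COUNT" form (assumed layout). A real
# list arrives as hashes; these are derived from known-weak plaintexts so the
# example is self-contained, and the counts are invented.
_SAMPLE_LEAKED = {"password": 9_000_000, "123456": 8_000_000, "Summer2023!": 1_200}
SAMPLE_BLOCKLIST_LINES = [f"{sha1_hex(p)}:{n}" for p, n in _SAMPLE_LEAKED.items()]


class BreachedPasswordList:
    """IA-5(1)(a): a list of compromised passwords that is updated in place."""

    def __init__(self, lines=()):
        self._hashes: dict[str, int] = {}
        self.update(lines)

    def update(self, lines) -> list[str]:
        """Merge HASH:COUNT lines (blank lines and # comments skipped); return new hashes."""
        added = []
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, count = line.partition(":")
            digest = digest.upper()
            if digest not in self._hashes:
                added.append(digest)
            self._hashes[digest] = int(count or 0)
        return added

    def contains(self, password: str) -> bool:
        return sha1_hex(password) in self._hashes

    def __len__(self) -> int:
        return len(self._hashes)


MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen memorized secret


def screen_new_password(password: str, blocklist: BreachedPasswordList) -> tuple[bool, str]:
    """IA-5(1)(b): decide whether a new or changed password may be accepted.
    Takes no MFA flag on purpose: the check applies to every account."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if blocklist.contains(password):
        return False, "appears in the compromised-password list"
    return True, "ok"


PBKDF2_ITERATIONS = 100_000  # assumed work factor, kept modest so the example runs quickly


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    mfa_enabled: bool = False


def store_password(username: str, password: str, mfa_enabled: bool = False) -> Account:
    """Store the password as a salted PBKDF2-HMAC-SHA256 hash (stdlib, for the example)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return Account(username, salt, pw_hash, mfa_enabled)


def rescreen_accounts(accounts: list[Account], newly_leaked: list[str]) -> list[str]:
    """Ongoing monitoring: accounts whose current password is in a new batch of
    leaked plaintexts. Stored hashes are salted, so every candidate is re-derived
    per account (len(accounts) * len(newly_leaked) slow hashes), which is why the
    set-time check matters and why each update delta is kept small. Accounts
    with MFA enabled are rescreened like any other."""
    flagged = []
    for acct in accounts:
        for candidate in newly_leaked:
            derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), acct.salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(derived, acct.pw_hash):
                flagged.append(acct.username)
                break
    return flagged


if __name__ == "__main__":
    blocklist = BreachedPasswordList(SAMPLE_BLOCKLIST_LINES)
    for pw in ["123456", "Summer2023!", "correct horse battery"]:
        print(pw, "->", screen_new_password(pw, blocklist))
    accounts = [store_password("alice", "Winter2024!", mfa_enabled=True),
                store_password("bob", "correct horse battery")]
    leaked_later = ["Winter2024!"]  # a later breach feed exposes alice's password
    blocklist.update(f"{sha1_hex(p)}:1" for p in leaked_later)
    print("force reset for:", rescreen_accounts(accounts, leaked_later))
```

The set-time screen needs only the hash list, so it is cheap and runs on every create or change. The rescreen is the expensive half: because stored hashes are salted and slow by design, it can only test the plaintexts that arrived in the latest update, one derivation per account per candidate, and it deliberately does not skip MFA-enabled accounts.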