
Surprising Password Guidelines from NIST

The NIST password guidelines, which are revised periodically, have overturned several practices that security teams traditionally relied on when writing password policies for their organizations. A mainstay of the guidelines is what NIST advises organizations to do about compromised passwords.

For quick background, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST develops Federal Information Processing Standards (FIPS), which the Secretary of Commerce approves and with which federal agencies must comply. NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.

NIST password guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.

NIST SP 800-63-3, the Digital Identity Guidelines, made some long-overdue changes to its recommendations for user password management. The password rules themselves live in the SP 800-63B volume (Authentication and Lifecycle Management), which refers to passwords as "memorized secrets".

The NIST password guidelines recommend, among other things:

  • Remove periodic password change requirements
    This is one that legions of corporate employees forced to create a new password every month will surely welcome. Multiple studies have shown that forced frequent changes are counterproductive: users respond with predictable increments (Winter2023 becomes Spring2024), so an attacker holding an old leaked value can guess the new one. The guidelines now say a verifier should not require arbitrary periodic changes, but must still force a change when there is evidence that the password has been compromised. The industry has doggedly held on to the old practice; hopefully these recommendations will end routine forced resets and make the password environment both more user-friendly and more secure.
  • Drop the algorithmic complexity song and dance
    No more arbitrary composition rules demanding a mix of upper case letters, lower case letters, numbers and symbols. Like frequent changes, these rules have been shown repeatedly to produce worse passwords: users satisfy them with the same predictable pattern (a capital first letter, a digit and an exclamation mark at the end, as in Password1!), and cracking dictionaries already cover those patterns. What NIST keeps is a minimum length of 8 characters for user-chosen passwords, a maximum of at least 64 characters with no truncation, and acceptance of all printing ASCII characters, spaces and Unicode.
  • Require screening of new passwords against lists of commonly used or compromised passwords
    This is one near and dear to our hearts here at Enzoic. One of the best ways to raise the strength of your users' credentials is to screen them, whenever they are set or changed, against lists of dictionary words and known compromised passwords. SP 800-63B makes this mandatory: the blocklist should contain passwords from previous breach corpora, dictionary words, repetitive or sequential characters (aaaaaaaa, 1234abcd) and context-specific words such as the service name or the username. Rejecting these removes exactly the passwords that credential-stuffing and password-spraying tools try first, which significantly reduces the risk of weak passwords and the account takeovers that follow from them.

All three of these password recommendations are things we have been advising for some time now and the NIST password screening recommendation is made simpler with Enzoic for Active Directory or our RESTful API service.

This guidance is also beneficial for complying with other NIST standards. For instance, control enhancement IA-5(1), Password-based Authentication, in NIST SP 800-53 requires an organization to maintain a list of commonly used, expected or compromised passwords, to update it at a defined frequency and whenever organizational passwords are suspected to be compromised, and to verify that new or changed passwords are not on the list. The discussion of IA-5(1) adds that these requirements apply to passwords regardless of whether they are used in single-factor or multi-factor authentication. MFA introduces an additional layer, but a compromised password still hands an attacker one of the two factors, plus every other service where the user reused it. Vigilant management of compromised credentials therefore remains necessary even in environments protected by MFA.

Although the NIST guidelines only require the blocklist check when a password is set or changed, we at Enzoic strongly advocate a further practice: continuously re-checking passwords that are already in use, because a password that was clean when chosen can show up in a breach dump months later. This means comparing your users' credentials against a comprehensive and constantly updated list of known compromised credentials. A properly stored password exists only as a salted, slow hash, so the re-check has to run either at authentication time, when the verifier briefly holds the plaintext, or by comparing digests against the breach corpus; however it is implemented, plaintext passwords must never leave your systems. Enzoic offers specialized solutions to automate this measure so that password integrity is maintained at all times. With the rising sophistication of cybercriminals and the increasing prevalence of data breaches, proactive risk management through robust password protection is essential for every service provider.
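The screening rules from the list above and the login-time re-check described in the preceding paragraph, as one added worked example in Python. This is illustrative code written for this page, not Enzoic's product or anything published by NIST. It assumes a constructed five-entry blocklist standing in for a real breach corpus, a hypothetical service name `example-corp` used as a context-specific word, and PBKDF2-HMAC-SHA256 as the storage hash.

```python
"""Memorized-secret screening after NIST SP 800-63B 5.1.1.2, plus a login-time
re-check against an updated blocklist. Added example; blocklist and service
name are constructed for illustration."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Set, Tuple

MIN_LENGTH = 8          # 800-63B: user-chosen secrets are at least 8 characters
MAX_LENGTH = 256        # 800-63B: permit at least 64 characters; never truncate
PBKDF2_ITERATIONS = 600_000
SERVICE_NAME = "example-corp"   # hypothetical context-specific word to reject


def sha1_hex(password: str) -> str:
    """Breach corpora are usually exchanged as SHA-1 digests of the exact string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach-derived list. A real one holds hundreds of
# millions of digests and lives in a database or Bloom filter, not a set literal.
BLOCKLIST: Set[str] = {sha1_hex(p) for p in
                       ("password", "Password1!", "qwertyuiop", "letmein123", "Summer2023")}


def normalize_secret(password: str) -> str:
    # 800-63B: apply NFKC (or NFKD) before any other processing so the same
    # visible string typed on different keyboards hashes the same way.
    return unicodedata.normalize("NFKC", password)


def has_run(s: str, n: int = 4) -> bool:
    """True if s contains n identical (aaaa) or n consecutive (abcd, 4321) characters."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = [ord(b) - ord(a) for a, b in zip(window, window[1:])]
        if all(d == 0 for d in steps) or all(d == 1 for d in steps) or all(d == -1 for d in steps):
            return True
    return False


def screen_password(password: str, username: str,
                    blocklist: Set[str] = BLOCKLIST) -> Tuple[bool, str]:
    """Checks applied when a password is set or changed. Returns (accepted, reason).
    Deliberately no composition rule: digits, symbols and mixed case are not required."""
    pw = normalize_secret(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if sha1_hex(pw) in blocklist:
        return False, "found in compromised-password list"
    lowered = pw.lower()
    for word in (username, SERVICE_NAME):
        if word and word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    if has_run(lowered):
        return False, "repetitive or sequential characters"
    return True, "ok"


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow one-way hash for the credential store, as 800-63B requires."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_secret(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_and_recheck(password: str, salt: bytes, stored: bytes,
                       blocklist: Set[str] = BLOCKLIST) -> Tuple[bool, bool]:
    """Authenticate, then re-screen against the *current* blocklist.
    Returns (authenticated, must_reset). A stored salted hash cannot be matched
    against a breach list directly, so the re-check runs at login, the one
    moment the verifier legitimately holds the plaintext."""
    _, candidate = hash_for_storage(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return False, False
    return True, sha1_hex(normalize_secret(password)) in blocklist


if __name__ == "__main__":
    for pw in ("Password1!", "1234abcd", "alice-rocks-2024!", "correct horse battery staple"):
        print(f"{pw!r}: {screen_password(pw, 'alice')}")
    salt, stored = hash_for_storage("correct horse battery staple")
    # Months later the same phrase turns up in a breach dump and joins the list.
    updated = BLOCKLIST | {sha1_hex("correct horse battery staple")}
    print(verify_and_recheck("correct horse battery staple", salt, stored, updated))  # (True, True)
```

Note that Password1! satisfies every classic composition rule and is still rejected, while a long passphrase with no digits or symbols is accepted; that is the point of dropping composition rules in favour of a blocklist. The re-check deliberately reuses the login path rather than trying to match the stored PBKDF2 hash against the breach list, which would require re-deriving every breached candidate under every user's salt.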

Learn how to satisfy NIST 800-63B and request a free trial.
