Skip to main content
password reset icon
Stop forced password reset

Multiple studies have shown requiring frequent password changes is actually counterproductive to good password security.

complex password icon
Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords.

list icon
Require screening of new passwords against lists of commonly used or compromised passwords

One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.

OVERVIEW

Why NIST Recommends Password Screening

NIST encourages organizations to monitor new passwords daily to prevent the use of commonly compromised credentials. The NIST 800-63B password compliance continuous enforcement improves both security and usability.

People follow very common patterns in password selection, even when a written password policy is in place. Bad actors use lists of common passwords and patterns found in previous breaches to narrow the universe of passwords attempted in their attacks. Guessing passwords becomes easier when the actual set of passwords is predictable.

HOW IT WORKS

Satisfying NIST Password Compliance

Enzoic continuously collects compromised passwords and aggregates cracking dictionaries to maintain a comprehensive, constantly updated blacklist of unsafe credentials. This list contains billions of entries sourced not only from historical breaches, but also from the Dark Web, Deep Web, and infostealer malware logs. Our Threat Intelligence team monitors emerging attacker tools and tactics to ensure new exposures are added as quickly as they appear.

Meeting NIST’s password compliance requirements becomes straightforward with Enzoic. Our researchers curate unsafe passwords from breached datasets, cracking dictionaries, and underground sources, then deliver them through our Active Directory plugin and RESTful API, making it easy for organizations to screen and block unsafe credentials.

NEW NIST UPDATE

NIST SP 800-63B Rev. 4 Updates

The recently released NIST 800-63B Rev 4 introduces refinements to password compliance requirements:

  • Minimum 15-character length for admin accounts
  • Rejection of compromised and dictionary-based passwords
  • Emphasis on continuous password monitoring

Enzoic makes adopting NIST 800-63B Rev. 4 updates seamless with automated enforcement in Active Directory. Explore the latest password updates.

HOW IT HELPS ME

The Benefits of Creating a NIST Password Policy

Adopting a NIST password policy improves user experience by eliminating password complexity rules and reducing frequent password resets. It lowers IT administrative costs by cutting password reset calls and automated remediation. It also improves security by following modern industry recommendations for passwords.

NIST password compliance case study ->

Frequently Asked Questions

Why should I care about NIST password guidelines?

The National Institute of Standards and Technology is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST develops cybersecurity standards, guidelines, and best practices to serve US-based industry and US federal agencies.

NIST’s Digital Identity Guidelines (Special Publication 800-63B) offer dependable recommendations for managing identity and access, including the establishment of effective password guidelines and password policies. These guidelines are widely adopted across industries and organizations as a security standard.  It also helps organizations with cyber insurance requirements

  1. The NIST guidelines advocate for reducing password complexity requirements to improve usability without compromising security.  Although imposing complex password requirements enhances their resilience against cracking attempts by attackers, it also renders passwords more challenging for users to recall. This often leads to user behaviors such as cyclically reusing the same or similar passwords, which in turn heightens security vulnerabilities.
  2. Hence, NIST now advises for less stringent complexity requirements.
    NIST also emphasize the importance of regularly checking passwords against breach databases and common dictionary words to prevent the use of compromised credentials. This measure prevents users from selecting and employing compromised passwords, thereby enhancing the security of organizations and reducing the risk of a data breach originating from compromised passwords.

Yes, the NIST guidelines recommend comparing passwords against known breach databases and common dictionary words to identify and reject compromised credentials. This proactive approach helps organizations prevent unauthorized access and mitigate security risks.

Enzoic for Active Directory enables one-click compliance by continuously screening for weak, expected, and compromised passwords, ensuring automated NIST password compliance with minimal admin overhead.

Many tools claim to help with NIST password compliance, but they rely on static blacklists or only check passwords at creation. Enzoic continuously screens every password in Active Directory against billions of compromised credentials, updated daily. This ensures organizations achieve true continuous NIST compliance instead of one-time checks, reducing their risk of credential-based attacks.

Resources

Blog

The Benefits NIST Password Guidelines for Security

NIST password guidelines have real-world applications in every organization. Here's what you can do to stop your passwords from being compromised.

Read More

Resource Hub

CISO Guide to Password Security: NIST 800-63B

How to Implement and Automate the Key Elements of NIST 800-63B. This paper covers best practices for NIST-compliant password security and key benefits of automating password policies.

Download the Paper

Blog

NIST IA-5 Compliance

Understanding the Role of NIST IA-5 in SP 800-53. One essential aspect is the Control Enhancement IA-5 for password-based authentication.

Read More